Hackers used Avast's CCleaner breach to attack tech firms: research
Hackers who broke into widely used computer utility software in August tried to infect machines at Microsoft, Intel and other top tech firms
The hackers who broke into widely used computer utility software in August also tried to infect machines at Microsoft, Intel and other top technology companies, according to research by Cisco Systems.
That suggests the breach, disclosed on Monday, was far more serious than initially described by Piriform, maker of the infected CCleaner utility and now a part of Prague-based Avast Software.
Piriform and more recently Avast said in blog posts this week that no damage had been detected, although more than 2 million people had installed tainted versions of CCleaner.
Even though those versions allowed for remote communication with websites controlled by the hackers, Avast said alarm was unwarranted because the company cooperated with researchers and law enforcement and took control of the command sites early on.
But researchers at Cisco, one of the companies that had warned Avast of the attack, said that a control server seized by US law enforcement showed that the hackers had installed additional malicious software on a selected group of at least 20 machines.
It is unclear which companies housed those computers, but the data showed that the hackers had gone after networks at major technology companies. The list included Samsung, Sony, Akamai and Cisco itself.
“It’s like the bad guys cast a net and caught all the fish, but only wanted to infect the machines that were most interesting,” said researcher Craig Williams of Cisco’s Talos unit.
The attackers could have been using the foothold provided by CCleaner installations to steal technology secrets from those companies, Williams said.
More troubling, they could have been looking to get malicious code inside those companies’ products, which are used by high-value targets in government and business around the world.
Avast Chief Technology Officer Ondrej Vlcek confirmed that “a very small minority of the endpoints” had received subsequent infections. He said the company had been contacting affected firms quietly.
“We don’t believe in going public with any of this stuff while investigation is still ongoing,” he said. “We know that this is also the preference of the law enforcement personnel.”
Security firm Kaspersky Lab, Cisco and others said the attack reused code previously seen in hacks connected to Chinese authorities. But the code could have been stolen, so the CCleaner hackers might not be from that country.
Vlcek said consumer CCleaner users still did not need to restore their computers from backups.