CCleaner attack on millions of computers sought out telecom firms, app’s owner says
SAN FRANCISCO — Hackers who broke into as many as 2.27 million accounts of a computer cleaning program were targeting telecom equipment companies in the United States, Japan, South Korea and Taiwan, security company Avast told USA TODAY Thursday.
The initial breach was reported on Tuesday. Hackers had hidden malware in CCleaner, a popular app that cleans cookies and junk programs from PCs and Android phones to make them run faster. Czech-based Avast bought the London-based firm Piriform, which produces the program, in July.
When Avast looked at the computer logs it was able to recreate after the attack, it found just 23 compromised computers at eight different companies. The hackers’ program was specifically looking for companies on a list of telecom equipment manufacturers and a few telecommunication companies, attacking many but only infecting a portion, Avast wrote in a blog posted Thursday night.
There may have been other companies hit as well but Avast couldn’t access the records because the attackers experienced disk troubles and wiped the computer where they stored their stolen data, Avast CEO Vince Steckler told USA TODAY.
In the CCleaner attack, several million computers were infected with malware that had been hidden in the popular PC cleaning software. That malware then sent information back to the hackers about the compromised computers, including their Internet addresses and who had access to them.
When it found a company on its list of telecom providers, it deployed a second piece of malware that allowed the hackers to take over the computer and begin mining it for information.
This is what’s known as a watering hole attack, “because the lion lays in wait and sees hundreds of animals come by to drink but he only attacks the one he wants for dinner,” said Steckler. Unsuspecting company employees downloaded what they thought was an innocuous cleaning tool, which instead gave the attackers access to their corporate system — but only if they worked in the sector the hackers were targeting.
“They’re basically looking for an easy way into the corporate network rather than having to hack into it,” Steckler said.
In the vast majority of cases the malware ended up on the computer of someone not on the list of targeted companies and nothing happened, he said.
It’s not clear why the hackers were targeting that sector. One scenario is that the malware and the network to run it were created specifically to target telecom equipment companies.
But another is that the hackers built the network and then went looking for customers they could customize it for. So one month it might be rented out to someone looking for the industrial secrets of telecom equipment companies but the next month it might be focused on searching for secrets at aviation or food processing companies.
“Obviously with a piece of broadly distributed software like this, they could target lots of sectors,” Steckler said.
Late Wednesday, Cisco Talos, the security research arm of San Jose, Calif.-based Cisco, said it had found the malware contained a hidden “attack within the attack” that specifically targeted large tech companies, possibly to do commercial or state-level espionage. It had not narrowed the targets to telecom equipment companies.
Avast researchers didn’t name the companies they had identified. Some of the world’s top telecom gear makers include Cisco, Huawei and Ericsson.
The malware is built on code related to that used by a group known to work out of China. However, the code has been in use for quite a while, so it’s possible at this point that someone else simply bought it, Steckler said.
Most disturbing of all is that the malware was able to hide itself in the CCleaner program for at least four weeks before it was discovered, so well-written that it didn’t trigger security systems and anti-virus programs.
“This was flying under the radar. So maybe there are others out there as well that we don’t know about,” Steckler said.