The malware attack on Windows utility CCleaner may have been more targeted and sophisticated than it seemed. In the days since the attack was announced, researchers have been poring through data from a seized command and control center, finding evidence that the attackers were using the compromise to target some of the world’s most powerful tech companies.
New posts from Avast and Cisco’s Talos research group detail the findings, as first reported by Wired. At the time the server was seized, the attackers were targeting a string of internal domains with a second-stage payload, designed to collect data and provide persistent access to any infected device.
The list of domains, published by Talos, reveals a number of major tech companies. “Ntdev.corp.microsoft.com” is an internal domain for Windows developers, while hq.gmail.com appears to be the internal Gmail instance for Google employees. Other targets include Sony, Samsung, Intel, and Akamai. The domains also include a German slot machine company and major telecoms in Singapore and the United Kingdom.
The list only includes domains that were targeted during the four days before the server was seized, so it’s entirely possible other companies were targeted earlier in the campaign. Still, the nature of the two-stage payload suggests the attack was targeted, aiming to break into specific companies rather than compromise millions of computers at once. “This was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” Avast researchers wrote. Researchers now estimate only 700,000 computers were exposed by the attack, down from earlier estimates of 2.2 million.
It’s still unclear which companies were successfully compromised. Talos registered at least 20 computers that were targeted by the payload, but researchers have not disclosed which companies were involved. It’s also unclear what the attackers were looking for, although Talos notes that the domains targeted “would suggest a very focused actor after valuable intellectual property.”
Neither group has made an official attribution, but Kaspersky researchers have noted significant overlapping code between the CCleaner attack and previous attacks by the Axiom threat group, a finding that Talos confirmed. Previous research has tied the Axiom group to Chinese intelligence services with moderate to high confidence.
Still, researchers are likely to learn more about the campaign in the weeks to come. Data from the initial command server has revealed several other servers used in the attack, which law enforcement is currently working to locate and seize.