Connect with us

Hi, what are you looking for?



Researchers Link CCleaner Attack to State-sponsored Chinese Hackers

The sophisticated supply chain attack that resulted in millions of users downloading a backdoored version of the popular CCleaner PC software utility was the work of state-sponsored Chinese hackers, according to a new report.

The sophisticated supply chain attack that resulted in millions of users downloading a backdoored version of the popular CCleaner PC software utility was the work of state-sponsored Chinese hackers, according to a new report.

The attack started with the compromise of a CCleaner server in early July, which allowed hackers to inject backdoor code in two versions of the tool, namely 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. Between August 15 and September 12, over 2.27 million users downloaded the infected binaries.

Investigation into the attack revealed that the backdoored code was only the first stage of the intended user compromise, and that a second-stage payload had been delivered to a small number of selected targets.

After finding the backup of a deleted database containing information on the infected machines, investigators discovered that a total of 1,646,536 unique machines (based on MAC addresses) reported to the command and control (C&C) server. The stage 2 payload, however, was served to only 40 of them.

Soon after the investigation started, the security researchers looking into the incident discovered some connections to a known group of Chinese hackers, but no definite attribution was made.

Now, Intezer researchers suggest that the attack was state-sponsored and that it can indeed be attributed to Chinese hackers that are part of the Axiom group.

Also referred to as APT17 or DeputyDog, the group was previously associated with Operation Aurora, which started in 2009 and targeted companies such as Google, Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, and Dow Chemical. The group specializes in supply chain attacks and Operation Aurora is considered one of the most sophisticated incidents ever.

According to Intezer, an analysis of the stage 2 payload used in the CCleaner attack provided a clear link to the Chinese hackers after the first payload (the backdoor in the installer) revealed shared code with Axiom group.

Advertisement. Scroll to continue reading.

While looking at the backdoor, the researchers discovered unique code implementation “only previously seen in APT17 and not in any public repository.” Now, they reveal that the stage 2 payload contains code that is an exact match to APT17 malware seen before.

“The author probably copied and pasted the code, which is what often happens to avoid duplicative efforts: rewriting the same code for the same functionality twice. Due to the uniqueness of the shared code, we strongly concluded that the code was written by the same attacker,” Intezer’s Jay Rosenberg notes.

Analysis of the stage 2 payload revealed that one of the dropped modules is another backdoor designed to connect to a few domains. It would also connect to an IP to grab the next stage payload, which the researchers haven’t been able to identify until now.

“The complexity and quality of this particular attack has led our team to conclude that it was most likely state-sponsored. Considering this new evidence, the malware can be attributed to the Axiom group due to both the nature of the attack itself and the specific code reuse throughout that our technology was able to uncover,” Rosenberg concludes.

Related: Backup Database Reveals Scale of CCleaner Hack

Related: Attack on Software Firm Was Sophisticated, Highly Targeted

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.