Security researchers increasingly believe that an elite Chinese hacking group broke into British software maker Piriform to booby-trap the popular file-cleaning program CCleaner, according to research and private analysis provided to CyberScoop.
New research published Monday by Israeli cybersecurity startup Intezer Labs, authored by senior security researcher Jay Rosenberg, adds support to the conclusion that Chinese hackers tried to gain access to a small number of multinational telecommunications and technology companies.
Although attributing a data breach to a specific hacker group remains an imperfect science, recently uncovered evidence contains technical indicators that overlap with those used by an advanced persistent threat (APT) group codenamed Axiom Group, security researchers at multiple cybersecurity firms told CyberScoop.
In addition to Intezer Labs’ analysis, several researchers spoke to CyberScoop on condition of anonymity because they were not authorized to discuss their separate but supporting findings publicly. Two of these researchers said they were able to attribute the CCleaner incident to Axiom, also known as APT17 or Winnti, with “medium confidence.”
“Programmers often reuse code instead of rewriting it and this acts as a digital fingerprint,” explained Rosenberg. “Putting this into context in combination with our technology, our technology compares the code of these files to millions of other samples, malicious and legitimate. The fact this code was only found in the CCleaner hack and previous APT17 attacks (and not in any other software/malware in the world) is quite a strong link.”
Axiom is believed to be a Chinese APT group made up of freelancers with some relation to the ruling Communist Party of China. Cybersecurity firms Kaspersky Lab and FireEye have each recorded the group’s operations in the past. According to Rosenberg, Axiom is largely interested in stealing valuable intellectual property.
Based on separate investigations conducted in recent weeks by Cisco’s Talos team and Avast’s internal security team, the hackers rigged a legitimate software update mechanism in CCleaner to remotely dispense a backdoor implant to 2.27 million computers over the course of a month. The affected version of CCleaner (v5.33) was downloaded between August and September.
Piriform is a subsidiary of Avast.
Fewer than 50 domains among the more than 2 million infected computers also received a subsequent second-stage backdoor implant, which provided the attackers with additional access. These domains were owned by major technology brands like Intel, Sony, Samsung, ASUS, VMware and British telecommunications giant O2.
Craig Williams, a senior security researcher with Cisco Talos, previously told CyberScoop that while the attack first appeared designed to indiscriminately compromise a large number of computers around the world, it now seems to have been highly targeted.
Only a small number of private sector cybersecurity firms were able to examine this supplementary, second-stage evidence, with Intezer Labs and Cisco being two of the few. The secondary piece of malware is now providing researchers with some clues on the hackers’ intent, motive and techniques.
Intezer Labs was also among the first companies to recognize that the first-stage payload, like the second, had strong indicators of Axiom Group activity. “Not only did the first payload have shared code between the Axiom group and [CCleaner’s backdoor], but the second did as well,” wrote Rosenberg.
Law enforcement is currently working with Avast to investigate the breach. The FBI did not respond to a request for comment prior to this article’s publication.
The findings are significant because, if accurate, they provide partial evidence that China is once again spying on private American companies after having agreed to cease the practice in 2015 under an arrangement struck between former U.S. President Barack Obama and Chinese President Xi Jinping.