CCleaner Malware Has Possible Links to Chinese Hackers
Remember the CCleaner malware that affected millions of computers? Although the company provided swift patch updates to counter the infection, security researchers were worried enough to carry out an investigative analysis. A trail of technical indicators identified by multiple security researchers points to the possibility that an elite Chinese group of hackers was responsible for the act. These findings have not yet been publicly confirmed and should probably be taken with a grain of salt.
A security analysis carried out by Israel’s Intezer Labs was able to identify a coding pattern in the CCleaner hack that was similar to that of the Winnti group, hackers who targeted online gamers and legitimate software vendors. Way back in 2011, Kaspersky released a report on the Winnti group and concluded that the group had Chinese origins. Fast forward to 2017, and the CCleaner malware contained the same Trojan code that was used by none other than the Winnti group. Cisco and Intezer Labs are actively studying the attack and may have come up with some clues on the hackers’ intent and motive.
According to the report, “Programmers often reuse code instead of rewriting it and this acts as a digital fingerprint,” explained Rosenberg. “Putting this into context in combination with our technology, our technology compares the code of these files to millions of other samples, malicious and legitimate. The fact this code was only found in the CCleaner hack and previous APT17 attacks (and not in any other software/malware in the world) is quite a strong link.”
Initially, it was assumed that the attack targeted all CCleaner users; however, close inspection reveals that fewer than 50 domains out of the more than 2 million infected computers were infected with a second-stage backdoor implant that provided the attacker with additional access. This development points to the possibility that the attack was highly targeted rather than random. The 50 domains were owned by brands such as Sony, Samsung, ASUS, and VMware.
The group is not new to security firms. Over the years, it has been monitored, reported on and analyzed by Kaspersky Lab and FireEye. The group’s main purpose lies in stealing intellectual property, and it is mighty interested in American products. It’s important to note that the group has strong connections to the ruling Communist Party of China; these findings were published with ‘medium confidence’ and could indicate that China is once more spying on America. The practice ceased to exist when Obama signed a treaty with then Chinese President Xi Jinping. Now, however, this finding could mean serious security problems, as America has to deal with Russian cyber espionage as well as Chinese spying.