Loading…
BSidesSF 2018 has ended
View analytic
Monday, April 16 • 11:00am - 11:30am
Supply Chain Attack Through CCleaner - Evidence Aurora Operation Still Active

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.
Last September, hackers broke into as many as 2.27 million accounts of a computer cleaning program while targeting telecom equipment companies in the United States, Japan, South Korea and Taiwan.
When Avast, which owns the program, looked at the computer logs, it found just 23 compromised computers at eight different companies. The hackers' program was specifically looking for companies on a list of telecom equipment manufacturers and a few telecommunication companies, attacking many but only infecting a portion.

Avast’s CCleaner software had a backdoor encoded into it by someone who had access to the supply chain, the main executable in v5.33.6162 had been modified.

The attack's analysis we did, showed a strong code connection between a unique implementation of base64 only previously seen in APT17 making a strong case about attribution to the same threat actor. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted specializing in supply chain attacks.

Our investigation got us to the conclusion that the complexity and quality of the CCleaner attack was most likely state-sponsored most probably to the Axiom group due to both the nature of the attack itself and the specific code reuse throughout.

Presenters
avatar for Itai Tevet

Itai Tevet

CEO, Intezer
Itai possesses a combination of in-depth technical expertise and leadership experience in mitigating state-level cyber threats. He previously served as the head of IDF CERT, the Israeli Defense Force’s Cyber Incident Response team, where he led an elite group of cyber security professionals... Read More →



Monday April 16, 2018 11:00am - 11:30am
City View - Presidio