BSidesSF 2018

Last September, hackers broke into as many as 2.27 million accounts of a computer cleaning program while targeting telecom equipment companies in the United States, Japan, South Korea and Taiwan.
When Avast, which owns the program, looked at the computer logs, it found just 23 compromised computers at eight different companies. The hackers' program was specifically looking for companies on a list of telecom equipment manufacturers and a few telecommunication companies, attacking many but only infecting a portion.

Avast’s CCleaner software had a backdoor encoded into it by someone who had access to the supply chain, the main executable in v5.33.6162 had been modified.

The attack's analysis we did, showed a strong code connection between a unique implementation of base64 only previously seen in APT17 making a strong case about attribution to the same threat actor. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted specializing in supply chain attacks.

Our investigation got us to the conclusion that the complexity and quality of the CCleaner attack was most likely state-sponsored most probably to the Axiom group due to both the nature of the attack itself and the specific code reuse throughout.