Tuesday, 03 October 2017 08:08

Israeli firm revives theory of Chinese link to CCleaner hack


An Israeli security firm has revived the theory that the attackers who compromised the CCleaner Windows utility last month were a Chinese state-sponsored group.

Jay Rosenberg, a senior researcher at Intezer, said in a blog post yesterday that based on an analysis of both the first and second stage payloads of the CCleaner malware, and code from the Axiom group, an entity linked to China, he had concluded that there was a very strong possibility that both were from the same source.

The claim of a Chinese link was first made by Avast, the owner of CCleaner, last month, and subsequently withdrawn. Avast became the owner of CCleaner when it acquired Piriform, the British company that owned the software.

The news that CCleaner had been compromised broke on 17 September, through a detailed blog post by Cisco's Talos Intelligence Group.

Talos issued a second post on 20 September, listing a number of big technology companies that it said were targeted by the second-stage payload of the malware within CCleaner.

Listed were Cisco, Intel, Microsoft, HTC, Samsung, VMware, Akamai, Sony, Singtel, D-Link, O2, Vodafone, German gaming and gambling company Gauselmann, Linksys, Gmail, MSI, Dynamic Network Services and Epson.

Rosenberg said the code in the CCleaner malware had been compared against all the code samples in Intezer's database.

"...out of all the billions and billions of pieces of code (both trusted and malicious) contained in the Intezer Code Genome Database, we found this code in only these APTs (advanced persistent threats)," he wrote.

It was also worth noting, he added, that neither set of code used the standard method one would use to call an API.

"The attacker used the simple technique of employing an array to hide a string from being in clear sight of those analysing the binary (although to those who are more experienced, it is obvious) and remain undetected from antivirus signatures," Rosenberg said.

"The author probably copied and pasted the code, which is what often happens to avoid duplication: rewriting the same code for the same functionality twice. Due to the uniqueness of the shared code, we strongly concluded that the code was written by the same attacker."
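The string-hiding technique Rosenberg describes is what binary analysts usually call a stack string: the program writes a name, such as the name of an API it wants to call, into a local array one character at a time, so the name never appears intact in the file and a plain string scan misses it. The following is an added illustration of how an analyst recovers such strings from a disassembly listing and flags ones that name imports; it is not Intezer's, Avast's or Talos's code, and the listing, the `resolve_import` label and the watchlist of import names are all constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample listing (not from the CCleaner binary). It mimics x86 code that
# fills two local char arrays one byte at a time, with the stores deliberately out of
# order, then passes one array to a hypothetical resolver routine.
SAMPLE_LISTING = """
mov byte ptr [ebp-0x1d], 0x50
mov byte ptr [ebp-0x20], 0x47
mov byte ptr [ebp-0x1f], 0x65
mov byte ptr [ebp-0x1e], 0x74
mov byte ptr [ebp-0x1c], 0x72
mov byte ptr [ebp-0x1b], 0x6f
mov byte ptr [ebp-0x1a], 0x63
mov byte ptr [ebp-0x19], 0x41
mov byte ptr [ebp-0x18], 0x64
mov byte ptr [ebp-0x17], 0x64
mov byte ptr [ebp-0x16], 0x72
mov byte ptr [ebp-0x15], 0x65
mov byte ptr [ebp-0x14], 0x73
mov byte ptr [ebp-0x13], 0x73
mov byte ptr [ebp-0x12], 0x00
mov byte ptr [ebp-0x30], 0x6b
mov byte ptr [ebp-0x2f], 0x65
mov byte ptr [ebp-0x2e], 0x72
mov byte ptr [ebp-0x2d], 0x6e
mov byte ptr [ebp-0x2c], 0x65
mov byte ptr [ebp-0x2b], 0x6c
mov byte ptr [ebp-0x2a], 0x33
mov byte ptr [ebp-0x29], 0x32
mov byte ptr [ebp-0x28], 0x00
lea eax, [ebp-0x20]
push eax
call resolve_import
"""

# Matches a single-byte store to an ebp-relative stack slot,
# e.g. "mov byte ptr [ebp-0x20], 0x47".
BYTE_STORE = re.compile(
    r"mov\s+byte\s+ptr\s+\[ebp([+-]0x[0-9a-f]+)\]\s*,\s*(0x[0-9a-f]+)", re.IGNORECASE
)

# Constructed watchlist: import names an analyst would normally expect to find in the
# PE import table rather than assembled on the stack at run time.
IMPORT_WATCHLIST: Set[str] = {"GetProcAddress", "LoadLibraryA", "VirtualAlloc"}


def collect_byte_stores(listing: str) -> Dict[int, int]:
    """Map each stack offset to the last byte value stored at it."""
    stores: Dict[int, int] = {}
    for match in BYTE_STORE.finditer(listing):
        offset = int(match.group(1), 16)  # int() accepts the sign and the 0x prefix
        stores[offset] = int(match.group(2), 16) & 0xFF
    return stores


def recover_strings(listing: str, min_len: int = 4) -> List[str]:
    """Rebuild printable strings from contiguous byte stores.

    Stores are ordered by stack offset, so the instruction order in the listing
    does not matter. A run ends at a NUL byte or at a gap in the offsets.
    """
    stores = collect_byte_stores(listing)
    results: List[str] = []

    def flush(buf: bytearray) -> None:
        # Keep only runs long enough to be meaningful and made of printable ASCII.
        if len(buf) >= min_len and all(0x20 <= b < 0x7F for b in buf):
            results.append(buf.decode("ascii"))

    run = bytearray()
    prev_offset = None
    for offset in sorted(stores):
        value = stores[offset]
        if prev_offset is None or offset != prev_offset + 1 or value == 0:
            flush(run)
            run = bytearray()
        if value:
            run.append(value)
        prev_offset = offset
    flush(run)
    return results


def flag_hidden_imports(listing: str, watchlist: Set[str] = IMPORT_WATCHLIST) -> List[str]:
    """Return recovered strings that name watched imports, in recovery order."""
    return [s for s in recover_strings(listing) if s in watchlist]


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_LISTING):
        print("recovered:", s)
    print("hidden imports:", flag_hidden_imports(SAMPLE_LISTING))
```

Ordering the stores by stack offset rather than by instruction position is what makes the recovery robust to the out-of-order writes a compiler or an author may produce; an import name recovered this way, but absent from the import table, is exactly the kind of indicator that prompts an analyst to look at how the sample resolves its APIs.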

He concluded that the complexity and quality of the CCleaner attack "has led our team to conclude that it was most likely state-sponsored. Considering this new evidence, the malware can be attributed to the Axiom group due to both the nature of the attack itself and the specific code re-use throughout that our technology was able to uncover".

Avast has made no further comment about the compromise after its last blog post on 25 September.



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
