Researchers: CCleaner attack aimed at major tech companies

Hackers set their sights on companies like Google, Microsoft and Samsung, infecting potentially hundreds of computers with malicious software.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

CCleaner is downloaded millions of times a week for free.

Sergei Konkov

At first it seemed like the hacking campaign against users of popular software CCleaner hadn't been able to do much damage. Well, not so fast.

Researchers now say the hackers were able to install a second piece of malicious software on computers at major tech companies around the world. The companies targeted include heavyweights such as Microsoft, Google, Samsung, Sony and Intel, according to the Talos threat intelligence team, a group of cybersecurity experts at Cisco. Also on the list of targeted companies? Cisco itself.

The targets represent many of the most important companies responsible for making the internet work, making the hacking attack much more serious.

News of the hacking attack broke Monday, when Talos and Avast each announced that hackers had inserted malicious software into legitimate updates of CCleaner, a product that clears out unneeded software applications and cookies from PCs to make them run more efficiently. Even though 2.27 million computers were potentially exposed to the software, both Avast and Talos said Monday it seemed the attackers hadn't used the malware to do any damage.

Now it seems that first wave of malware was just the beginning, opening a secret back door into all those computers. On a select set of valuable computers at major tech companies, the hackers used the back door to install even more malicious software.

Talos researchers don't know yet what the hackers hoped to do once they dug further into computers at these companies, but it's clear there was potential to do damage. In short, these hackers meant business.

"This would suggest a very focused actor after valuable intellectual property," the Talos researchers wrote in their blog post.

The Talos team published its findings in a blog post Wednesday evening. Cybersecurity firm Avast, which in July purchased the company that provides CCleaner, said in a blog post Thursday it had come to a similar conclusion. According to Avast's analysis, it knows for sure that 18 computers at eight different organizations were hit with the second wave of malicious software. What's more, because it only has a small slice of data to examine, Avast said it thinks the total number of affected computers is probably "at least in the order of hundreds."

However, Avast declined to name any of the companies targeted. It's unclear if any or all of the companies named in the Talos blog post were actually among the eight companies Avast says were hit by the second wave of malicious software.

Google and Intel declined to comment, and representatives from Sony and Samsung didn't respond to requests for comment.

"It's expected that security researchers will perform forensic analysis of new malware, and it is not a surprise that malware sometimes targets specific companies," Microsoft said in a statement.

Talos researchers also named D-Link, Linksys, HTC and Akamai as targets of the hackers. Representatives of D-Link and Linksys didn't respond to a request for comment. 

"A small number of our client systems downloaded the malicious software from Avast," Akamai spokesman Robert Morton said in an email. "We are in the process of examining these systems, but we have seen no evidence to date of the secondary payload or C2 channel on any of the affected systems."

An HTC spokesman said a web domain listed by the researchers, HTCgroup.corp, was not registered to the company and that HTC doesn't go by the name HTC group.

"These are all critical infrastructure vendors here," said Tod Beardsley, a cybersecurity forensics expert at Rapid7, who was not involved in the research. The list of targets includes, he said, "all the operating systems and routers that anyone cares about."

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.