That target list presents a new wrinkle in the unfolding analysis of the CCleaner attack, one that shifts it from what might have otherwise been a run-of-the-mill mass cybercrime scheme to a potentially state-sponsored spying operation that cast a wide net, and then filtered it for specific tech-industry victims. Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015.
Cisco says it obtained a digital copy of the hackers' command-and-control server from an unnamed source involved in the CCleaner investigation. The server contained a database of every backdoored computer that had "phoned home" to the hackers' machine between September 12 and 16. That included over 700,000 PCs, just as Avast has said in the days since it first revealed its CCleaner debacle. (Initially the company put the number much higher, at 2.27 million.) But the database also showed a list of specific domains onto which the hackers sought to install their secondary malware payload, as well as which ones received that second infection. The secondary payload targeted 18 companies in all, but Williams notes that some companies had more than one computer compromised, and some had none.