Things we know...

  • Securing your network environment is one of today’s most massive challenges in the business world.
  • Attackers don’t discriminate based on business size.
  • Attackers will take the path of least resistance.
  • Supply chain attacks are incredibly effective, so attackers will continue to use this vector to gain access to more lucrative targets.

Things we think we know...

The good news is that you can purchase tools and services from a variety of vendors to help you defend your network against would-be attackers.

For example, you could purchase CCleaner, a tool designed to help clean up unwanted files and invalid Windows system registry entries.

Just install it, and let it do its work – and you’re well on the way to being better protected, or at the very least, helping your systems perform more efficiently, which will save your organization money over the long term.

But not so fast...

Things we learned...

Many of us remember last September when researchers discovered that CCleaner had been hacked, impacting over 2.2 million users.

While impacted organizations were, ironically enough, cleaning up their environments after learning of the hack, researchers were digging deeper into the attack itself.

Who was responsible for the attack anyway?

Researchers discovered ShadowPad, a Chinese-built hacking tool, and further analysis indicated APT17 (aka AxiomGroup, Deputy Dog) was the group behind the initial attack.

APT17 had targeted firms in the technology sector as far back as 2009, and the most interesting findings came out of NTT Security research into China’s Five Year Plan (FYP).

Every five years (makes sense, right?), China publishes a new FYP, informing the world of what the focus of its nation will be over the next half decade.

The last Chinese FYP, published in 2016, clearly identified advanced technology as a key focus of the 2016-2020 timeframe…

…which is why this next finding makes sense.

Beyond the 2.2 million users impacted by the CCleaner hack, a second-stage malware payload was delivered to very specific targets. Researchers believe this second-stage malware was intended to maintain persistence on the infected machines.

These targets were far from random and, in fact, the C2 servers had been configured to deliver the additional malware payload specifically to technology firms. This may not be a complete surprise if you saw the results from NTT Security’s 2018 GTIR, which showed that the technology sector experienced about a 25% increase in attack volume since 2016.

Let’s recap...

  • CCleaner tool gets hacked.
  • The hack includes a follow-on malware payload intended specifically for technology firms.
  • China had recently notified the world that it intended to make great strides in advancing its technological expertise.
  • China has a history of hacking and stealing intellectual property from industries mentioned in China’s FYP.

This is no coincidence.

Things we can do...

The first thing we can do is accept the fact that nation-state-sponsored hacking is not conducted in a vacuum. There are forces at work that even the best data researchers find difficult to articulate.

Secondly, we can all take an active role in securing our valuable data. From your personal mobile device (which should be encrypted, by the way) to your data center – taking responsibility for securing the data hackers are most likely to want to access is both a personal and a corporate decision.

Simply put, our organizations are at war with hackers, cybercriminals, and nation-state-sponsored threats who would seek to do us harm or leverage our intellectual property for their own gain. The best advice I can give is not even my own – it is that of Sun Tzu, the ancient war philosopher:

“If you know the enemy and know yourself, you need not fear a hundred battles.”

Note: If you’d like to learn a bit more about the CCleaner hack and NTT Security researchers’ findings, check out the March GTIC Monthly Threat Report. The entire report is about a 7-minute read.