In September, security researchers at Cisco Talos and Morphisec made a worst nightmare-type disclosure: the ubiquitous computer cleanup tool CCleaner had been compromised by hackers for more than a month. The software updates users were downloading from CCleaner owner Avast—a security company itself—had been tainted with a malware backdoor. The incident exposed millions of computers and reinforced the threat of so-called digital supply chain attacks, situations where trusted, widely distributed software is actually infected by malicious code.

At the RSA security conference in San Francisco on Tuesday, Avast executive vice president and chief technology officer Ondrej Vlcek walked through a post-mortem of the attack, which ultimately led to 2.27 million downloads of the corrupt CCleaner version.

On March 11 of last year, attackers compromised the systems of Piriform, the company that created CCleaner. That June, Avast acquired Piriform. By September, it knew it had a massive security crisis on its hands. Vlcek says that Avast's quick response and existing goodwill toward CCleaner—which has a sometimes cultish online following—have allowed Avast to learn from the incident and better protect its users. But the specter of supply chain attacks is difficult to shake.

"This thing was a bit, shall we say, black. It was an unexpected surprise gift we got as part of the acquisition," Vlcek told WIRED ahead of his talk at RSA. "As a threat research organization we do analysis like this on a daily basis, it's right in our core competency, so it was sort of ironic to suddenly be in the business of forensically analyzing our own attack."

Hackers initially got onto Piriform’s London networks by using stolen credentials to log into a TeamViewer remote desktop account on a developer PC. From there, the attackers moved laterally to a second computer, always working outside office hours when it was unlikely that people would be using the machines. The attackers installed malware called ShadowPad, a sort of customizable malware platform that can be used for an assortment of attacks from DDoS to keylogging, on the compromised computers. In this case, the attackers used the keylogger functionality and other analysis features to burrow deep into Piriform's development and distribution systems. Then they waited.

Months later on August 2, just a few weeks after Avast took over Piriform, the attackers began contaminating CCleaner downloads. Though Avast, working with the FBI, was able to shut down the attackers' command and control server within three days of discovering the situation, the impact was extensive. The hackers were apparently launching a targeted attack, looking for a few needles in the massive haystack of 2.27 million "successful" malicious downloads. Of those, about 1.65 million copies of the CCleaner malware phoned home to the attackers, and they only targeted 40 with a second stage of the attack: installing ShadowPad. All of these were technology and IT enterprise targets (most CCleaner users are individuals and home users), and the attackers were able to infiltrate 11 companies through the 40 installs they picked out.

"It’s hard to tell whether the number 40 made the attackers happy or did not make them happy, but I think it was perceived as a pretty successful operation," Vlcek says. "The investment these guys had to make to infiltrate 11 companies I don’t think was very high."

During and after the remediation, Avast tracked ShadowPad and did forensic analysis on the Piriform computers compromised by the attackers. Avast found two samples of the malware toolkit in VirusTotal, one that was designed to communicate with the server of a South Korean university and one that targeted a Russian organization that is either directly related to a Russian finance ministry agency or indirectly works on distributing grants and subsidies. The latter included data on financial transactions and a government contract that Avast was able to crosscheck since it is public record.

ShadowPad has been used in targeted attacks since 2014, and evidence collected by both Avast and Kaspersky Lab in prior research indicates that its creators are Chinese-speaking. The malware has evolved, and the CCleaner attackers used both older and newer versions as they infiltrated Piriform and the 40 chosen machines infected with the malicious CCleaner updates. Avast also observed that ShadowPad, which in newer versions has that modular, customizable quality, was formerly all bundled into one program.