Many were wondering why the attackers didn't roll out the second stage of their malware attack but it appears the hack focused on very specific targets. Research by Cisco's Talos security unit reveals many multinational tech giants were specifically targeted through delivery of a second-stage payload.
Rather than the general public, the malware targeted companies like Singtel, Samsung, HTC, Sony, VMware, Intel, Cisco, Vodafone, Linksys, Epson, MSI, Google, and Akamai. Cisco Talos concludes this attack was performed by a fairly sophisticated attacker, who designed a supply chain attack to compromise a vast number of victims in hopes to land some payloads on PCs at very specific target networks. This suggests the attack had economic espionage as motivation.
Interestingly the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.
These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.