Inside the Unnerving CCleaner Supply Chain Attack
Hackers initially got onto Piriform’s London networks by using stolen credentials to log into a TeamViewer remote desktop account on a developer PC. From there, the attackers moved laterally to a second computer, always working outside office hours when it was unlikely that people would be using the machines. The attackers installed malware called ShadowPad, sort of customizable malware platform that can be used for an assortment of attacks from DDoS to keylogging, on the compromised computers.
In this case, the attackers used the keylogger functionality and other analysis features to burrow deep into Piriform’s development and distribution systems. Then they waited.
Source: wired.com