The malware attack on the Windows utility CCleaner, which was announced earlier this week, wasn’t just a simple attack and is much worse than it first appeared. In the days since the attack, researchers have been poring through data and have found evidence that the attackers were targeting some of the world’s most powerful tech companies.

New blog posts from Cisco’s Talos research group and Avast detail the findings. At the time the malware outbreak was stopped, the attackers were targeting a string of internal domains with a second-stage payload.

The list of domains, published by Talos, reveals a number of major tech companies. Targeted domains include an internal domain for Windows developers and an internal Gmail domain for Google employees, while the other targets include Samsung, Sony, Intel, and Akamai.

Avast researchers wrote, “This was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were.” Researchers now estimate only 700,000 computers were exposed by the attack, down from earlier estimates of more than 2 million.

As for the group behind the hack, Kaspersky researchers have noted significant code overlap between the CCleaner attack and previous attacks by the Axiom threat group, which has been tied to Chinese intelligence services before.