Typical of intelligence operations. So who was it? I wouldn't actually put it past the NSA or CIA to do this to be honest, the intelligence boon would be huge. But they sure do love their watering holes from the looks of it. They're goal doesn't appear to have been malicious damage, rather to compromise internal structures of specific firms.. You know, like how the CIA worked hard to compromise Cisco through the supply chain, etc...In the case of CCleaner and as far as I know, the dynamic of the attack has not yet been fully made known. Clearly the fact that the system of distribution of the updates may have been compromised in this way, reveals chilling security gaps.
This is the perfect case of "watering hole attack": you aim not your final target, but one of its suppliers.