France ties Russia’s Sandworm to a multi-year intrusion campaign

The Russian military hackers known as Sandworm, who are responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, do not have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques linking them to Sandworm have quietly breached targets in that country using an IT monitoring tool called Centreon, and that they apparently got away with it for as long as three years.

The French information security agency ANSSI on Monday issued an advisory warning that hackers with links to Sandworm, a group within the GRU, Russia’s military intelligence agency, had breached several French organizations. The agency describes the victims as ‘mostly’ IT businesses, and especially web hosting businesses. Strikingly, ANSSI says the intrusion campaign dates back to the end of 2017 and continued until 2020. In these intrusions, the hackers appear to have compromised servers running Centreon, sold by the Paris-based firm of the same name.

Although ANSSI says it has not yet been able to identify how the servers were hacked, it found two different pieces of malware on them: a publicly available backdoor called PAS, and another known as Exaramel, which the Slovak cybersecurity firm ESET has observed Sandworm using in previous intrusions. While hacking groups do reuse each other’s malware, sometimes deliberately to mislead investigators, the French agency also says it found overlaps in the command-and-control servers used in the Centreon campaign and in previous Sandworm intrusions.

While it is far from clear what Sandworm’s hackers intended with the years-long French intrusion campaign, any Sandworm intrusion raises alarm among those who have seen the results of the group’s previous work. “Sandworm is associated with devastating intrusions,” said Joe Slowik, a researcher at security firm DomainTools who has tracked Sandworm’s activities for years, including an attack on the Ukrainian power grid in which an early variant of Sandworm’s Exaramel backdoor appeared. “Although there is no known endgame linked to this campaign documented by the French authorities, the fact that it is taking place is worrying, as the end goal of most Sandworm operations is to cause a noticeable disruptive effect. We need to give it attention.”

ANSSI did not identify the victims of the intrusion campaign. But a page on the Centreon website lists customers including telecommunications providers Orange and OptiComm, IT consulting firm CGI, defense and aviation firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, logistics firm Kuehne + Nagel, the nuclear power company EDF, and the French Department of Justice. It is unclear whether any of those customers had Centreon servers exposed to the internet.

“In any event, at this stage it has not been proven that the identified vulnerability relates to a commercial version provided by Centreon during the period in question,” Centreon said in an email, adding that it regularly releases security updates. “We are unable to determine at this stage, a few minutes after the publication of the ANSSI document, whether the vulnerabilities identified by the ANSSI were the subject of any of these patches.” ANSSI declined to comment beyond its initial advisory.

Some in the cybersecurity industry immediately interpreted the ANSSI report as describing another software supply chain attack like the one against SolarWinds. In that extensive hacking campaign, revealed late last year, Russian hackers tampered with the firm’s IT monitoring application and used it to infiltrate an unknown number of networks, including those of at least half a dozen U.S. federal agencies.

But the ANSSI report does not mention a supply chain compromise, and Slowik of DomainTools says the intrusions appear instead to have been carried out simply by exploiting internet-facing servers running the Centreon software inside the victims’ networks. He points out that this would be in line with another warning about Sandworm published by the NSA in May of last year: the intelligence agency warned that Sandworm was hacking internet-facing machines running the Exim email software, which runs on Linux servers. Since Centreon’s software runs on CentOS, which is also Linux-based, the two advisories point to similar behavior during the same period. “Both of these campaigns were run simultaneously during the same period to identify vulnerable, externally facing servers that happened to be running Linux, for initial access or movement within victim networks,” says Slowik. (Unlike Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have not yet been definitively linked to any specific intelligence agency, although security companies and the US intelligence community have attributed the hacking campaign to the Russian government.)