France Just Suffered a SolarWinds-Style Cyber Attack

Photo: PHILIPPE LOPEZ / AFP (Getty Images)

As the US continues to assess the damage from the sprawling SolarWinds hack, which hit government agencies as well as industry, France has announced that it too has suffered a major supply-chain cyber attack. The news comes via a technical report recently published by the National Agency for the Security of Information Systems (ANSSI), the French government's lead agency for cyber security. As in the US, the French authorities have implied that Russia is probably involved.

According to ANSSI, a sophisticated hacking group successfully compromised products of Centreon, a French IT firm specializing in network and system monitoring whose software is used by many French government agencies as well as some of the country's largest companies (Air France among them). Centreon's customer page shows that it works with the French Ministry of Justice, École Polytechnique and local public bodies, as well as some of the country's largest agri-food producers.

ANSSI did not officially attribute the hack to any organization, but the agency says the techniques used resemble those of the Russian military hacking group "Sandworm" (also known as GRU Unit 74455). The campaign, which dates back at least to 2017, allowed the attackers to breach a number of French organizations, although ANSSI declines to name the victims or say how many were affected.

Although the report does not make clear how the hackers initially compromised Centreon, it does show that, once inside, they used webshells to extend their intrusion. A webshell is a malicious script planted on a web server that lets an attacker run commands on the host and control it remotely through ordinary HTTP requests, with no separate malware channel needed. That also means a webshell only helps the attacker on a server that is reachable from the Internet, which is exactly where ANSSI found them.

Screenshot: ANSSI report (Lucas Ropek)

In the Centreon case, the attackers used two tools: the P.A.S. webshell and the Exaramel backdoor. Both gave the attacker remote control of the compromised host: "ANSSI discovered on compromised systems a backdoor in the form of a webshell on multiple Centreon servers exposed to the Internet," wrote the agency. Used together, the webshell for initial access and command execution and the backdoor for persistent access, the two tools give a hacker total control over a system.
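To make the webshell point concrete, here is an added example that is not code from the ANSSI report or from Centreon: a Python triage script that scores PHP files by whether attacker-controlled request input reaches a code- or command-execution sink, the pattern that defines a PHP webshell like P.A.S. The sample files, the indicator lists and the scoring weights are constructed for this demo and are assumptions, not the signatures ANSSI used.

```python
"""Heuristic triage of PHP files for webshell patterns (illustrative, not ANSSI's detection logic)."""
import re
from dataclasses import dataclass, field

# PHP superglobals carrying attacker-controlled input (assumed list, not from the ANSSI report).
REQUEST_SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b")
# Functions that turn a string into PHP code or an OS command.
EXEC_SINKS = re.compile(
    r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\("
)
# Decoders typically layered between source and sink to defeat naive grep.
OBFUSCATION = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")
# A call through a variable, e.g. $f($a), lets the function name itself come from the request.
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(")


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def analyze_php(path: str, source: str) -> Finding:
    """Score one PHP file; higher means more webshell-like. Rules are additive."""
    f = Finding(path)
    # Split on ';' as a rough statement boundary; good enough for triage, not a parser.
    for stmt in (s.strip() for s in source.split(";") if s.strip()):
        sink = EXEC_SINKS.search(stmt)
        if sink is None:
            continue
        name = sink.group(0)[:-1].strip()
        if REQUEST_SOURCES.search(stmt):
            f.score += 5
            f.reasons.append(f"request input reaches {name}(): {stmt[:60]}")
        if OBFUSCATION.search(stmt):
            f.score += 3
            f.reasons.append(f"decoder output feeds {name}(): {stmt[:60]}")
    has_source = REQUEST_SOURCES.search(source) is not None
    if has_source and DYNAMIC_CALL.search(source):
        f.score += 2
        f.reasons.append("function called through a variable while request input is in scope")
    if has_source and EXEC_SINKS.search(source):
        f.score += 1
        f.reasons.append("request superglobal and execution sink both present in file")
    return f


def triage(files: dict, threshold: int = 2) -> list:
    """Return findings at or above threshold, most suspicious first."""
    found = [analyze_php(p, s) for p, s in files.items()]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: (-f.score, f.path))


# Constructed sample files for the demo; not artifacts from the Centreon intrusion.
SAMPLES = {
    "legit.php": '<?php $name = htmlspecialchars($_GET["name"] ?? "world"); echo "Hello $name"; ?>',
    "shell.php": '<?php @eval($_POST["cmd"]); ?>',
    "obf.php": '<?php $k = $_COOKIE["k"]; eval(base64_decode($k)); ?>',
    "dyn.php": '<?php $f = $_REQUEST["f"]; $a = $_REQUEST["a"]; $f($a); ?>',
}

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(f"{finding.path}: score {finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
```

Run `analyze_php` over the document root of any Internet-exposed web server, the situation ANSSI describes, and compare hits against the files the installed package actually ships; a PHP file the package manifest does not account for, with any score above zero, is worth pulling for manual review. The heuristics trade precision for recall: a legitimate admin tool can score, and an attacker can split source and sink across files or functions to slip under them, so treat the output as a worklist, not a verdict.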

The report also notes that the Exaramel backdoor is identical to one used in another Sandworm campaign and previously documented by the Slovak security firm ESET:

[ESET] noted the similarities between this backdoor and Industroyer, used by the intrusion set TeleBots, also known as Sandworm [7]. Although this tool can be easily reused, the command and control infrastructure was known by ANSSI to be controlled by the intrusion set. It is generally known that the Sandworm intrusion set conducts consequential intrusion campaigns before focusing on specific targets that match its strategic interests within the pool of victims. The campaign observed by ANSSI fits this behaviour.

Sandworm has gained notoriety over the years for its criminal activity and its political interference. Last October, six Russian intelligence officers were charged by the U.S. Department of Justice for their roles in the group's operations, including attempted interference in the 2017 French election, "nearly $1 billion in losses" from ransomware attacks on U.S. businesses, and attempts to disrupt the 2018 Winter Olympics in Pyeongchang.

The scope and purpose of the Centreon campaign are not spelled out in the ANSSI report, and the mechanics differ from SolarWinds (the report describes webshells on Internet-exposed servers, not a tampered software update), but the parallel is clear enough: a widely deployed third-party monitoring product became the way in. The takeaway? Third-party vendors pose major security risks to large bureaucracies and corporations, and the question of how to effectively patch that institutional vulnerability has yet to be answered satisfactorily.
