France Just Suffered a SolarWinds-Style Cyberattack

[Photo: PHILIPPE LOPEZ / AFP (Getty Images)]

As the US continues to map the damage from the sweeping SolarWinds hack, which targeted both government and business, France has announced that it, too, has suffered a major supply-chain cyberattack. The news comes via a technical report recently published by the Agence nationale de la sécurité des systèmes d'information (ANSSI), the French government's main cybersecurity agency. As in the US case, French authorities have suggested that Russia is likely involved.

According to ANSSI, an advanced hacker group successfully compromised products of Centreon, a French IT company specializing in network and system monitoring whose software is used by many French government agencies as well as some of the country's largest companies (Air France among them). Centreon's customer page shows that it works with the French Ministry of Justice, the École Polytechnique and regional public institutions, as well as some of the country's largest agri-food producers.

Although ANSSI did not officially attribute the hack to any organization, the agency says the techniques used show similarities to those of the Russian military hacker group "Sandworm" (also known as Unit 74455 of the GRU). The intrusion campaign, which dates back to at least 2017, allowed the hackers to breach the systems of a number of French organizations, although ANSSI has declined to name the victims or say how many were affected.

While the report does not make clear how the hackers initially compromised the Centreon installations, it shows that, once inside, they used web shells to continue their intrusion campaign. A web shell is a malicious script that an attacker plants on a web server and then drives over ordinary HTTP requests, using it to run commands, move files and manage the compromised system remotely.

[Screenshot: ANSSI report (via Lucas Ropek)]

In the case of Centreon, the hackers used two different tools, the PAS web shell and the Exaramel backdoor. Both gave the attacker the ability to take control of a compromised server and operate it remotely: "On compromised systems, ANSSI discovered the presence of a web shell backdoor on several Centreon servers that were exposed to the internet," the agency wrote. Used together, the two tools gave the attackers complete control over a compromised system.
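A practitioner reading the two paragraphs above would want a concrete check to run against an internet-exposed server like the Centreon hosts ANSSI describes. The following is an added example, not code from the article, ANSSI or Centreon: a heuristic scan of a PHP web root for dropped web shells. It assumes a PHP web application (Centreon's web interface is PHP-based, but nothing here is specific to it). The indicator patterns are generic ones written for this example and are not signatures for PAS or Exaramel, and the files in SAMPLE_FILES are constructed for the demonstration.

```python
"""Heuristic scan of a PHP web root for dropped web shells.

Added example. The indicators are generic (not PAS/Exaramel signatures) and
the sample files are constructed; the assumed target is a PHP web root.
"""
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".inc"}

# A web shell must do two things: take attacker input from the HTTP request
# and hand it to a code- or command-execution sink, usually behind an
# obfuscation layer. Each indicator looks for one of those traits.
INDICATORS = {
    # request data flowing (within one statement) into an execution sink
    "request_to_sink": re.compile(
        r"\b(?:eval|assert|system|shell_exec|passthru|exec|popen|proc_open)"
        r"\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I,
    ),
    # eval() wrapped around a decoder: the classic one-line shell
    "decode_then_eval": re.compile(
        r"\beval\s*\(\s*@?(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
        re.I,
    ),
    # variable function call whose name comes straight from the request
    "dynamic_call_from_request": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("
    ),
    # preg_replace with the /e modifier executes the replacement as PHP code
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*(['\"])/[^/\n]*/[a-z]*e[a-z]*\1", re.I
    ),
    # a very long base64 literal: a packed payload waiting to be decoded
    "packed_payload": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_source(source: str) -> list[str]:
    """Return the names of every indicator that fires on one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a web root and report each PHP file that trips at least one indicator.

    Keys are paths relative to root with '/' separators; values are the
    indicator names in INDICATORS order. Files with a non-PHP extension are
    not opened: a shell hidden behind such a name needs a server
    misconfiguration to run, which is a separate check.
    """
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples: two benign files that handle request data safely, one
# non-PHP file that is skipped, and four minimal shells of the kinds the
# indicators target. None of them is the real PAS or Exaramel code.
SAMPLE_FILES = {
    "index.php": "<?php\n$host = htmlspecialchars($_GET['host'] ?? '');\necho $host;\n",
    "include/helpers.php": "<?php\nfunction slug($s) { return preg_replace('/\\s+/', '-', $s); }\n",
    "img/logo.png": "not a script: eval(base64_decode($_POST['x']))",
    "modules/cache_tmp.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
    "modules/.up.php": "<?php $_REQUEST['f']($_REQUEST['a']); ?>",
    "modules/img.php": "<?php $p = '" + "QUJC" * 60 + "'; eval(gzinflate(base64_decode($p)));\n",
    "modules/legacy.php": '<?php preg_replace("/.*/e", $_POST["p"], ""); ?>',
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Against a real server, call scan_webroot() on the application's document root and treat each hit as a triage lead, not proof: compare flagged files against the package manager's file list and the vendor release, and look at file ownership and modification times. Regex indicators like these catch the common one-liner and packed shells but miss ones that split the request read and the sink across statements or files, so they complement, rather than replace, integrity monitoring and web-server access-log review.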

The report also notes that the Exaramel backdoor is identical to one used in another Sandworm campaign and previously identified by the Slovak security firm ESET:

[ESET] noted the similarities between this backdoor and Industroyer, used by the TeleBots intrusion set, also known as Sandworm [7]. Even if this tool could be easily reused, ANSSI knew the command-and-control infrastructure was managed by the intrusion set. In general, the Sandworm intrusion set is known to lead broad intrusion campaigns before focusing on specific targets that fit its strategic interests within the victim pool. The campaign observed by ANSSI fits this behavior.

Sandworm has gained notoriety over the years for both its criminal activities and its political interference. Last October, the US Department of Justice charged six Russian intelligence officers for their roles in the group's operations, including attempts to interfere in the 2017 French election, "nearly $1 billion in losses" from the NotPetya malware attacks on US companies, and the hacking of the 2018 Winter Olympics in Pyeongchang.

While the scope and purpose of the Centreon campaign are not made clear in the ANSSI report, the parallels with the SolarWinds supply-chain hack in the US are clear. The takeaway? External suppliers pose enormous security risks to large bureaucracies and companies, and the question of how to patch this institutional vulnerability effectively has yet to be answered satisfactorily.
