France links Russia's Sandworm to a multi-year hacking spree

The Russian military hackers known as Sandworm, responsible for everything from Ukraine blackouts to NotPetya, the most destructive malware in history, have no reputation for discretion. But a French security agency is now warning that hackers with tools and techniques it links to Sandworm have quietly breached targets in that country using an IT monitoring tool called Centreon, and it seems they went unnoticed for three years.

On Monday, the French information security agency ANSSI released an advisory warning that hackers with links to Sandworm, a group within Russia's military intelligence agency GRU, had breached several French organizations. The agency describes those victims as "mainly" IT companies and in particular web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and lasted until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the Parisian company of the same name.

While ANSSI says it was unable to determine how those servers were hacked, it found two different types of malware on them: a publicly available backdoor called PAS, and another known as Exaramel, which the Slovakian cybersecurity firm ESET has linked to Sandworm in previous breaches. Although hacker groups do reuse each other's malware, sometimes deliberately to mislead researchers, the French agency also says there are overlaps between the command and control servers used in the Centreon hacking campaign and those used in previous Sandworm hacking incidents.

While it's far from clear what the Sandworm hackers intended with the years-long French hacking campaign, any Sandworm break-in raises the alarm among those who have seen the results of the group's previous work. "Sandworm has been linked to destructive operations," said Joe Slowik, a researcher at security firm DomainTools who has been tracking Sandworm's activities for years, including an attack on the Ukrainian power grid in which an early variant of Sandworm's Exaramel backdoor appeared. "While there is no known endgame linked to this campaign documented by the French authorities, the fact that it is taking place is alarming, as the ultimate goal of most Sandworm operations is to produce a noticeable disruptive effect."

ANSSI has not identified the victims of the hacking campaign. But a page on Centreon's website lists customers including telecom providers Orange and OptiComm, IT consultancy CGI, defense and aerospace company Thales, steel and mining company ArcelorMittal, Airbus, Air France KLM, logistics company Kuehne + Nagel, nuclear power company EDF and the French Ministry of Justice. It is unclear whether any of those clients had servers running Centreon exposed to the Internet.

"In any case, it has not been proven at this stage that the identified vulnerability relates to a commercial version provided by Centreon during the relevant period," Centreon said in an emailed statement, adding that it regularly releases security updates. "We cannot specify at this stage, a few minutes after the publication of the ANSSI document, whether the vulnerabilities identified by ANSSI were the subject of any of these patches." ANSSI declined to comment beyond its original advisory.

Some in the cybersecurity industry immediately interpreted the ANSSI report as another software supply chain attack along the lines of the one carried out against SolarWinds. In that extensive hacking campaign, revealed late last year, Russian hackers tampered with that company's IT monitoring application and used it to penetrate an as-yet-unknown number of networks, including at least half a dozen US federal agencies.

But ANSSI's report makes no mention of a supply chain compromise, and DomainTools' Slowik says the breaches appear instead to have been carried out simply by exploiting web-facing servers running Centreon's software within the victims' networks. He points out that this would be in line with another warning about Sandworm published by the NSA in May last year: the agency warned that Sandworm was hacking into Internet-facing machines running the Exim email client, which runs on Linux servers. Since Centreon's software runs on CentOS, which is also based on Linux, the two advisories indicate similar behavior over the same period. "Both campaigns, in parallel during part of the same period, were used to identify remote-facing, vulnerable servers that happened to be running Linux for initial access or movement within victims' networks," said Slowik. (Unlike Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have yet to be definitively linked to a specific intelligence agency, although security firms and the US intelligence community have attributed the hacking campaign to the Russian government.)
