Hackers affiliated with one of Russia's preeminent hacking groups, Sandworm, exploited installations of a French IT monitoring product for years, an intrusion campaign that granted the group access to the internal networks of French information technology providers and web hosting providers.
Agence Nationale de la Sécurité des Systèmes d'Information, or ANSSI, France's main cybersecurity agency, disclosed the campaign in a report on Monday, outlining the tactics, techniques and procedures used by Sandworm and recommendations for organizations to detect and mitigate similar activity.
As part of the campaign, ANSSI says attackers targeted systems running Centreon - a French IT monitoring platform - over roughly three years; the first known compromises occurred in late 2017 and the last in 2020.
To maintain access, the hackers used two backdoors: the P.A.S. webshell (ANSSI points out it was version 3.1.4) and a Linux backdoor named Exaramel. Exaramel has previously been dissected by ESET, whose researchers attributed it to Telebots (Sandworm) and noted code similarities with Industroyer, the malware behind the Ukraine blackout of December 2016. It's unclear what the initial attack vector was; in its write-up, ANSSI says the webshell was found on several Centreon servers exposed to the internet.
ANSSI linked the intrusion set - the tools, tactics, techniques, procedures and characteristics used by a threat actor - to Sandworm, remarking that it bears several similarities with previous Sandworm campaigns.
In its wake, ANSSI is encouraging organizations to update applications like Centreon as soon as vulnerabilities are public and patches are issued. It is also recommending that organizations, if they don't already, export their web server logs and retain them for a year, and that they not expose monitoring systems to the internet.
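The log-retention recommendation matters because a webshell dropped on an exposed web application leaves traces in ordinary access logs, and a year of retained logs is what lets an organization look back after a disclosure like this one. As an added illustration (not from ANSSI's report or Centreon's code, using constructed log lines and a made-up script path rather than any real indicator), the following Python sketch shows the kind of retrospective check that retained web server logs make possible: it parses combined-format access logs and flags script paths that sit in directories otherwise serving only static files, or that are only ever POSTed to without a Referer, two generic webshell access patterns.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format.
# Hosts, IPs and the path /centreon/img/cache.php are invented for this
# example; they are NOT indicators published by ANSSI.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2021:08:01:12 +0100] "GET /centreon/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2021:08:01:15 +0100] "POST /centreon/index.php HTTP/1.1" 302 0 "https://mon.example/centreon/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2021:08:02:01 +0100] "GET /centreon/img/logo.png HTTP/1.1" 200 8821 "https://mon.example/centreon/main.php" "Mozilla/5.0"
192.0.2.44 - - [11/Feb/2021:02:13:07 +0100] "POST /centreon/img/cache.php HTTP/1.1" 200 412 "-" "python-requests/2.25.1"
192.0.2.44 - - [11/Feb/2021:02:13:09 +0100] "POST /centreon/img/cache.php HTTP/1.1" 200 1988 "-" "python-requests/2.25.1"
192.0.2.44 - - [12/Feb/2021:03:40:51 +0100] "POST /centreon/img/cache.php HTTP/1.1" 200 77 "-" "python-requests/2.25.1"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

STATIC_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".css", ".js", ".svg", ".ico", ".woff")
SCRIPT_EXTS = (".php", ".phtml", ".php5")


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def suspicious_script_paths(lines):
    """Return {path: [reasons]} for script paths whose access pattern looks like webshell use.

    Heuristics (generic, not tied to any particular webshell family):
      1. a script lives in a directory that otherwise only served static assets;
      2. a script was only ever requested with POST and never carried a Referer,
         i.e. it was driven by a tool rather than reached by browsing the application.
    """
    per_path = defaultdict(lambda: {"methods": set(), "ips": set(), "referers": 0, "total": 0})
    static_dirs = set()

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"]
        stats = per_path[path]
        stats["methods"].add(rec["method"])
        stats["ips"].add(rec["ip"])
        stats["total"] += 1
        if rec["referer"] not in ("", "-"):
            stats["referers"] += 1
        if path.lower().endswith(STATIC_EXTS):
            static_dirs.add(path.rsplit("/", 1)[0])

    findings = {}
    for path, stats in per_path.items():
        if not path.lower().endswith(SCRIPT_EXTS):
            continue
        reasons = []
        if path.rsplit("/", 1)[0] in static_dirs:
            reasons.append("script under a directory that otherwise serves only static files")
        if stats["methods"] == {"POST"} and stats["referers"] == 0:
            reasons.append("only ever requested with POST and never with a Referer "
                           f"({stats['total']} hits from {len(stats['ips'])} client(s))")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_script_paths(SAMPLE_LOG.splitlines()).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

Run against a year of retained logs, a check like this would not prove compromise on its own, but it narrows a large log set to a handful of paths worth pulling from disk and examining; without the retained logs there is nothing to run it over.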
The case bears some hallmarks of the massive SolarWinds hack in the US, disclosed in December, an incident whose full scope is still not known. Like SolarWinds, the Centreon campaign implicates Russia and centers on IT management/monitoring software, although in the Centreon case the evidence ANSSI describes points to the compromise of internet-exposed installations rather than of the vendor's own software.
The French firm took issue with ANSSI's claims on Tuesday, denying that any of its clients had been affected by the attack. In an Agence France-Presse report on Tuesday, Centreon insisted that only an old open-source version of its software from before 2015 was affected and that commercial users were not affected by the campaign outlined by ANSSI.
"Commercial users are not affected," a spokesperson for the group told the publication. "For users of open-source versions, they should check that the version of the software is after 2015."
Centreon also said Tuesday that it believes about 200,000 machines run the open-source version of its IT monitoring software. The firm has 720 commercial clients, including some larger companies in the engineering, technology, and information technology space.
It's unclear exactly which entities were impacted by the campaign. ANSSI's report is thin on details about victims, stating that the campaign led to the "breach of several French entities" and that "information technology providers, especially web hosting providers" were affected.
Sandworm, a group connected to Russia's GRU military intelligence agency and behind the destructive NotPetya malware attack in 2017, was charged by the United States Department of Justice last year.
Unlike NotPetya and other attacks attributed to Sandworm - the DOJ blamed the group for the 2018 attack on the Winter Olympic Games, the 2015 and 2016 blackouts in Ukraine, and an incident involving the 2017 French election - the campaign ANSSI outlined on Monday sounds less disruptive and more stealthy, akin to reconnaissance.
While the effort could simply be that - Sandworm carrying out intelligence gathering - the fact that it managed to go undetected for three years is worth paying attention to.