France's national cybersecurity agency reported that a group of Russian military hackers, known as Sandworm, was behind a three-year operation in which they breached the internal networks of numerous French entities through the Centreon IT monitoring software. The attacks are detailed in a technical report published on 15 February by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), France's main cybersecurity agency.
According to ANSSI, the attacks carried out by the Russian military hacker group mainly affected IT providers, and web hosting providers in particular. The agency added that the group's first victim appears to have been hit at the end of 2017, and that the campaign lasted until 2020.
The attackers' entry point was Centreon, an IT resource monitoring platform developed by the French company Centreon and similar in functionality to SolarWinds' Orion platform.
ANSSI reports that the group targeted Centreon systems exposed to the Internet. However, the agency has not yet been able to determine whether the attackers exploited a vulnerability in the Centreon software or simply guessed the passwords of administrator accounts.
According to ZDNet, after a successful intrusion the attackers installed a version of the PAS web shell and the Exaramel backdoor trojan. The combination of these two malware executables gave the hackers full control of the compromised system and its adjoining network.
As mentioned above, ANSSI attributed these attacks to the Sandworm APT group.
In October 2020, the US Department of Justice (DoJ) formally indicted six Russian military officers for their involvement in cyber-attacks orchestrated by the group, formally linking Sandworm to Unit 74455 of the GRU, the military intelligence agency of the Russian armed forces.
The group's past cyber-attacks include the disruption of Ukraine's power grid in 2015 and 2016, the NotPetya ransomware outbreak in 2017, the attack on the opening ceremony of the PyeongChang Winter Olympics in 2018, and a mass defacement of Georgian websites in 2019.
The DoJ also linked the group to attacks on France, including spear-phishing campaigns and related hack-and-leak attempts against French President Macron's party "La République En Marche", a campaign also known as the Macron leaks.
With all of the above in mind, ANSSI recommends that both French and international organizations inspect their Centreon installations for the presence of the two malware executables, PAS and Exaramel, since finding either would indicate that the organization was breached by Sandworm in recent years.
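As an added illustration of what such an inspection can look like in practice (this is example code written for this article, not a tool from ANSSI or Centreon), the script below walks a web root the way a responder would walk a Centreon installation, flags PHP files that combine run-time code evaluation or command execution with payload decoding or request-supplied input, and compares every file's SHA-256 against a list of known-bad hashes. The detection heuristics, the file names and the sample tree are all constructed for the demo; the `known_bad_hashes` argument is a placeholder for the indicators published in ANSSI's report, which are not reproduced on this page.

```python
"""Hunt for webshell-like PHP files under a web root and match file hashes against an IoC list."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, List, Optional

# Constructed heuristics for PHP webshell behaviour: code evaluated at run time, decoding of
# obfuscated payloads, OS command execution, and request parameters fed into those calls.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "decoder": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec": re.compile(r"\b(?:system|passthru|shell_exec|proc_open|popen)\s*\(", re.I),
    "request_input": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I),
}
PHP_SUFFIXES = (".php", ".phtml", ".php5")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_php_file(path: Path, known_bad_hashes: FrozenSet[str] = frozenset()) -> Optional[dict]:
    """Return a finding for a suspicious file, or None when nothing is flagged."""
    digest = sha256_of(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))
    hash_match = digest in known_bad_hashes
    # Reading $_POST on its own is normal for a web application; only flag when eval/exec is
    # combined with decoding or request input, or when the hash is on the IoC list.
    strong = ("eval" in hits or "exec" in hits) and len(hits) >= 2
    if not (hash_match or strong):
        return None
    return {"path": str(path), "sha256": digest, "hits": hits, "hash_match": hash_match}


def hunt(web_root: Path, known_bad_hashes: FrozenSet[str] = frozenset()) -> List[dict]:
    """Walk the web root and collect findings for every PHP file that scan_php_file flags."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(PHP_SUFFIXES):
                finding = scan_php_file(Path(dirpath) / name, known_bad_hashes)
                if finding:
                    findings.append(finding)
    return findings


def build_demo_tree(base: Path) -> Dict[str, Path]:
    """Constructed sample tree: a benign front controller, a benign helper, and a dropped shell."""
    www = base / "www"
    (www / "cache").mkdir(parents=True)
    (www / "lib").mkdir()
    index = www / "index.php"
    index.write_text('<?php require_once "config.php"; $page = $_GET["p"] ?? "home";\n'
                     'include "pages/" . basename($page) . ".php";\n')
    helper = www / "lib" / "helper.php"
    helper.write_text("<?php function add($a, $b) { return $a + $b; }\n")
    # Constructed webshell-like file: decoded request input passed straight to eval.
    dropped = www / "cache" / ".x.php"
    dropped.write_text('<?php @eval(base64_decode($_POST["c"])); ?>\n')
    return {"index": index, "helper": helper, "dropped": dropped}


def run_demo() -> Dict[str, object]:
    """Run the hunt twice: heuristics only, then with a placeholder IoC hash list."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        paths = build_demo_tree(base)
        baseline = hunt(base)
        # Placeholder IoC list: in practice this holds the hashes published by ANSSI.
        # Here the benign helper's hash stands in, to show that a hash match alone flags a file.
        iocs = frozenset({sha256_of(paths["helper"])})
        with_iocs = hunt(base, iocs)
        return {"baseline": baseline, "with_iocs": with_iocs,
                "dropped": str(paths["dropped"]), "helper": str(paths["helper"])}


if __name__ == "__main__":
    for label, findings in (("heuristics", run_demo()["baseline"]), ("with IoCs", run_demo()["with_iocs"])):
        print(f"[{label}]")
        for f in findings:
            print(f"  {f['path']}  hits={f['hits']}  hash_match={f['hash_match']}")
```

Run it as `python hunt_webshell.py` to see the constructed tree scanned, or call `hunt(Path("/usr/share/centreon/www"), frozenset(iocs))` against a real installation with the hash list from the ANSSI report. The two-signal rule in `scan_php_file` is the deliberate design choice: a single hit on request input is expected in any PHP application, so requiring eval/exec plus a second indicator keeps the false-positive rate usable, while a hash match is accepted on its own because a known-bad file needs no further corroboration.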
Finally, it is worth noting that, unlike the SolarWinds case, the attacks involving Centreon systems appear to be opportunistic exploitation of Internet-exposed systems rather than a supply chain attack, as several security experts pointed out on Twitter.