The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, do not have a reputation for discretion. But a French security agency is now warning that hackers using Sandworm-related tools and techniques have stealthily broken into targets in that country by way of an IT monitoring tool called Centreon, and appear to have gone undetected for three years.
On Monday, the French information security agency ANSSI issued an advisory warning that hackers tied to Sandworm, a group within Russia's GRU military intelligence agency, had breached several French organizations. The agency describes the victims as "primarily" IT companies, and web hosting companies in particular. Remarkably, ANSSI says the intrusion campaign dates back to the end of 2017 and continued until 2020. In these breaches, the hackers appear to have compromised servers running Centreon, a monitoring product sold by the Paris-based firm of the same name.
Although ANSSI says it was unable to determine how these servers were hacked, it found two kinds of malware on them: a publicly available backdoor called PAS, and another known as Exaramel, which the Slovak cybersecurity firm ESET has previously observed Sandworm using in earlier intrusions. Because hacking groups reuse each other's malware, sometimes deliberately to mislead investigators, the French agency also points to an overlap between the command-and-control servers used in the Centreon campaign and those seen in previous Sandworm hacking incidents.
While it is far from clear what the Sandworm hackers were after in the years-long French hacking campaign, any intrusion by Sandworm raises alarm among those who have seen the results of the group's earlier work. "Sandworm is linked to destructive operations," says Joe Slowik, a researcher at the security firm DomainTools who has followed Sandworm's activities for years, including an attack on the Ukrainian power grid in which an early variant of Sandworm's Exaramel backdoor appeared. "Even though there is no known endgame linked to this campaign documented by French authorities, the fact that it is taking place is of concern, as the end goal of most Sandworm operations is to cause a noticeable, disruptive effect. We need to be careful."
ANSSI has not identified the victims of the hacking campaign. But a page on Centreon's website lists customers including the telecommunications providers Orange and OptiComm, the IT consultancy CGI, the defense and aerospace firm Thales, the steel and mining firm ArcelorMittal, Airbus, Air France KLM, the logistics firm Kuehne + Nagel, the nuclear energy firm EDF and the French Ministry of Justice. It is not known whether any of these customers had servers running Centreon exposed to the internet.
"It is in no way proven at this stage that the identified vulnerability concerns a commercial version provided by Centreon over the period in question," Centreon said in an emailed statement, adding that it regularly publishes security updates. "We are not able to specify at this stage, a few minutes after the publication of the ANSSI document, whether the vulnerabilities reported by ANSSI have been the subject of one of these fixes." ANSSI declined to comment beyond its initial advisory.
Some in the cybersecurity industry immediately read the ANSSI report as suggesting another software supply chain attack of the kind carried out against SolarWinds. In that massive hacking campaign, revealed at the end of last year, Russian hackers modified the company's IT monitoring application and used it to penetrate an as-yet-unknown number of networks, including those of at least half a dozen US federal agencies.
But the ANSSI report makes no mention of a supply chain compromise, and Slowik of DomainTools says the intrusions instead appear to have been carried out simply by exploiting internet-connected servers running Centreon software inside the victims' networks. He points out that this would match another warning about Sandworm that the NSA issued in May of last year: the intelligence agency warned that Sandworm was hacking internet-connected machines running the Exim mail transfer agent, which runs on Linux servers. Since Centreon's software runs on CentOS, which is also Linux-based, both advisories describe similar behavior during the same period. "These two campaigns in parallel, during part of the same period of time, were used to identify vulnerable out-facing servers that were running Linux for initial access or movement within the victim networks," explains Slowik. (Unlike Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have not yet been definitively linked to a specific intelligence agency, although security firms and the U.S. intelligence community have attributed the hacking campaign to the Russian government.)