France Ties Russia's Sandworm Hackers to a Multiyear Hacking Spree

The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, do not have a reputation for discretion. But a French security agency now warns that hackers using tools and techniques it links to Sandworm have stealthily compromised targets in that country by exploiting an IT monitoring tool called Centreon, and it appears they got away with it undetected for three years.

On Monday, the French cybersecurity agency ANSSI issued an advisory warning that hackers with links to Sandworm, a group within Russia's GRU military intelligence agency, had breached several French organizations. The agency describes these victims as "primarily" IT companies and, in particular, web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued through 2020. In these breaches, the hackers appear to have compromised servers running Centreon, sold by the Paris-based firm of the same name.

Although ANSSI says it has not been able to identify how those servers were compromised, it found two different pieces of malware on them: a publicly available web shell called PAS and a backdoor known as Exaramel, which the Slovak cybersecurity firm ESET has seen Sandworm use in previous intrusions. While hacking groups do reuse each other's tools (sometimes intentionally, to mislead investigators), the French agency also says it sees an overlap between the command-and-control servers used in the Centreon hacking campaign and those used in previous Sandworm hacking incidents.

While it's not clear what the Sandworm hackers intended with the years-long French hacking campaign, any intrusion by Sandworm raises alarms among those who have seen the results of the group's past work. "Sandworm is related to destructive operations," says Joe Slowik, a researcher at security firm DomainTools who has tracked Sandworm's activities for years, including an attack on the Ukrainian power grid in which an earlier variant of Sandworm's Exaramel backdoor appeared. "Although the French authorities do not document any endgame related to this campaign, the fact that it is occurring is worrying, because the ultimate goal of most Sandworm operations is to cause some noticeable detrimental effect. We should be attentive."

ANSSI did not identify the victims of the hacking campaign. But a page on Centreon's website lists customers including telecommunications providers Orange and OptiComm, IT consultancy CGI, defense and aerospace company Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, the logistics firm Kuehne + Nagel, the nuclear power company EDF, and the French Department of Justice. It is unclear whether any of these customers had servers running Centreon exposed to the internet.

"In any case, it has not been demonstrated at this stage that the vulnerability identified relates to a commercial version provided by Centreon during the period in question," Centreon said in an emailed statement, adding that it regularly publishes security updates. "We are not in a position to specify at this stage, a few minutes after the publication of the ANSSI document, whether the vulnerabilities identified by ANSSI have been the subject of any of these patches." ANSSI declined to comment beyond its initial advisory.

Some in the cybersecurity industry immediately read the ANSSI report as pointing to another software supply chain attack of the kind carried out against SolarWinds. In that extensive hacking campaign, revealed late last year, Russian hackers tampered with the company's IT monitoring application and used it to penetrate an as-yet-unknown number of networks, including at least half a dozen U.S. federal agencies.

But the ANSSI report does not mention a supply chain compromise, and DomainTools' Slowik says the intrusions appear to have been carried out simply by exploiting internet-facing servers running Centreon's software on the victims' networks. He points out that this would be in line with another warning about Sandworm that the NSA issued in May of last year: the intelligence agency warned that Sandworm was hacking internet-facing machines running the Exim mail transfer agent, which runs on Linux servers. Since Centreon's software runs on CentOS, which is also Linux-based, the two advisories point to similar behavior over the same period of time. "Both campaigns in parallel, over the same period of time, were being used to identify vulnerable servers that were facing externally and that were running Linux for initial access or movement to victim networks," says Slowik. (In contrast to Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have not yet been definitively linked to any specific intelligence agency, although security firms and U.S. intelligence agencies have attributed that hacking campaign to the Russian government.)
