France has just suffered a SolarWinds-style cyberattack

Photo: PHILIPPE LOPEZ / AFP (Getty Images)

While the US continues to tally the damage from the sweeping “SolarWinds” hack, which hit both government and industry, France has announced that it too has suffered a major supply-chain cyberattack. The news comes via a technical report recently published by the National Information Systems Security Agency, or simply ANSSI, the French government's main cybersecurity agency. As in the US, French authorities have indicated that Russia is probably involved.

According to ANSSI, a sophisticated hacking group successfully penetrated products made by Centreon, a French IT company specializing in network and systems monitoring software used by many French government agencies as well as some of the country's largest companies (Air France, among others). Centreon's customer page shows that it works with the French Department of Justice, the École Polytechnique and regional public agencies, as well as some of the country's largest agri-food producers.

Although ANSSI did not officially attribute the hacking to any organization, the agency says the techniques used are similar to those of the Russian military hacking group “Sandworm” (also known as Unit 74455). The intrusion campaign, which dates back to at least 2017, allowed the hackers to breach the systems of several French organizations, although ANSSI has declined to name the victims or say how many were affected.

While the report does not make clear how the hackers initially compromised Centreon, it shows that, once inside, they used webshells to advance their intrusion campaign. Webshells are malicious scripts placed on a web server that allow a bad actor to remotely hijack a website or system and control it.

Screenshot: Lucas Ropek / ANSSI report

In the case of Centreon, the hackers used two different scripts, PAS and Exaramel. Both acted as backdoors that could let an attacker gain control of a website or system and operate it remotely: “On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet,” the agency wrote. Used together, the scripts gave the hackers full control of a compromised system.

The report also notes that the Exaramel backdoor is identical to one used in a different Sandworm campaign and had previously been identified by French security firm ESET:

[ESET] noted the similarities between this backdoor and Industroyer, which was used by the TeleBots intrusion set, also known as Sandworm [7]. Even though this tool can be easily reused, ANSSI knew that the command and control infrastructure was controlled by the intrusion set. Broadly speaking, the Sandworm intrusion set is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victim set. The campaign observed by ANSSI fits this behavior.

Sandworm has gained notoriety over the years, both for its criminal activity and for its political interference. Last October, half a dozen Russian intelligence officers were indicted by the U.S. Department of Justice for their role in the hacking group's crimes, including attempted interference in the 2017 French election, “losses of nearly a billion dollars” from ransomware attacks on North American companies, and attempts to hack the 2018 Olympics hosted in Pyeongchang.

While the scope and purpose of the Centreon campaign are not made clear in the ANSSI report, the parallels with the SolarWinds supply-chain hack in the United States are obvious. The conclusion? Third-party vendors pose enormous security risks to large bureaucracies and corporate bodies. Meanwhile, the question of how to effectively remedy this institutional vulnerability has yet to be satisfactorily resolved.
