The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, have no reputation for discretion. But a French security agency now warns that hackers with tools and techniques linked to Sandworm have stealthily hacked targets in that country, exploiting an IT monitoring tool called Centreon – and appear to have escaped undetected for up to three years.
On Monday, the French information security agency ANSSI issued a warning that hackers with links to Sandworm, a group within Russia’s military intelligence agency GRU, had breached several French organizations. The agency describes these victims as “mainly” IT companies and, in particular, web hosting companies. Notably, ANSSI says the intrusion campaign began at the end of 2017 and continued until 2020. In these breaches, the hackers appear to have compromised servers running Centreon, sold by the Paris-based company of the same name.
Although ANSSI says it was unable to identify how these servers were hacked, it found two different types of malware on them: a publicly available backdoor called PAS and another known as Exaramel, which the Slovak cybersecurity company ESET has previously observed Sandworm using in intrusions. Although hacker groups reuse each other’s malware – sometimes intentionally, to mislead investigators – the French agency also says it saw overlapping command-and-control servers used in the Centreon hacking campaign and in previous Sandworm hacking incidents.
While it is far from clear what the Sandworm hackers could have intended with the years-long French hacking campaign, any intrusion by Sandworm raises alarm among those who have seen the results of the group’s previous work. “Sandworm is related to destructive operations,” said Joe Slowik, a researcher at security firm DomainTools who has tracked Sandworm’s activities for years, including an attack on the Ukrainian power grid in which an earlier variant of Sandworm’s Exaramel backdoor appeared. “Even though there are no known end games related to this campaign documented by the French authorities, the fact that it is taking place is worrying, because the ultimate goal of most Sandworm operations is to cause some noticeable disruptive effect. We must be paying attention.”
ANSSI did not identify the victims of the hacking campaign. But a page on Centreon’s website lists customers, including telecommunications providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace company Thales, steel and mining company ArcelorMittal, Airbus, Air France KLM, logistics company Kuehne + Nagel, nuclear power company EDF, and the French Department of Justice. It is unclear whether any of these customers had servers running Centreon exposed to the Internet.
“In any case, it has not been proven at this stage that the identified vulnerability concerns a commercial version provided by Centreon during the period in question,” Centreon said in an e-mailed statement, adding that it regularly releases security updates. “We are not in a position to specify at this stage, just minutes after the publication of the ANSSI document, whether the vulnerabilities pointed out by ANSSI were the subject of one of these patches.” ANSSI declined to comment beyond the initial warning.
Some cybersecurity industry professionals immediately interpreted the ANSSI report as suggesting another attack on the software supply chain of the kind carried out against SolarWinds. In that vast hacking campaign, unveiled at the end of last year, Russian hackers altered the company’s IT monitoring application and used it to penetrate an as yet unknown number of networks, including at least half a dozen U.S. federal agencies.
But the ANSSI report does not mention a supply chain compromise, and DomainTools’ Slowik says the intrusions appear to have been carried out simply by exploiting Internet-facing servers running Centreon software inside victims’ networks. He points out that this is in line with another warning about Sandworm that the NSA published in May last year: the intelligence agency warned that Sandworm was hacking Internet-facing machines running the Exim email client, which runs on Linux servers. Since Centreon software runs on CentOS, which is also based on Linux, the two alerts point to similar behavior during the same period. “Both campaigns in parallel, over the same period of time, were being used to identify vulnerable external servers running Linux for initial access or movement on victims’ networks,” said Slowik. (In contrast to Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have not yet been definitively linked to any specific intelligence agency, although security companies and the US intelligence community have attributed the hacking campaign to the Russian government.)