France has just suffered a SolarWinds-style cyberattack

Photograph: PHILIPPE LOPEZ / AFP (Getty Images)

As the US continues to map the damage from the sprawling SolarWinds hack, which targeted both government and industry, France has announced that it too has suffered a major supply-chain cyberattack. The news comes via a newly released technical report from the Agence nationale de la sécurité des systèmes d’information, or simply ANSSI, the French government’s top cybersecurity agency. Like the US, French authorities have hinted that Russia is probably involved.

According to ANSSI, a sophisticated group of hackers managed to compromise products of Centreon Systems, a French IT company specializing in network and system monitoring whose software is used by many French government agencies, as well as some of the largest companies in the country (Air France, among others). Centreon’s customer page shows that it has worked with the French Ministry of Justice, the École Polytechnique and regional public agencies, as well as some of the biggest agri-food producers.

Although ANSSI has not officially attributed the hack to any organization, the agency says the techniques used bear similarities to those of the Russian military hacking group “Sandworm” (also known as Unit 74455). The intrusion campaign, which dates back to at least 2017, allowed the hackers to breach the systems of a number of French organizations, although ANSSI declined to name the victims or say how many were affected.

While the report does not make clear how the hackers initially compromised Centreon, it shows that, once inside, they used webshells to further their intrusion campaign. Webshells are malicious scripts planted on a server that allow an attacker to access and control a website or system remotely.

Screenshot: Lucas Ropek / ANSSI report

In Centreon’s case, the hackers used two different scripts, PAS and Exaramel. Both acted as backdoors that could allow the hacker to take control of a website or system remotely: “On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell installed on several Centreon servers exposed to the internet,” the agency wrote. Used together, the scripts gave the hackers complete control over the compromised system.

The report also notes that the Exaramel backdoor is identical to one used in an earlier Sandworm campaign that had previously been identified by the French security company ESET:

[ESET] noted the similarities between this backdoor and Industroyer, which was used by the TeleBots intrusion set, also known as Sandworm [7]. Even though this tool can be easily reused, the command and control infrastructure was known to ANSSI as being controlled by the intrusion set. Generally speaking, the Sandworm intrusion set is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the group of victims. The campaign observed by ANSSI fits this behavior.

Sandworm has gained notoriety over the years for both its criminal activity and its political intrusions. Last October, half a dozen Russian intelligence officers were indicted by the US Department of Justice for their role in the hacking group’s crimes, including attempted interference in the 2017 French elections, “nearly one billion dollars in losses” from ransomware attacks on American companies, and attempts to hack the 2018 Olympic Games hosted in Pyeongchang.

While the scope and purpose of the Centreon campaign are not clear from the ANSSI report, the parallels between it and the SolarWinds supply-chain hack in the US are obvious. The takeaway? Third-party vendors pose immense security risks for large bureaucracies and corporations. The question of how to effectively fix this institutional vulnerability, however, has not yet been answered satisfactorily.
