France has just suffered a cyber attack in the style of SolarWinds

Photo: PHILIPPE LOPEZ / AFP (Getty Images)

As the US continues to deal with the damage from the sweeping SolarWinds hack, which hit government and industry alike, France has announced that it too has suffered a major supply-chain cyber attack. The news comes with a technical report recently published by the Agence nationale de la sécurité des systèmes d'information (ANSSI), the French government's cyber security agency. As in the US, French authorities have suggested that Russia is probably involved.

According to ANSSI, a sophisticated group of hackers successfully compromised products of Centreon, a French IT firm specializing in network and systems monitoring whose software is used by many French government agencies as well as some of the country's largest companies (Air France, among others). Centreon's customer page lists the French Department of Justice, the École Polytechnique and regional public agencies as partners, as well as some of the nation's largest agri-food producers.

While ANSSI has not officially attributed the hack to any organization, the agency says the techniques used are similar to those of the Russian military hacking group Sandworm (also known as Unit 74455). The intrusion campaign, which dates back to at least 2017, allowed the hackers to breach the systems of a number of French organizations, although ANSSI declined to name the victims or say how many were affected.

Although the report does not make clear how the hackers initially compromised Centreon, it shows that once inside they used webshells to continue their intrusion campaign. Webshells are malicious scripts placed on a web server that let an attacker remotely control the website, and through it the underlying system.


Screenshot: Lucas Ropek / ANSSI report

In the case of Centreon, the hackers used two different tools, the P.A.S. webshell and the Exaramel backdoor. Both acted as backdoors that could give the attacker remote control of a website or system: “On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the Internet,” wrote the agency. Used together, the tools gave the hackers total control over a compromised system.

The report also notes that the Exaramel backdoor is identical to one used in another Sandworm campaign, previously identified by the security company ESET:

[ESET] noticed the similarities between this backdoor and Industroyer, which was used by the TeleBots intrusion set, also known as Sandworm [7]. Although this tool can be easily reused, the command and control infrastructure was known to ANSSI as being controlled by the intrusion set. It is generally known that the Sandworm intrusion set conducts consistent intrusion campaigns before focusing on specific targets that match its strategic interests in the victim group. The campaign observed by ANSSI fits this behavior.

Sandworm has gained notoriety over the years for both its criminal activity and its political operations. In October last year, half a dozen Russian intelligence officers were charged by the US Department of Justice for their role in the group's hacking operations, including attempted interference in the 2017 French elections, “losses of almost one billion dollars” from ransomware attacks on US companies, and the hack of the 2018 Olympic Games hosted in Pyeongchang.

While the purpose and scope of the Centreon campaign are not clarified in the ANSSI report, the parallels between it and the US SolarWinds supply-chain hack are clear. The bottom line? Third-party vendors pose huge security risks to large bureaucracies and corporations. Meanwhile, the question of how to effectively address this institutional vulnerability has not yet been answered satisfactorily.
