France Links Russia's Sandworm to a Multiyear Hacking Spree

Russian military hackers known as Sandworm, responsible for everything from disruptions in Ukraine to NotPetya, the most destructive malware in history, have no reputation for discretion. But a French security agency now warns that hackers using tools and techniques it links to Sandworm have broken into targets in that country by exploiting an IT monitoring tool called Centreon, and appear to have gone undetected for three years.

On Monday, the French security agency ANSSI issued a warning that hackers with links to Sandworm, a group within the Russian military intelligence agency GRU, had breached several French organizations. The agency describes those victims as “mostly” IT firms, and web hosting companies in particular. Remarkably, ANSSI says the intrusion campaign dates from the end of 2017 and continued until 2020. In these breaches, the hackers appear to have compromised servers running Centreon, which is sold by the Paris-based company of the same name.

Although ANSSI says it could not determine how these servers were hacked, it found two different pieces of malware on them: one publicly available backdoor called PAS, and another known as Exaramel, which the Slovak cybersecurity company ESET had seen Sandworm use in previous intrusions. While hacking groups do reuse each other’s malware, sometimes deliberately to mislead investigators, the French agency also says it found overlap between the command-and-control servers used in the Centreon hacking campaign and those used in previous Sandworm incidents.

Although it is far from clear what the Sandworm hackers intended over the years of the French hacking campaign, any Sandworm intrusion triggers alarms among those who have seen the results of the group’s previous work. “Sandworm is linked to destructive operations,” says Joe Slowik, a researcher for security firm DomainTools who has been tracking Sandworm’s activities for years, including an attack on the Ukrainian power grid where an early version of Sandworm's Exaramel backdoor appeared. “Even though there is no known end game related to this campaign documented by the French authorities, the fact that it is taking place is worrying, as the ultimate goal of most Sandworm operations is to cause a visible disruptive effect. We should be careful.”

ANSSI did not identify the victims of the hacking campaign. But one page of the Centreon site lists customers including telecommunications providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, logistics firm Kuehne + Nagel, the nuclear power company EDF and the French Department of Justice. It is unclear whether any of these customers had servers running Centreon exposed to the internet.

“In any case, it is not proven at this stage that the vulnerability identified concerns a commercial version provided by Centreon during the period in question,” Centreon said in an e-mailed statement, adding that it regularly releases security updates. “We are unable to specify at this stage, minutes after the publication of the ANSSI document, whether the vulnerabilities highlighted by ANSSI were the subject of one of these patches.” ANSSI declined to comment beyond its original advisory.

Some in the cybersecurity industry immediately interpreted the ANSSI report as suggesting another software supply chain attack like the one against SolarWinds. In that large-scale hacking campaign, unveiled late last year, Russian hackers modified that company’s IT monitoring application and broke into an as yet unknown number of networks, including those of at least half a dozen US federal agencies.

But the ANSSI report does not mention a supply chain compromise, and DomainTools' Slowik says the intrusions appear to have been carried out simply by exploiting internet-facing servers running Centreon software on victims’ networks. He points out that this would be in line with another warning about Sandworm, which the NSA issued in May last year: the intelligence agency warned that Sandworm was hacking internet-facing machines running the Exim email client, which runs on Linux servers. Because Centreon software runs on CentOS, which is also based on Linux, the two advisories point to similar behavior over the same time frame. “Both campaigns, in parallel over the same period of time, were used to identify vulnerable, externally facing servers that happened to run Linux, for initial access or movement within victims’ networks,” says Slowik. (Unlike Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have not yet been conclusively linked to any specific intelligence agency, although US security firms and the intelligence community have blamed the hacking campaign on the Russian government.)