French authorities blame Sandworm hack group for Centreon attacks
The French National Agency for Information Systems Security (ANSSI) has attributed a three-year campaign against several French organizations running the Centreon monitoring software to the Russian state-backed hacking group Sandworm (also known as Telebots, BlackEnergy and Voodoo Bear).
The agency's report says that the attacks mainly affected IT service providers, especially hosting companies, and that the first victim was compromised at the end of 2017. The intrusions are associated with the Centreon monitoring platform, developed by the French company of the same name. In functionality, the product is almost identical to SolarWinds' Orion platform, whose compromise was reported last December.
Centreon's customers include many well-known organizations, such as Airbus, Air France, KLM, Agence France-Presse (AFP), Euronews, Orange, ArcelorMittal, Sephora and even the French Ministry of Justice.
"The attackers attacked Centreon systems accessible over the Internet, but it remains unclear whether the hackers exploited some vulnerability in Centreon or brute-forced passwords for administrator accounts," ANSSI experts write.
What is known is that many of the victims were running the latest versions of Centreon, and that this was not a supply-chain attack as in the SolarWinds case.
Where an attack succeeded, the intruders deployed the PAS web shell and the Exaramel backdoor, which gave them full control of the compromised system and the adjacent network.
ANSSI is urging French and international organizations alike to check their Centreon installations and surrounding systems for signs of compromise, including the presence of the PAS and Exaramel malware.
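The check ANSSI asks for starts with hunting for web shells on the monitoring host. The script below is an added example written for this article, not code from ANSSI, Centreon or the report; it assumes (as an assumption, not something the report states) that the Centreon web interface is served from a PHP web root, and it uses generic obfuscation heuristics common to PHP web shells rather than any indicator of compromise for PAS or Exaramel, which the article does not provide. The sample web root it scans is constructed inline so the example runs offline; paths, file names and file contents are all invented fixtures.

```python
"""Heuristic web-shell hunt over a PHP web root (defender-side triage aid).

A file is reported when it matches at least `min_markers` distinct marker
classes, which keeps ordinary application code (one base64_decode, one
$_POST read) out of the findings while surfacing eval-plus-decoder chains.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Marker classes commonly seen in obfuscated PHP web shells. These are general
# heuristics, not IoCs from the ANSSI report.
SUSPICIOUS_PATTERNS: Dict[str, re.Pattern] = {
    "dynamic_eval": re.compile(r"\beval\s*\(", re.I),
    "decode_chain": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "command_exec": re.compile(r"\b(shell_exec|passthru|system|proc_open|popen)\s*\(", re.I),
    "user_input": re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    # A single quoted blob of 200+ base64-alphabet characters is rare in hand-written code.
    "long_opaque_string": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".inc")


@dataclass
class Finding:
    path: str           # path relative to the scanned web root
    markers: List[str]  # marker classes that matched, in table order


def scan_php_source(source: str) -> List[str]:
    """Return the names of every marker class that matches the given PHP source."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(source)]


def hunt_web_shells(web_root: str, min_markers: int = 2) -> List[Finding]:
    """Walk `web_root` and report PHP files matching `min_markers` or more classes."""
    findings: List[Finding] = []
    for dirpath, _dirs, filenames in os.walk(web_root):
        for filename in filenames:
            if not filename.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole hunt
            markers = scan_php_source(source)
            if len(markers) >= min_markers:
                findings.append(Finding(os.path.relpath(path, web_root), markers))
    return sorted(findings, key=lambda f: f.path)


def build_sample_web_root() -> str:
    """Create a constructed sample web root in a temp dir and return its path.

    Two files look like normal application code (one $_POST read, one
    base64_decode helper); two use eval-plus-decoder chains. The encoded
    blob is a placeholder ('QUFB' repeated) and does not decode to anything.
    """
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    fixtures = {
        "www/index.php": "<?php\n$user = $_POST['login'] ?? '';\necho htmlspecialchars($user);\n",
        "www/include/token.php": "<?php\nfunction decode_token($t) { return base64_decode($t); }\n",
        "www/img/cache.php": "<?php\n@eval(gzinflate(base64_decode('" + "QUFB" * 60 + "')));\n",
        "www/modules/x.php": "<?php\n$p = $_POST['p'];\n$f = str_rot13($p);\neval($f);\n",
        "www/README.txt": "not php, never scanned\n",
    }
    for relative, body in fixtures.items():
        full = os.path.join(root, relative)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_web_root()
    for finding in hunt_web_shells(sample_root):
        print(f"{finding.path}: {', '.join(finding.markers)}")
```

On a real host the script would be pointed at the Centreon web root and the findings cross-checked against package-manager file hashes and file modification times; the marker table is deliberately conservative, so a hit is a triage lead to inspect by hand, not proof of compromise.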
At the end of 2020, the US Department of Justice indicted six Russian citizens alleged to be members of the Sandworm group.
US authorities claim that all of the defendants serve in Unit 74455 of Russia's Main Intelligence Directorate and, on the orders of the Russian government, carried out cyberattacks aimed at destabilizing other countries, interfering in their domestic politics, and causing damage and monetary losses.
The US Department of Justice links the Sandworm group to attacks on critical infrastructure in Ukraine, the French elections, the Pyeongchang Olympic Games, the development of the NotPetya ransomware and other incidents.