News

French authorities blame Sandworm hack group for Centreon attacks

The French National Agency for Information Systems Security (ANSSI) said that a group of Russian “government” hackers Sandworm (aka Telebots, BlackEnergy, Voodoo Bear) was behind a three-year operation with attacks on several French organizations using Centreon monitoring software.

The agency’s report says that the attacks mainly affected various IT providers (especially hosters). The first victim was compromised at the end of 2017.

As mentioned above, the hacks that have occurred are associated with the Centreon monitoring platform that developed same-named French company. In essence, this product is almost identical in functionality to SolarWinds’ Orion platform, which was reported to have been compromised last December.

Centreon’s clients include many well-known organizations, as Airbus, Air France, KLM, Agence France-Presse (AFP), Euronews, Orange, Arcelor Mittal, Sephora and even the French Ministry of Justice.

“The attackers attacked Centreon systems accessible over the Internet, but it remains unclear whether the hackers exploited some vulnerability in Centreon or brute-force passwords for administrator accounts”, – write ANSSI experts.

We only know that many of the victims were using the latest versions of Centreon, and what happened was not a supply chain attack, as in the case of SolarWinds.

If the attack was successful, the attackers infected the system with the PAS web shell and the Exaramel backdoor Trojan, which ensured full control of the compromised system and the adjacent network.



ANSSI is now urging all French and international organizations to check their Centreon installations and systems for compromise and the presence of PAS and Exaramel malware.

Sandworm Reference:

At the end of 2020, the US Department of Justice indicted six Russian citizens that were allegedly a part of the Sandworm group.

The American authorities claim that all the defendants serve in unit 74455 of the Main Intelligence Directorate of Russia (Unit 74455) and, on the orders of the Russian government, have carried out cyberattacks with the aim of destabilizing other countries, interfering in their domestic politics, causing damage and monetary losses.

The US Department of Justice connects the Sandworm grouping with attacks on critical infrastructure in Ukraine, elections in France, the Olympic Games in Pyeongchang, the development of the NotPetya ransomware and other incidents.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

21 hours ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

21 hours ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

21 hours ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

21 hours ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

21 hours ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

21 hours ago