French authorities blame Sandworm hack group for Centreon attacks

The French National Agency for Information Systems Security (ANSSI) said that a group of Russian “government” hackers Sandworm (aka Telebots, BlackEnergy, Voodoo Bear) was behind a three-year operation with attacks on several French organizations using Centreon monitoring software.

The agency’s report says that the attacks mainly affected various IT providers (especially hosters). The first victim was compromised at the end of 2017.

As mentioned above, the hacks that have occurred are associated with the Centreon monitoring platform that developed same-named French company. In essence, this product is almost identical in functionality to SolarWinds’ Orion platform, which was reported to have been compromised last December.

Centreon’s clients include many well-known organizations, as Airbus, Air France, KLM, Agence France-Presse (AFP), Euronews, Orange, Arcelor Mittal, Sephora and even the French Ministry of Justice.

“The attackers attacked Centreon systems accessible over the Internet, but it remains unclear whether the hackers exploited some vulnerability in Centreon or brute-force passwords for administrator accounts”, – write ANSSI experts.

We only know that many of the victims were using the latest versions of Centreon, and what happened was not a supply chain attack, as in the case of SolarWinds.

If the attack was successful, the attackers infected the system with the PAS web shell and the Exaramel backdoor Trojan, which ensured full control of the compromised system and the adjacent network.

ANSSI is now urging all French and international organizations to check their Centreon installations and systems for compromise and the presence of PAS and Exaramel malware.