Cyberattack hits French companies, with accusations against Russia
A new report from France’s cybersecurity agency reveals attacks by a Russian state hacking group against French IT companies that run Centreon servers.
France’s cybersecurity agency said that a group of Russian military hackers known as Sandworm was behind a three-year operation in which they penetrated the internal networks of several French entities that run Centreon servers for IT monitoring.
Centreon is an IT resource monitoring platform developed by the French company of the same name, and a product similar in functionality to the Orion platform of the US company SolarWinds.
The attacks were detailed in a technical report released today by the Agence Nationale de la Sécurité des Systèmes d’Information, better known as ANSSI, the country’s main cybersecurity agency.
“This campaign has mostly affected IT providers, especially web-hosting providers,” ANSSI officials said today, adding, “The first victim appears to have been compromised from late 2017. The campaign continued until 2020, and the entry point into victims’ networks was linked to the Centreon software.”
ANSSI said the attackers targeted Centreon systems that were left exposed to the internet. Even at the time of writing, the agency was unable to determine whether the attackers exploited a security flaw in the Centreon software or simply guessed the passwords of administrator accounts.
Once inside, the attackers installed a web shell (identified in the report as P.A.S.), which let them come and go without the administrators noticing, together with a copy of the Exaramel backdoor trojan. Used together, these two strains of malware give the attackers full control of the compromised system and a foothold into the neighbouring network.
In a rare move, ANSSI said it was able to attribute these attacks to a hacking group well known in the cybersecurity industry under the name Sandworm.
In October 2020, the US Department of Justice indicted six Russian military officers for their participation in cyberattacks orchestrated by this group, and formally linked Sandworm to Unit 74455 of the Russian Main Intelligence Directorate (GRU), the military intelligence agency of the Russian armed forces.
Previous cyberattacks by this group include the disruption of the Ukrainian power grid in 2015 and 2016, the release of the NotPetya ransomware in 2017, attacks on the opening ceremony of the 2018 Winter Olympics in PyeongChang, South Korea, and the mass defacement of Georgian websites in 2019.
The Justice Department has also linked this group to earlier attacks against France, specifically the hack-and-leak campaign targeting French President Emmanuel Macron’s 2017 election campaign, commonly referred to as the Macron Leaks.
With today’s report, ANSSI is warning and urging French and international organizations to check their Centreon installations for the presence of these malware strains, since finding them would indicate that Sandworm compromised the organization in previous years.
Despite the similarities in functionality between Centreon and SolarWinds’ Orion, the Centreon attacks appear to have targeted internet-exposed Centreon servers directly rather than the software supply chain, so there is no indication that Centreon’s own build or update channel was tampered with.
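As a practical starting point for the check ANSSI is asking for, the following script (an added example, not code from the report or from Centreon) walks a Centreon web root and flags PHP files that carry generic web-shell traits: request parameters flowing straight into eval or command execution, a decode-then-eval wrapper, or a PHP file sitting in a directory that should only hold static assets. The indicator patterns, the static-directory list and the sample file tree are my own assumptions for illustration, not indicators published by ANSSI; a hit is a lead for manual review, not proof of compromise.

```python
import os
import sys
import re
import tempfile
from pathlib import Path

# Generic web-shell heuristics (assumptions for this example, not ANSSI IOCs).
# Each pattern caps the distance between the call and the request variable
# so an eval() at the top of a file and a $_POST far below do not pair up.
INDICATORS = {
    "request_to_eval": re.compile(
        r"\beval\s*\([^;]{0,200}\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "request_to_exec": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\("
        r"[^;]{0,200}\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "decode_then_eval": re.compile(
        r"\beval\s*\(\s*@?(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
}

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}
# Directories that should never contain executable PHP (assumed layout).
STATIC_DIRS = {"img", "images", "upload", "uploads", "tmp", "cache", "fonts"}


def indicators_in(text: str) -> list[str]:
    """Return the names of every indicator pattern that matches the file body."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root) -> dict[str, list[str]]:
    """Scan every PHP file under root; map relative path -> list of reasons."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in PHP_EXT:
                continue
            rel = p.relative_to(root)
            reasons = indicators_in(p.read_text(errors="replace"))
            # Check the path relative to the web root, not the absolute path,
            # so a temp dir like /tmp/... does not trip the static-dir rule.
            if any(part.lower() in STATIC_DIRS for part in rel.parent.parts):
                reasons.append("php_in_static_dir")
            if reasons:
                findings[rel.as_posix()] = reasons
    return findings


# Constructed sample web root: one legitimate-looking page, two planted
# shells (inert text, never executed) and a static asset that is skipped.
SAMPLES = {
    "centreon/index.php":
        "<?php\nrequire_once __DIR__ . '/bootstrap.php';\n"
        "$user = filter_input(INPUT_POST, 'username');\n",
    "centreon/img/.cache.php":
        "<?php @eval(base64_decode($_POST['x'])); ?>",
    "centreon/include/sh.php":
        "<?php echo system($_REQUEST['cmd']); ?>",
    "centreon/img/logo.png":
        "PNG placeholder, not PHP",
}


def build_sample_tree() -> Path:
    """Write the constructed sample files into a fresh temp dir and return it."""
    root = Path(tempfile.mkdtemp(prefix="centreon-scan-"))
    for rel, body in SAMPLES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    # Usage: python scan_webroot.py /path/to/centreon/www  (defaults to the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, reasons in sorted(scan_tree(target).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Run it against the real web root of the Centreon host (typically as an unprivileged user, on a copy or read-only mount if the box is being preserved for forensics) and triage every hit by hand; a shell with encoded or split strings will evade these patterns, so treat a clean run as necessary but not sufficient.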