Hackers compromised the servers of at least 15 French companies. According to the French cybersecurity agency ANSSI, there are parallels to the way the Russian military hacker group Sandworm works.
While the rest of the world is still assessing the damage caused by the SolarWinds hack, France has now announced a cyber attack of potentially similar scope that apparently went undetected for a full three years. The first victims were hacked at the end of 2017, and further attacks followed through 2020. This emerges from a report by the French cybersecurity agency ANSSI.
The entry point was apparently a piece of software called Centreon
According to ANSSI, a group of hackers successfully compromised the servers of various French companies that were running the monitoring software of the same name from a French IT company called Centreon. Centreon’s customers include many French government agencies, among them the Ministry of Justice, and, according to the service provider’s website, some of the country’s largest companies, including Airbus, Air France KLM, ArcelorMittal and the telecommunications providers Orange and Opticomm.
In a statement from Tuesday obtained by Wired, a company spokesman made clear that there are no actual Centreon customers among the victims of the attack. The roughly 15 targets counted by ANSSI all used an open source version of Centreon’s software that has not been supported for five years. In addition, the victims had deployed it insecurely.
Parallels to the Russian military hacker group Sandworm
The cybersecurity agency explicitly does not attribute the hack to any organization, but according to the agency the techniques used are similar to those of the Russian military hacking group “Sandworm”, also known as Unit 74455. The ANSSI report does not reveal how the group was able to penetrate the servers. Once inside, the hackers used webshells – malicious scripts that allow attackers to control a compromised system remotely.
Specifically, two different pieces of malware were identified on the servers: a publicly available backdoor called PAS and another called Exaramel, which the Slovak cybersecurity firm ESET had previously identified as a tool used by Sandworm in earlier attacks. It is not uncommon for hacker groups to reuse malware and techniques from other hackers, and doing so is a popular tactic for misleading investigations. However, the command and control server used in the Centreon campaign also overlapped with previous Sandworm attacks, which corroborates the suspicion of a connection to Sandworm. The rest of the approach also fits the group: “It is common knowledge that Sandworm carries out several successive attacks before it focuses on selected targets within the victim pool that correspond to strategic interests. The observed campaign fits this behavior.”
Sandworm has become notorious in recent years through a range of criminal activities, including the attempt to tamper with the French elections in 2017, countless ransomware attacks on American companies and the attempt to hack the 2018 Olympic Games in Pyeongchang. As recently as last October, half a dozen Russian intelligence officers were charged by the US Justice Department for their involvement in the group’s crimes.