The French national cyber-security agency has linked a series of attacks that resulted in the breach of multiple French IT providers over a span of four years to the Russian-backed Sandworm hacking group.
ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) has not been able to determine how the servers were compromised.
Therefore, it is not yet clear if the attackers exploited a vulnerability in the exposed Centreon software or the victims were compromised through a supply chain attack.
“The first victim seems to have been compromised from late 2017. The campaign lasted until 2020,” ANSSI said in a report published today.
“This campaign mostly affected information technology providers, especially web hosting providers.”
Backdoors deployed on hacked servers
ANSSI discovered that the attackers deployed Exaramel and PAS web shell (aka Fobushell) backdoors when analyzing compromised servers on the networks of impacted organizations.
To deploy the malicious tools on the victims’ Internet exposed servers, the threat actors targeted the Centreon IT monitoring software.
Centreon’s customer list includes several high-profile organizations including Airbus, Air France KLM, Agence France-Presse (AFP), Euronews, Orange, Arcelor Mittal, Sephora, and even the French Ministry of Justice.
The attackers used public and commercial VPN and anonymization services when connecting to the backdoors including the Tor network, EXpressVPN, VPNBook, and PrivateInternetAccess (PIA).
According to the French cyber-security agency, the campaign shows several similarities to behavior observed while analyzing previous Sandworm attacks, including intrusion campaigns before choosing one of the victims for further compromise.
ANSSI also said that the command and control infrastructure used by the threat actors to control malware deployed on victims’ compromised machines were known as being Sandworm-controlled servers.
Compromise vector not yet known
ANSSI has not been able to determine how the servers were compromised, so it is not clear if the attackers exploited a vulnerability in the exposed Centreon software or the victims were compromised through a supply chain attack.
“Compromised servers identified by ANSSI ran the CENTOS operating system. Centreon was recently updated,” ANSSI added.
“The most recent installation version studied by ANSSI was 2.5.2. The initial compromise method is not known.”
Additionally, the French cyber-security agency was not able to find the Exaramel backdoor binary’s origin.
ANSII provides indicators of compromise (IOCs) and Yara rules for administrators who want to analyze their systems for signs of intrusion.
Sandworm (also tracked as BlackEnergy and TeleBots) is an elite Russian backed cyberespionage group active since the mid-2000s, with members believed to be military threat actors part of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
This group is linked to the BlackEnergy malware behind the Ukrainian blackouts of 2015 and 2016 [1, 2, 3], and the KillDisk wiper attacks targeting Ukrainian banks.
Sandworm hackers have also created the NotPetya ransomware that inflicted billions worth of damage to companies around the world starting with June 2017.
In October 2020, the U.S. Justice Department charged six Sandworm operatives for hacking operations related to the Pyeongchang Winter Olympics, the 2017 French elections, and the NotPetya ransomware attack.