France ties Russia's Sandworm to a years-long hacking spree


The logo of the French national cybersecurity agency, Agence Nationale de la Securite des Systemes d'Information (ANSSI), taken at the ANSSI headquarters in Paris.

The Russian military hackers known as Sandworm, who are responsible for everything from power outages in Ukraine to NotPetya, the most destructive malware in history, have no reputation for discretion. Yet a French security agency is now warning that hackers using tools and techniques linked to Sandworm quietly broke into targets in France by exploiting an IT monitoring tool called Centreon, and apparently went undetected for three years.

On Monday, the French information security agency ANSSI published a warning that hackers with ties to Sandworm, a group within Russia's GRU military intelligence service, had breached several French organizations. The agency describes these victims as "mostly" IT companies and especially web hosting companies. Notably, according to ANSSI, the intrusion campaign dates back to the end of 2017 and lasted until 2020. In these breaches, the hackers appear to have compromised servers running Centreon, software sold by the Paris-based company of the same name.

Although ANSSI says it has been unable to determine how these servers were hacked, it found two different pieces of malware on them: a publicly available backdoor called PAS and another called Exaramel, which the Slovak cybersecurity firm Eset has previously observed Sandworm using in earlier intrusions. While hacking groups do reuse each other's malware, sometimes deliberately to mislead investigators, the French agency says the command-and-control servers used in the Centreon hacking campaign overlap with those used in previous Sandworm hacking incidents.

While it is far from clear what the Sandworm hackers might have been after in the years-long French hacking campaign, any Sandworm intrusion sets off alarms among those who have seen the results of the group's previous work. "Sandworm has been linked to destructive operations," says Joe Slowik, a researcher with security firm DomainTools who has followed Sandworm's activities for years, including an attack on the Ukrainian power grid involving an early variant of Sandworm's Exaramel backdoor. "While there is no known endgame related to this campaign documented by the French authorities, the fact that it is taking place is worrying, as the ultimate goal of most Sandworm operations is to have a noticeable disruptive effect. We should be careful."


ANSSI did not identify the victims of the hacking campaign. However, one page of the Centreon website lists customers including the telecommunications providers Orange and OptiComm, the IT consultancy CGI, the defense and aerospace company Thales, the steel and mining company ArcelorMittal, Airbus, Air France KLM, the logistics company Kuehne + Nagel, the nuclear power company EDF and the French Ministry of Justice.

Centreon customers spared

However, in a statement emailed Tuesday, a Centreon spokesman wrote that no actual Centreon customers were affected by the hacking campaign. Instead, the company stated that the victims were running an open source version of Centreon software that the company has not supported for more than five years, and argued that it was deployed insecurely, including by allowing connections from outside the corporate network. The statement also points out that ANSSI counted "only about 15" targets of the intrusions. "Centreon is currently contacting all of its customers and partners to help them check that their installations are up to date and that they are complying with the ANSSI guidelines for a healthy information system," the statement said. "Centreon recommends that all users who still have an outdated version of their open source software in production update it to the latest version or contact Centreon and its network of certified partners."

Some in the cybersecurity industry immediately interpreted the ANSSI report as pointing to yet another software supply chain attack like the one carried out against SolarWinds. In that extensive hacking campaign, disclosed late last year, Russian hackers modified the company's IT monitoring application and breached a still-unknown number of networks, including at least half a dozen US federal agencies.

However, the ANSSI report does not mention any supply chain compromise, and Centreon states in its statement that "this is not a supply chain-type attack and in this case no parallel can be drawn with other attacks of this type". Instead, according to Slowik of DomainTools, the intrusions appear to have been carried out simply by exploiting Internet-connected servers running Centreon software on the victims' networks. He points out that this would match another warning about Sandworm issued by the NSA in May last year: the agency warned that Sandworm was hacking Internet-connected computers by exploiting the Exim mail transfer agent running on Linux servers. Since the Centreon software runs on CentOS, which is also based on Linux, the two advisories point to similar behavior over the same period. "Both campaigns were used in parallel over the same period of time to identify outward-facing, vulnerable servers that happened to be running Linux for initial access or movement within victim networks," says Slowik. (Unlike Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have yet to be definitively linked to a specific intelligence agency, although security firms and US intelligence agencies have attributed the hacking campaign to the Russian government.)


"Caught on impact"

Although Sandworm has focused many of its most notorious cyberattacks on Ukraine, including the NotPetya worm, which spread from Ukraine and caused $10 billion in damage worldwide, the GRU has historically not been shy about aggressively hacking French targets. In 2016, GRU hackers posing as Islamic extremists destroyed the network of the French television broadcaster TV5 and took its 12 channels off the air. The following year, GRU hackers, including Sandworm, carried out an email hack-and-leak operation to sabotage the presidential campaign of French candidate Emmanuel Macron.

While the hacking campaign described in the ANSSI report does not appear to have produced such disruptive effects, the Centreon intrusions should serve as a warning, says John Hultquist, vice president of intelligence at the security firm FireEye, whose research team first named Sandworm in 2014. Hultquist notes that FireEye has not independently attributed the intrusions to Sandworm, but he also warns that it is too early to say the campaign is over. "This could be a news gathering, but Sandworm has a long history of activity that we need to consider," says Hultquist. "Every time we find Sandworm with open access over a long period of time, we have to adjust to the impact."

This story originally appeared on


Steven Gregory