Application Security , Cybercrime , Cyberwarfare / Nation-State Attacks

France Ties 3-Year Hacking Campaign to Russia's Sandworm

Unpatched, Open-Source Versions of Centreon IT Monitoring Tool Hacked, CERT-FR Says
France Ties 3-Year Hacking Campaign to Russia's Sandworm
Alert from CERT-FR, which is the French government's computer emergency readiness team

French cybersecurity authorities are warning that widely used, open-source IT monitoring software called Centreon appears to have been targeted by Russian hackers. But unlike the SolarWinds supply chain attack, in this campaign, attackers appear to have hacked outdated, unpatched versions of the software.

See Also: Healthcare in The Cloud: Detecting and Overcoming Threats to Ensure Continuity & Compliance

The Centreon open-source IT network monitoring tool is developed by the Paris-based company of the same name.

The National Cybersecurity Agency of France, known as ANSSI, says that the campaign has resulted in the breach of at least several French organizations for a period of up to three years.

"This campaign mostly affected IT service providers, especially web hosting providers," according to a security alert issued Monday by ANSSI's CERT-FR, which is the French government's computer emergency readiness team. The alert includes indicators of compromise that all organizations can use to help detect and block similar attacks.

Centreon also sells a commercial version of the tool, which is not the focus of the alert.

A spokesman for Centreon tells Information Security Media Group that the open-source version the attackers targeted appears to date from 2014 or 2015. "So that's something quite striking here - that the users had not updated their versions."

Hacked versions of the software also had "non-Centreon-designed files" added to the installations, the spokesman says, adding that the victims also appeared to have configured the system running the monitoring software for remote access, without appropriate safeguards. "This is against the recommendations of the industry and Centreon itself; we recommend to only use a VPN."

The Centreon spokesman says no commercial clients were hit by this malware or breach. "We also recommend that users respect these recommendations at all times: update their versions; if you do not use commercial versions, then use security software in addition to your open source software; and do not do monitoring with internet access to that system enabled."

German cyberespionage expert Timo Steffens likewise says that based on ANSSI's alert, the Centreon-targeting campaign appears to have targeted unpatched systems, rather than sneaking malware into the organization's software development pipeline. That latter tactic has been tied to last year's SolarWinds supply chain attack, in which suspected Russian espionage hackers apparently sneaked their "Sunburst" backdoor code into the company's software development pipeline, after which it was installed by up to 18,000 users implementing updates.

Hackers Dropped Webshell

A 40-page report in French, released Monday by ANSSI, although dated Jan. 27, further describes the attack campaign and countermeasures.

Authorities say the first known victim of the Centreon-targeting campaign was compromised in late 2017, and the campaign ran until last year, when it was discovered. CERT-FR says malware discovered on systems inside affected organizations has been seen before, including malicious Linux code that's been dubbed Exaramel by security firm ESET.

"On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet," CERT-FR says. "This backdoor was identified as being the PAS webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel."

The alert adds: "This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm."

Finding malware that has previously been used by attackers is insufficient to attribute any further use of that malware to the same group of attackers. But ANSSI's naming of Sandworm is an indication that it suspects the group was, in fact, involved.

Persistent, Remote Access

The PAS webshell has previously been used by alleged Russian attackers, for example, as part of the Grizzly Steppe APT campaign that employed BlackEnergy and other malware, ESET and other security firms have said.

"The PAS web shell is in the category of full-featured PHP web shells that are used by attackers after initial exploitation in order to maintain persistent access to a compromised web portal," according to the SpiderLabs research team at security firm Trustwave.

Packet trace showing a TCP reverse_connect backdoor communication tied to an apparent PAS webshell infection previously investigated by Trustwave (Source: Trustwave SpiderLabs)

Russia's Sandworm Hacking

Sandworm is a Russian government hacking team with a penchant for destructive attacks that is part of the GRU military intelligence agency. GRU Unit 74455, as it's officially known, is also called TeleBots, Voodoo Bear and Iron Viking.

Alleged Russian GRU - aka Sandworm - agents indicted in October 2020 (left to right, top row first): Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko and Petr Pliskin (Source: U.S. Justice Department)

In a federal indictment unsealed in October 2020, U.S. authorities accused members of GRU Unit 74455 of being directly involved in numerous attacks, including the 2017 NotPetya fake ransomware attack, attempts to disrupt the 2018 Winter Olympics and 2020 Summer Olympics as well as attacks against organizations investigating Russia's 2018 Novichok attack on British soil.

Russian authorities dismissed those allegations as an attempt to smear Moscow.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.