The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don't have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon, and appear to have gotten away with it undetected for as long as three years.
On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia's GRU military intelligence agency, had breached several French organizations. The agency describes those victims as "mostly" IT firms, and particularly web-hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the Paris-based firm of the same name.
Though ANSSI says it hasn't been able to determine how those servers were hacked, it found on them two different pieces of malware: one publicly available backdoor called PAS, and another known as Exaramel, which the Slovak cybersecurity firm ESET has observed Sandworm using in previous intrusions. Hacking groups do reuse one another's malware, sometimes deliberately to mislead investigators, but the French agency also says it has seen overlap between the command-and-control servers used in the Centreon campaign and those used in earlier Sandworm incidents.
Though it's far from clear what Sandworm's hackers might have intended in the yearslong French hacking campaign, any Sandworm intrusion raises alarms among those who have seen the results of the group's past work. "Sandworm is linked with destructive ops," says Joe Slowik, a researcher at security firm DomainTools who has tracked Sandworm's activities for years, including an attack on the Ukrainian power grid in which an early variant of Sandworm's Exaramel backdoor appeared. "Even though there's no known endgame linked to this campaign documented by the French authorities, the fact that it's taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention."
ANSSI did not identify the victims of the hacking campaign. But a page on Centreon's website lists customers including telecom providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, logistics firm Kuehne + Nagel, nuclear power utility EDF, and the French Ministry of Justice.
Centreon customers spared
In an emailed statement Tuesday, however, a Centreon spokesperson wrote that no actual Centreon customers were affected by the hacking campaign. Instead, the company says the victims were running an open source version of Centreon's software that the company has not supported for more than five years, and it argues that those installations were deployed insecurely, including by allowing connections from outside the organization's network. The statement also notes that ANSSI counted "only about 15" targets of the intrusions. "Centreon is currently contacting all of its customers and partners to assist them in verifying their installations are current and complying with ANSSI's guidelines for a Healthy Information System," the statement adds. "Centreon recommends that all users who still have an obsolete version of its open source software in production update it to the latest version or contact Centreon and its network of certified partners."
Some in the cybersecurity industry immediately read the ANSSI report as describing another software supply chain attack of the kind carried out against SolarWinds. In that massive hacking campaign, revealed late last year, Russian hackers tampered with that firm's IT monitoring software and used it to penetrate a still-unknown number of networks, including those of at least half a dozen US federal agencies.
But ANSSI's report does not mention a supply chain compromise, and Centreon writes in its statement that "this is not a supply chain type attack and no parallel with other attacks of this type can be made in this case." In fact, DomainTools' Slowik says the intrusions instead appear to have been carried out simply by exploiting Internet-facing servers running Centreon's software inside the victims' networks. He points out that this would align with another warning about Sandworm that the NSA published in May of last year: the intelligence agency warned that Sandworm was hacking Internet-facing machines running the Exim mail transfer agent, which runs on Linux servers. Given that Centreon's software runs on CentOS, which is also Linux-based, the two advisories point to similar behavior during the same timeframe. "Both of these campaigns in parallel, during some of the same period of time, were being used to identify externally facing, vulnerable servers that happened to be running Linux for initial access or movement within victim networks," Slowik says. (In contrast with Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have yet to be definitively linked to any specific intelligence agency, though security firms and the US intelligence community have attributed that campaign to the Russian government.)
“Brace for impact”
Although Sandworm has focused many of its most notorious cyberattacks on Ukraine, including the NotPetya worm that spread from Ukraine to cause $10 billion in damage globally, the GRU hasn't shied away from aggressively hacking French targets in the past. In 2015, GRU hackers posing as Islamic extremists destroyed the network of France's TV5Monde television network, taking its 12 channels off the air. In 2017, GRU hackers including Sandworm carried out an email hack-and-leak operation intended to sabotage the presidential campaign of Emmanuel Macron.
While no such disruptive effects appear to have resulted from the hacking campaign described in ANSSI's report, the Centreon intrusions should serve as a warning, says John Hultquist, vice president of intelligence analysis at security firm FireEye, whose team of researchers first named Sandworm in 2014. He notes that FireEye has yet to attribute the intrusions to Sandworm independently of ANSSI, but also cautions that it's too early to say the campaign is over. "This could be intelligence collection, but Sandworm has a long history of activity we have to consider," says Hultquist. "Any time we find Sandworm with clear access over a long period of time, we need to brace for impact."
This story originally appeared on wired.com.