The French Cybersecurity Agency has issued a security advisory stating that state-sponsored Russian hackers installed malicious software in Centreon’s IT monitoring tool to target organizations worldwide. Centreon said the hackers targeted an obsolete open-source version of the software which hasn’t been supported for five years.
Earlier this week, French National Cybersecurity Agency (ANSSI) said that Centreon, a Paris-headquartered global IT monitoring solutions provider, and its customers were targeted in a 4-years-long attack campaign perpetrated by state-sponsored Russian hackers. The attacks began in 2017 and involved malicious actors targeting Centreon’s flagship software which is used widely for IT resource monitoring.
According to ANSSI, the malicious hacking campaign seems to be the work of a Russian government-backed entity known as Sandworm. During its investigations into the cyberattacks, the cybersecurity agency discovered the Exaramel backdoor used only by Sandworm APT in previous hacking campaigns.
6/9 Hades / Sandworm is the only known group that uses Exaramel. Exaramel has code similarities with the Industroyer main backdoor. The report does not include other public links to Hades / Sandworm.
— Costin Raiu (@craiu) February 16, 2021Opens a new window
As describedOpens a new window by cybersecurity firm ESET, Exaramel backdoor is used by attackers to establish secure communications with a command and control server through encryption and enables hackers to execute commands remotely.
During its investigations, ANSSI also discovered P.A.S. webshell, a PHP malware previously deployedOpens a new window  in the Russian state-sponsored interference of 2016 U.S. elections. But since P.A.S. webshell is available for anyone to download from dark web hacker forums, ANSSI could not accurately attribute its deployment to any particular hacker group. Nevertheless, this was clearly an attempt at illegal surveillance of corporations, otherwise known as cyber espionage.
The Centreon IT monitoring software is used by organizations worldwide to monitor applications, networks, and systems. However, the company said that the 4-years-long campaign carried out by Russian hackers only affected 15 users of the I.T. monitoring platform. “According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and that they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years,†the company said.
See Also: National Finance Center Targeted by Chinese Actors Using SolarWinds Exploit
Centreon’s customers include Airbus, Air France, Orange, Arcelor Mittal, Euronews, Agence France-Presse (AFP), and multiple French government organizations.
“The ANSSI report and our exchanges with them confirm that Centreon did not distribute or contribute to propagate malicious code. This is not a supply chain type attack and no parallel with other attacks of this type can be made in this case,†Centreon said, likely referring to the 2020 SolarWinds hack which resulted in the compromise of systems and networks of hundreds of organizations, including several U.S. Federal departments.Â
Sandworm has been using webshells and the Linux version of the backdoor Exaramel against French entities undetected for more than three years.
Initial attack vector is unclear, but malware was found on servers running Centreon (vulnerability more likely than supply-chain).
— Timo Steffens (@Timo_Steffens) February 15, 2021Opens a new window
Opens a new window
Centreon Attack TTPs | Source: ANSSI
In its report, ANSSI accused the Russian GRU-linked Sandworm APT group of a deviation from its usual non-attribution policy. The Russian GRU was also blamed for an attack on the French TV stationOpens a new window  TV5Monde in April 2015, forcing it to go off the air. In 2020, six GRU officers were chargedOpens a new window  by the U.S. Department of Justice with disrupting the 2017 French elections, among other charges.
Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!