The Centreon IT monitoring software has been compromised by the “Sandworm group,” a group of Russian military hackers.
Russian hackers have a notorious history of taking part in prominent cyberattacks. Possibly the greatest of them all was the one uncovered in the latter part of last year, when the U.S. cybersecurity firm FireEye, which develops offensive security tooling, found that its own systems had been compromised. This breach, which went largely unreported throughout 2020, was carried out by the Russian group Cozy Bear, also known as APT29.
Add to that the recent breach that the French cybersecurity agency ANSSI (Agence nationale de la sécurité des systèmes d'information) attributes to Russian military hackers. The operation, which broke into the internal networks of many French organizations through the Centreon IT monitoring software, appears to have been carried out by the hackers known as the Sandworm group.
According to ZDNet, the hackers gained access to the internal networks through Centreon, an IT resource monitoring platform created by the French company CENTREON. The platform is comparable to the Orion platform from SolarWinds in the US, which was breached last year. The intruders compromised Centreon systems that were still exposed to the internet, but it is not clear whether they simply guessed passwords for admin accounts or exploited a technical flaw.
Successful intrusions were followed by the installation of the Exaramel backdoor trojan and the P.A.S. web shell. Together, they gave the hackers complete access to the infected system and its surrounding network. The P.A.S. web shell was widely used during the operation, according to Kaspersky Lab (e.g., /usr/local/centreon/www/search.php).
ANSSI used the cross-platform backdoor Exaramel to attribute the attacks to the Sandworm group, since this malware appears to be used exclusively by that one group. Six Russian military officers were formally indicted by the US Department of Justice in October 2020 for taking part in cyberattacks planned by this group.
The group has previously been associated with the following cyberattacks:
Power grid outages in Ukraine in 2015 and 2016
The 2017 NotPetya ransomware outbreak
The attack on the opening ceremony of the 2018 Winter Olympics in Pyeongchang
Widespread defacement of Georgian websites in 2019
Spear-phishing campaigns targeting French President Macron's political party, "La République En Marche"
Security professionals think the current operation appears to be a traditional cyber-espionage operation, with data exfiltration as its primary goal. In light of these malware strains, ANSSI is now alerting French and foreign organizations to closely check their Centreon installations. Given the current increase in cyberattacks on hosting companies, it appears that the attackers' main goal is to reach email servers, which are frequently hosted by, or bundled with, web hosting packages.
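One concrete way to act on ANSSI's advice to check Centreon installations is a file-integrity audit of the Centreon web root, the directory where the P.A.S. web shell was reported (/usr/local/centreon/www): any file that is not in a known-good baseline, or whose hash has changed, deserves a look. The Python below is an added example written for this page, not code from ANSSI, Centreon, or the original article. It assumes the operator can take a baseline from a clean install; the baseline and the "post-compromise" tree here are constructed in a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Real-world target from the report; the demo below uses a temporary directory instead.
CENTREON_WEB_ROOT = "/usr/local/centreon/www"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: str) -> dict:
    """Hash every regular file under web_root, keyed by its path relative to web_root.
    Run this against a known-clean installation and keep the result off the host."""
    root = Path(web_root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def audit_web_root(web_root: str, baseline: dict) -> dict:
    """Compare the current tree against the baseline.
    unexpected: present now but absent from the baseline (the web-shell case)
    modified:   present in both but the hash differs (a tampered legitimate file)
    missing:    in the baseline but gone now"""
    current = build_baseline(web_root)
    unexpected = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return {"unexpected": unexpected, "modified": modified, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then drop in an unexpected PHP file
    and alter a legitimate one, and see what the audit reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // constructed placeholder for a legitimate file\n")
        (root / "include").mkdir()
        (root / "include" / "common.php").write_text("<?php // constructed placeholder\n")
        baseline = build_baseline(tmp)

        # Simulated post-compromise state (constructed; the file name mirrors the
        # location named in the report, the content is a harmless placeholder).
        (root / "search.php").write_text("<?php // constructed stand-in for an unexpected file\n")
        (root / "index.php").write_text("<?php // constructed placeholder, now altered\n")
        return audit_web_root(tmp, baseline)


if __name__ == "__main__":
    # Against a live host you would call audit_web_root(CENTREON_WEB_ROOT, saved_baseline).
    print(demo())
```

A hash baseline taken after the intrusion would obviously enshrine the web shell, so the baseline must come from a clean install or from the vendor's package manifest; where Centreon was installed from a distribution package, the package manager's own verification (for example `rpm -V` on RPM systems) gives a similar "modified file" view without a hand-built baseline. Neither check detects a backdoor that lives outside the web root, which is why ANSSI's advice covers the whole installation and not just the PHP tree.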