France links Russian Sandworm to multi-year hacking frenzy

Russian military hackers known as Sandworm, responsible for everything from power outages in Ukraine to NotPetya, the most destructive malware in history, don’t have a reputation for being quiet. But a French security agency is now warning that hackers using Sandworm-related tools and techniques have stealthily broken into targets in that country through an IT monitoring tool called Centreon, and appear to have remained undetected for three years.

On Monday, the French information security agency ANSSI issued a warning that hackers with ties to Sandworm, a group within the Russian military intelligence agency GRU, had breached several French organizations. The agency describes these victims as “primarily” IT companies and in particular web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to the end of 2017 and continued until 2020. In these breaches, the hackers appear to have compromised servers running Centreon, sold by the Paris-based firm of the same name.

Although ANSSI says it was unable to identify how these servers were hacked, it found two types of malware on them: a publicly available backdoor called PAS, and another known as Exaramel, which the Slovak cybersecurity firm ESET had seen Sandworm use in previous intrusions. Because hacking groups reuse each other’s malware, sometimes intentionally to mislead investigators, the French agency also points to an overlap between the command and control servers used in the Centreon hacking campaign and those seen in previous Sandworm hacking incidents.

While it is far from clear what the Sandworm hackers might have been after in the years-long French hacking campaign, any intrusion by Sandworm raises alarm among those who have seen the results of the group’s previous work. “Sandworm is linked to destructive operations,” says Joe Slowik, a researcher for security firm DomainTools, who has followed Sandworm’s activities for years, including an attack on the Ukrainian power grid where an early variant of Sandworm’s Exaramel backdoor appeared. “Even though there is no known endgame associated with this campaign documented by French authorities, the fact that it is taking place is of concern, as the end goal of most Sandworm operations is to cause a noticeable disruptive effect. We need to be careful.”

ANSSI has not identified the victims of the hacking campaign. But a page on Centreon’s website lists customers such as telecommunications providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, the logistics company Kuehne + Nagel, the nuclear energy company EDF, and the French Ministry of Justice. It is not known if any of these clients had servers running Centreon exposed to the internet.

“It is in no way proven at this stage that the identified vulnerability concerns a commercial version provided by Centreon over the period in question,” Centreon said in an email statement, adding that it regularly publishes security updates. “We are not in a position to specify at this stage, a few minutes after the publication of the ANSSI document, whether the vulnerabilities reported by ANSSI have been the subject of one of these fixes.” ANSSI declined to comment beyond its initial advisory.

Some in the cybersecurity industry immediately interpreted the ANSSI report as pointing to yet another software supply chain attack of the kind carried out against SolarWinds. In that massive hacking campaign, revealed at the end of last year, Russian hackers modified the company’s IT monitoring application and used it to penetrate a still unknown number of networks, including at least half a dozen US federal agencies.

But the ANSSI report makes no mention of a supply chain compromise, and Slowik of DomainTools says the intrusions instead appear to have been carried out simply by exploiting internet-connected servers running Centreon software inside the victims’ networks. He points out that this would match another warning about Sandworm issued by the NSA in May of last year: the intelligence agency warned that Sandworm was hacking internet-connected machines running the Exim mail client, which runs on Linux servers. Since Centreon’s software runs on CentOS, which is also Linux based, both advisories describe similar behavior during the same period. “These two campaigns in parallel, during part of the same period of time, were used to identify vulnerable out-facing servers that were running Linux for initial access or movement within the victim networks,” Slowik explains. (Unlike Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have not yet been definitively linked to a specific intelligence agency, although security firms and the U.S. intelligence community have attributed the hacking campaign to the Russian government.)
