Russian hacking group involved in cyber spying campaign against French firms

A few weeks ago it emerged that servers running monitoring software from the technology company Centreon had been compromised by a hacking group linked to the Russian government, affecting an as yet undetermined number of users. In its most recent update on the incident, Centreon says that only organizations running outdated versions of the software were affected by the attack, which has been attributed to Sandworm.

It should be remembered that Sandworm, also known as BlackEnergy or TeleBots, is a sophisticated cyberespionage group that has been active for more than a decade. Experts believe the group operates within Unit 74455 of the GRU, Russia's military intelligence service. The group has been linked to major incidents such as the KillDisk attacks against Ukraine's power grid, and it is considered responsible for the destructive NotPetya malware, which posed as ransomware.

This announcement comes after ANSSI, the French cybersecurity agency, published a report detailing a series of security incidents in which a number of IT service providers were compromised over several years.

The agency reports that the first intrusion dates back to late 2017, with new attacks detected continuously until 2020. ANSSI found that all organizations compromised during this period were running Centreon's IT monitoring software. However, the agency has not been able to determine the initial attack vector used to compromise these servers and install the backdoor known as Exaramel.

In response to the report, Centreon states that none of its commercial customers were compromised by these attacks, since the incidents involved an outdated, free version of its software released in 2014. The company notes that eight further versions have been released since that vulnerable one: "There are about 15 organizations affected by this campaign, all operating an open source version that was discontinued five years ago," Centreon says.

Centreon also emphasizes that this was not a supply chain attack: the attackers did not abuse its platform to deliver malicious code onto customers' networks, as happened recently with SolarWinds. "ANSSI concluded that our servers were not abused for the distribution of malicious code," the company's statement adds.

ANSSI's report states that this campaign closely resembles earlier operations attributed to Sandworm, including techniques such as spam campaigns and preliminary intrusion stages carried out before the main attack. The agency also notes that the C&C servers controlling this malware operate in a manner consistent with previous Sandworm campaigns.