France's national cybersecurity agency, ANSSI, has recently confirmed that a group of Russian military hackers, known as the Sandworm group, was behind a three-year-long intrusion campaign.
In this campaign, the threat actors breached the internal networks of several French entities running the Centreon IT monitoring software. However, ANSSI has not been able to determine how the servers were compromised.
According to the report, it is not yet clear whether the threat actors exploited a vulnerability in Internet-exposed Centreon installations or compromised the victims through a supply chain attack.
Hackers deployed backdoors on the compromised servers
After investigating the compromised servers on these networks, ANSSI determined that the threat actors had deployed the Exaramel backdoor and the PAS web shell.
To reach the victims' internal networks, the threat actors targeted the Centreon IT monitoring software, and Centreon's customer list includes a number of high-profile organizations.
Those customers include Airbus, Air France KLM, Orange, Agence France-Presse (AFP), Euronews, ArcelorMittal, Sephora, and even the French Ministry of Justice.
Moreover, ANSSI also stated that the command and control infrastructure the attackers used to control the malware running on victims' compromised machines matched servers already known to be controlled by Sandworm.
The compromise vector is still unknown
Beyond this, ANSSI has not been able to determine how the servers were compromised, so it is still not clear whether the attackers exploited a vulnerability in exposed Centreon software or whether the victims were compromised through a supply chain attack.
ANSSI has, however, published IOCs and YARA rules for administrators who need to check their systems for signs of intrusion.
The most recent Centreon version that ANSSI studied was 2.5.2. Security experts have also attributed to the Sandworm group the NotPetya ransomware, which caused billions in damages to businesses around the globe.
Experts describe Sandworm as an elite Russian state-backed cyberespionage group that has been active since the mid-2000s. Its members are believed to be military operators belonging to Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST).
For this reason, the agency has published a set of recommendations to help organizations raise the bar against Sandworm and other APT groups. These include advanced patch management, server hardening, and limiting the exposure of monitoring systems.