Russian Sandworm Hackers Only Hit Orgs With Old Centreon Software
Centreon, the maker of the IT monitoring software exploited by Russian state hackers to infiltrate French companies’ networks, said today that only organizations using obsolete software were compromised.
Today’s Centreon press release comes after a report released on Monday by ANSSI, the French national cyber-security agency, describing a series of attacks that resulted in multiple French IT providers getting breached over four years.
ANSSI said that the first victim was compromised in late 2017, with the attackers continuing to target French information technology providers until 2020.
As revealed by ANSSI, every compromised server in this series of attacks was running Centreon's IT monitoring software. However, the agency could not determine the initial access vector the attackers used to break into the victims' servers and deploy the PAS web shell (aka Fobushell) and the Exaramel backdoor.
Not a supply-chain attack
Following ANSSI's report, Centreon says that none of its commercial customers were impacted by the attacks. The affected organizations were running an obsolete, free open-source version of its software released in 2014.
Centreon added that, since the outdated version was published, it has released eight more major versions.
“According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years,” Centreon said.
“The campaign described by ANSSI exclusively concerns obsolete versions of Centreon’s open source software. Indeed, the ANSSI specifies that the most recent version concerned by this campaign is version 2.5.2, released in November 2014.
“This version is not only no longer supported for more than 5 years, but has apparently also been deployed without respect for the security of servers and networks, including connections outside the entities concerned.”
The company also added that this was not a supply-chain attack, with the Russian hackers not using its IT platform to deliver malicious code onto Centreon customers’ servers.
“The ANSSI report and our exchanges with them confirm that Centreon did not distribute or contribute to propagate malicious code,” Centreon added. “This is not a supply chain type attack and no parallel with other attacks of this type can be made in this case.”
Centreon’s customer list includes high-profile organizations such as Airbus, Air France KLM, Agence France-Presse (AFP), Euronews, Orange, Arcelor Mittal, Sephora, and several French government orgs including the French Ministry of Justice.
Sandworm APT linked to the attacks
The French cyber-security agency found several similarities to previous Sandworm operations, including the group's habit of running broad intrusion campaigns first and only afterwards selecting which victims to compromise further.
ANSSI added that the command and control servers used to manage the malware deployed on the French victims' compromised machines were infrastructure already known to be controlled by Sandworm.
Sandworm (aka BlackEnergy and TeleBots) is an elite Russian state-sponsored cyberespionage group active for more than a decade, with members believed to be part of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST).
This group is linked to the attacks that caused the Ukrainian power blackouts of 2015 and 2016, the KillDisk wiper attacks targeting Ukrainian banks, and is believed to have also created NotPetya, the ransomware-styled wiper that caused billions of dollars in damage starting in June 2017.
The U.S. Justice Department charged six Sandworm operatives in October 2020 for hacking operations related to the NotPetya ransomware attack, the Pyeongchang Winter Olympics, and the 2017 French elections.