France Ties Russia’s Sandworm to a Multiyear Hacking Spree

The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don’t have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.

On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia’s GRU military intelligence agency, had breached several French organizations. The agency describes those victims as “mostly” IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris.

Though ANSSI says it hasn’t been able to identify how those servers were hacked, it found on them two different pieces of malware: one publicly available backdoor called PAS, and another known as Exaramel, which Slovakian cybersecurity firm ESET has spotted Sandworm using in previous intrusions. While hacking groups do reuse each other’s malware—sometimes intentionally to mislead investigators—the French agency also says it’s seen overlap in command and control servers used in the Centreon hacking campaign and previous Sandworm hacking incidents.

Though it’s far from clear what Sandworm’s hackers might have intended in the years-long French hacking campaign, any Sandworm intrusion raises alarms among those who have seen the results of the group’s past work. “Sandworm is linked with destructive ops,” says Joe Slowik, a researcher for security firm DomainTools who has tracked Sandworm’s activities for years, including an attack on the Ukrainian power grid where an early variant of Sandworm’s Exaramel backdoor appeared. “Even though there’s no known endgame linked to this campaign documented by the French authorities, the fact that it’s taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention.”

ANSSI didn’t identify the victims of the hacking campaign. But a page of Centreon’s website lists customers including telecom providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, logistics firm Kuehne + Nagel, nuclear power firm EDF, and the French Department of Justice. It’s unclear which if any of those customers had servers running Centreon exposed to the internet.

“It is in any case not proven at this stage that the identified vulnerability concerns a commercial version provided by Centreon over the period in question,” Centreon said in an emailed statement, adding that it regularly releases security updates. “We are not in a position to specify at this stage, a few minutes after the publication of the ANSSI document, whether the vulnerabilities pointed out by the ANSSI have been the subject of one of these patches.” ANSSI declined to comment beyond the initial advisory.

Some in the cybersecurity industry immediately interpreted the ANSSI report to suggest another software supply chain attack of the kind carried out against SolarWinds. In a vast hacking campaign revealed late last year, Russian hackers altered that firm’s IT monitoring application and it used to penetrate a still-unknown number of networks that includes at least half a dozen US federal agencies.

But ANSSI’s report doesn’t mention a supply chain compromise, and DomainTools’ Slowik says the intrusions instead appear to have been carried out simply by exploiting internet-facing servers running Centreon’s software inside the victims’ networks. He points out that this would align with another warning about Sandworm that the NSA published in May of last year: The intelligence agency warned Sandworm was hacking internet-facing machines running the Exim email client, which runs on Linux servers. Given that Centreon’s software runs on CentOS, which is also Linux-based, the two advisories point to similar behavior during the same timeframe. “Both of these campaigns in parallel, during some of the same period of time, were being used to identify externally facing, vulnerable servers that happened to be running Linux for initial access or movement within victim networks,” Slowik says. (In contrast with Sandworm, which has been widely identified as part of the GRU, the SolarWinds attacks have also yet to be definitively linked to any specific intelligence agency, though security firms and the US intelligence community have attributed the hacking campaign to the Russian government.)