As the U.S. continues to chart the damage from the sweeping “SolarWinds” hack, France has announced that it too has suffered a large supply chain cyberattack. The news comes via a recently released technical report published by the Agence Nationale de la sécurité des systèmes d’information—or simply ANSSI—the French government’s chief cybersecurity agency. Like the U.S., French authorities have implied that Russia is probably involved.
According to ANSSI, a sophisticated hacker group has successfully penetrated the Centreon Systems products, a French IT firm specializing in network and system monitoring that is used by many French government agencies, as well as some of the nation’s biggest companies (Air France, among others). Centreon’s client page shows that it partners with the French Department of Justice, Ecole Polytechnique, and regional public agencies, as well as some of the nation’s largest agri-food production firms.
While ANSSI did not officially attribute the hack to any organization, the agency says the techniques used bear similarities to those of the Russian military hacker group “Sandworm” (also known as Unit 74455). The intrusion campaign, which dates back at least to 2017, allowed the hackers to breach the systems of a number of French organizations, though ANSSI has declined to name the victims or say how many were affected.
While it is unclear from the report just how the hackers initially compromised Centreon, the report shows that, once inside, they used webshells to further their intrusion campaigns. Webshells are malicious scripts that allow a bad actor to remotely hijack a website or system and control it.
In Centreon’s case, the hackers used two different scripts, P.A.S. and Exaramel. Both acted as back doors that could allow the hacker to gain control of a website or system and control it remotely: “On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet,” the agency wrote. When used together, the scripts allowed a hacker total control over a compromised system.
The report also notes that the Examarel backdoor is identical to the one used in a different Sandworm campaign, and which had been previously identified by the French security firm ESET:
[ESET] noted the similarities between this backdoor and Industroyer that was used by the intrusion set TeleBots, also known as Sandworm . Even if this tool can be easily reused, the Command and Control infrastructure was known by ANSSI to be controlled by the intrusion set. Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fits its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour.
Sandworm has gained notoriety over the years both for its criminal activity and its political meddling. Last October, half a dozen Russian intelligence officers were indicted by the U.S. Department of Justice for their role in the hacker group’s crimes, including attempted interference in the 2017 French elections, “nearly one billion USD in losses” from ransomware attacks on American businesses, and attempts to hack the 2018 Olympics hosted in Pyeongchang.
While the scope and purpose of the “Centreon” campaign aren’t made clear in the ANSSI report, the parallels between it and the SolarWinds supply chain hack in the U.S. are clear. The bottom line? Third-party vendors pose immense security risks to large bureaucracies and corporate bodies. The question of how to effectively patch that institutional vulnerability, meanwhile, is yet to be satisfactorily answered.