Russia-linked state-sponsored threat actor known as Sandworm has been linked to a three-year-long stealthy operation to hack targets by exploiting an IT monitoring tool called Centreon.
The intrusion campaign — which breached “several French entities” — is said to have started in late 2017 and lasted until 2020, with the attacks particularly impacting web-hosting providers, said the French information security agency ANSSI in an advisory.
“On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet,” the agency said on Monday. “This backdoor was identified as being the PAS webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel.”
The Russian hacker group (also called APT28, TeleBots, Voodoo Bear, or Iron Viking) is said to be behind some of the most devastating cyber-attacks in past years, including that of Ukraine’s power grid in 2016, the NotPetya ransomware outbreak of 2017, and the Pyeongchang Winter Olympics in 2018.
While the initial attack vector is still unknown, the compromise of victim networks was tied to Centreon, an application and network monitoring software developed by a French company of the same name.
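The advisory's finding is a webshell dropped on internet-exposed Centreon servers. The following is an added example (not code from the article, ANSSI, or Centreon) of the kind of first-pass hunt a defender runs over a web root to surface candidate webshells: generic PHP heuristics (request-controlled input reaching eval/exec/decoding, stacked obfuscation calls) combined with a recent-modification flag. The patterns, thresholds, and the constructed sample web root are assumptions for illustration; they are not signatures for the PAS webshell named in the page, which the page does not provide.

```python
"""Generic PHP webshell hunt over a web root (illustrative, not from the advisory)."""
import re
import tempfile
import time
from pathlib import Path

# Generic constructs that warrant triage. Assumed heuristics, not PAS signatures.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode"),
    (re.compile(r"\b(?:system|shell_exec|passthru|popen|proc_open|exec)\s*\("), "exec"),
    (re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["), "request_input"),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), "obfuscation"),
]


def classify(source: str) -> list:
    """Return the labels of every suspicious construct present in the PHP source."""
    return [label for pat, label in SUSPICIOUS_PATTERNS if pat.search(source)]


def is_suspicious(hits: list) -> bool:
    """Flag when request input reaches execution/decoding, or when >= 3 constructs co-occur.

    A single hit (e.g. a sanitised $_GET read) is normal application code and is
    deliberately not flagged, to keep the triage list short.
    """
    if "request_input" in hits and ({"exec", "eval", "base64_decode"} & set(hits)):
        return True
    return len(hits) >= 3


def scan_webroot(root, recent_days: float = 30.0) -> list:
    """Walk the web root and return suspicious PHP files with their hits and age flag."""
    findings = []
    now = time.time()
    for path in Path(root).rglob("*.php"):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole hunt
        hits = classify(source)
        if not is_suspicious(hits):
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        findings.append({
            "path": str(path.relative_to(root)),
            "hits": hits,
            "recently_modified": age_days <= recent_days,
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot() -> str:
    """Construct a throwaway web root: one benign page and one planted webshell.

    The contents are constructed for this example only.
    """
    root = tempfile.mkdtemp(prefix="webroot_")
    # Benign: reads a request parameter but only echoes it after escaping.
    (Path(root) / "index.php").write_text(
        "<?php\n$page = htmlspecialchars($_GET['page'] ?? 'home');\n"
        "echo \"<h1>$page</h1>\";\n"
    )
    # Suspicious: request-controlled input decoded and evaluated (classic one-liner shape).
    (Path(root) / "uploads").mkdir()
    (Path(root) / "uploads" / "cache.php").write_text(
        "<?php\n@eval(base64_decode($_POST['c']));\n"
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for finding in scan_webroot(sample_root):
        print(finding)
```

In practice the recent-modification flag is compared against the deployment's own change window (package upgrades, config pushes), and any hit is confirmed by diffing the file against the vendor's shipped copy rather than by the heuristic alone.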