ANSSI, the French cyber security agency, has revealed how hackers working for Russia’s GRU targeted IT monitoring software provided by Centreon to compromise a large number of IT companies, web hosting providers and other organisations between 2017 and 2020.
By targeting the Centreon IT monitoring software, hackers associated with Sandworm, which is another name for the GRU’s Main Centre for Specialist Technologies (GTsST), were able to gain access to the IT systems of a large number of organisations that used Centreon products to monitor the functioning of their IT assets distributed worldwide.
ANSSI said in a security advisory this week that on compromised systems it observed the presence of “a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet.” That backdoor was identified as version 3.1.4 of the P.A.S. webshell; ANSSI also found a second backdoor, named Exaramel, on the affected servers.
Headquartered in Paris, Centreon is a major provider of IT monitoring software to organisations of all sizes worldwide, offering software solutions to companies in sectors such as financial services and insurance, industry, utilities, telecommunications, retail, transportation and logistics, tourism, media and government.
Centreon’s customers include the likes of Airbus, Air Caraïbes, AP-HP, Bosch Automotive Products China, BT, CGI, Encevo, FM Logistic, Genuine Parts Company, Groupama, Kuehne + Nagel USA, Luxottica, Ministère de la Justice français, New Zealand Police, Objectif Lune, Opticomm, Pixagility, PWC Russia, Salomon, Sanofi, Sephora, Sky Italia, Urgences Santé Qc, Viking Cruises, XR Trading, ZF Friedrichshafen AG.
According to its own figures, Centreon has approximately 720 corporate customers worldwide. In October last year, the company also began operating in the UK and Ireland to tap into the region’s growing IT operations market, which is expected to reach $3.4 billion by 2024.
In its advisory, ANSSI said Sandworm used public and private VPN services and various anonymisation tools to connect to the two backdoors, and that the group had operated a dedicated command-and-control infrastructure since 2017 to target the Centreon IT monitoring platform. The activity observed by ANSSI, together with earlier findings by security firm ESET linking the Exaramel backdoor to Sandworm, was consistent with previous campaigns conducted by the group against European organisations.
Recently, the European Council imposed a travel ban and an asset freeze on two operatives of Russia’s GRU, as well as on the GRU unit behind the hacker group known as Fancy Bear or APT28, for conducting a cyber attack on Germany’s Parliament in 2015.
The European Council announced the imposition of a travel ban and an asset freeze on Admiral Igor Kostyukov, the head of the Main Directorate of the General Staff of Russia’s armed forces and Dmitry Badin, a military intelligence officer attached to the Russian army’s 85th Main Centre for Special Services, also known as GTsSS.
As a member of GTsSS, the unit associated with APT28 (not to be confused with GTsST, the Sandworm unit), Dmitry Badin was also part of a team of Russian military intelligence officers who carried out the cyber attacks targeting the German Parliament in 2015. He is also a wanted man in the United States for attempting to influence the outcome of the 2016 US presidential elections and for targeting the servers of the World Anti-Doping Agency.
According to British Foreign Secretary Dominic Raab, the GRU’s Main Centre for Specialist Technologies (GTsST), also known as Sandworm and VoodooBear, targeted the 2018 Winter Games hosted by South Korea as well as the 2020 Tokyo Olympics.
His statement was based on the NCSC’s assessment that the GRU targeted the opening ceremony of the 2018 Winter Games while disguising itself as North Korean and Chinese hackers, and attempted to sabotage the Winter Olympic and Paralympic Games by deploying malware designed to wipe data from, and disable, computers and networks.