French agency reports exploits by hackers of Centreon software

In a report released on 15 February, France’s information security agency, the National Agency for the Security of Information Systems (Agence nationale de la sécurité des systèmes d'information: ANSSI), revealed that hackers had breached networks of “information technology providers, especially web hosting providers” using Centreon network monitoring software between 2017 and 2020. The report alleged that the activity bore the hallmarks of the ‘Sandworm’ intrusion set, credibly linked by the US Department of State to the Russian military’s Main Intelligence Directorate (Glavnoye razvedyvatelnoye upravleniye: GRU).

According to the report, “ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet”. The backdoor “was identified as being the P.A.S. webshell, version number 3.1.4” in addition to a backdoor trojan named ‘Exaramel’ that was first publicly reported by the Slovakian cyber security company ESET in 2018. The report claimed that the two pieces of malware would enable the intruders to fully control a compromised system when used together, but that the initial compromise method was not known.

Despite identifying the intrusion set, ANSSI did not directly attribute the campaign to a specific actor. “Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour,” the report judged.