- Russian hackers of the APT28 group have been linked to a lengthy operation against French entities.
- The actors exploited a flaw in CentOS 2.5.2 and planted web shell backdoors through ‘Centreon’ monitoring solutions.
- This does not appear to be related to the recent Stormshield compromise, and it’s different from the SolarWinds attacks.
A new large-scale intrusion campaign has been discovered in France, involving Russian state-sponsored hackers who have reportedly planted web shell backdoors through ‘Centreon’ IT monitoring tools. The announcement comes from the French cyber-security watchdog, ANSSI, which says that the campaign lasted from late 2017 until sometime in 2020, so it was quite a lengthy one.
Because Centreon is a French firm, the intrusion mostly affects French organizations such as Airbus and the Ministère de la Justice. However, others, such as the New Zealand Police, Sanofi, Luxottica, and Kuehne + Nagel, also use the tool. In total, Centreon has about 600 enterprise clients worldwide, so this is a serious and far-reaching security incident.
ANSSI performed scans to learn more about the threat and found that two distinct web shells were used, namely “Exaramel” and “PAS.” There are also clear signs that this operation was part of the “Sandworm” operation, which was launched by the Russian hacking group known as “Fancy Bear” (APT28). The web shells gave intruders the ability to brute-force user passwords for SSH operations, access and edit SQL databases, run arbitrary PHP commands, and more.
The compromised servers ran the CentOS Linux operating system version 2.5.2, which Red Hat terminated as a project in December 2020. Users are advised to update their OS and their IT monitoring tools to the latest versions available through the official channels. CentOS’s spiritual successor is now Rocky Linux, which is essentially a forked clone of the CentOS distribution.
To clarify, this is not a supply chain compromise like the SolarWinds case, but an exploit of the software via a zero-day flaw. This is why updating should plug the hole that was exploited between 2017 and 2020. Also, we do not believe that this is in any way related to the recently disclosed breach of ‘Stormshield,’ the French cybersecurity services provider.
APT28 was very active between 2017 and 2020, and even though the U.S. Department of Justice identified six members of the group last October, none of them have been arrested thus far. According to the FBI, “Fancy Bear” was responsible for hacks against the “La République En Marche!” political party and the French government, malware attacks against FedEx, the 2018 PyeongChang Winter Olympic Games, the Tokyo Summer Olympics, and investigators of the “Novichok Poisoning” incident in the U.K.