Russia-Linked Threat Group Caught Deploying Backdoors on Linux Servers


The French National Cybersecurity Agency (ANSSI) has publicly attributed a campaign of long-running intrusions against numerous IT and web hosting providers in Europe to the infamous Sandworm APT group.

The compromises date back to 2017, according to a technical advisory issued by ANSSI, and include the compromise of Centreon, an IT monitoring software vendor whose products are widely deployed in French government agencies.

The agency did not say that the Centreon breach was part of a supply chain attack, but the decision to publicly name Sandworm has revived discussion of the group's past targeting of the software supply chain in high-profile APT operations.

Public analysis has linked Sandworm to a Russian state-backed APT group held responsible for separate attacks against Ukrainian targets in 2015 and 2017 and for the cyberattack on the opening ceremony of the 2018 Winter Olympics.

The French agency published a comprehensive technical report on the Centreon intrusions, which targeted Linux servers running CentOS. While the initial method of compromise remains unknown, ANSSI said the attackers deployed two backdoors and that the campaign "has several parallels with previous Sandworm modus operandi."

The agency also found that servers already known to be controlled by Sandworm were being used as part of the command-and-control infrastructure for the multi-year intrusion into French and European organisations.

"In general, the Sandworm intrusion set is known to execute consequent intrusion campaigns before settling on particular objectives within the victim pool that suit its strategic interests. This conduct suits the campaign witnessed by ANSSI," said the agency.

The report details Sandworm's use of public and commercial VPN services to communicate with the backdoors, naming several legitimate services and providers that were abused for this purpose.

ANSSI has published a separate document containing Snort and YARA rules and other indicators of compromise (IOCs) to help threat hunters check their environments for signs of Sandworm activity.

The agency has also released a set of recommendations to help organisations raise the bar against Sandworm and other APT groups. These include better patch management, server hardening, and limiting the exposure of monitoring systems.

"Monitoring devices such as Centreon need to be strongly interconnected with the information system tracked and are thus a prime target for lateralization-seeking intrusion sets," the agency added.

“It is recommended not to expose the web interfaces of these tools to the Internet, or to restrict such access by means of non-application authentication (TLS client certificate, web server basic authentication).”
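As an added example, not taken from the ANSSI report or from Centreon's own packaging, the following Apache httpd configuration shows the weak setting (a plain-HTTP virtual host reachable from anywhere, gated only by the application's login form) beside the hardened form that applies both controls ANSSI names: TLS client certificate authentication and web-server basic authentication, enforced before any request reaches the monitoring application. The hostname, the admin subnet, the certificate and htpasswd paths and the document root are assumptions chosen for illustration.

```apache
# Added example (not Centreon's shipped config). Hostname, paths and the
# admin subnet below are assumptions; adapt them to the deployment.

# Weak configuration: the monitoring console listens on plain HTTP, accepts
# requests from any source address, and the only gate is Centreon's own login.
<VirtualHost *:80>
    ServerName centreon.example.internal
    DocumentRoot /usr/share/centreon/www
    <Directory /usr/share/centreon/www>
        Require all granted
    </Directory>
</VirtualHost>

# Hardened configuration: TLS only, the server demands a client certificate
# issued by the organisation's internal CA, and httpd additionally enforces
# basic authentication and a source-address restriction before the
# application code runs. These are "non-application" controls: they hold
# even if the monitoring application itself has an unpatched auth bypass.
<VirtualHost *:443>
    ServerName centreon.example.internal
    DocumentRoot /usr/share/centreon/www

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    /etc/pki/tls/certs/centreon.crt
    SSLCertificateKeyFile /etc/pki/tls/private/centreon.key

    # TLS client certificate authentication: the handshake fails for any
    # client that cannot present a certificate chaining to internal-ca.crt.
    SSLCACertificateFile  /etc/pki/tls/certs/internal-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Directory /usr/share/centreon/www>
        # RequireAll makes BOTH conditions mandatory; a bare pair of Require
        # lines would be OR-ed together and either one alone would suffice.
        <RequireAll>
            # Only the monitoring VLAN / admin jump hosts, even with a cert.
            Require ip 10.20.30.0/24
            # Basic authentication handled by httpd, independent of the
            # application's own user database.
            Require valid-user
        </RequireAll>
        AuthType Basic
        AuthName "Monitoring console"
        AuthUserFile /etc/httpd/centreon.htpasswd
    </Directory>
</VirtualHost>

# Never serve the interface over plain HTTP; send clients to the TLS vhost.
<VirtualHost *:80>
    ServerName centreon.example.internal
    Redirect permanent "/" "https://centreon.example.internal/"
</VirtualHost>
```

Create the credential file with `htpasswd -c /etc/httpd/centreon.htpasswd <user>`, validate the syntax with `apachectl configtest`, and confirm the controls from an unprivileged host: a `curl https://centreon.example.internal/` without a client certificate must fail at the TLS handshake, and a request with a valid certificate but no `Authorization` header must return 401 rather than the login page. Basic authentication is placed only in the TLS virtual host because the credentials travel base64-encoded, not encrypted, and would otherwise be readable on the wire; the hardened form also keeps the interface off the Internet entirely through the source-address restriction, which ANSSI lists as the preferred option.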

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.