"France Ties Russia's Sandworm to a Multiyear Hacking Spree"

The French information security agency ANSSI recently published an advisory warning about Sandworm, a group of hackers within Russia's GRU military intelligence agency. This group has been linked to blackouts in Ukraine as well as NotPetya, which is considered the most destructive malware in history. According to the advisory, Sandworm's hackers have breached several French organizations, most of which are IT providers, particularly web hosting providers. ANSSI says the intrusion campaign began in late 2017 and ran until 2020. The hackers appear to have breached servers running the IT monitoring tool called Centreon. The way in which these servers were hacked remains unknown. However, ANSSI found two different pieces of malware on the servers, one of which is the publicly available backdoor called PAS. The other backdoor is known as Exaramel. Joe Slowik, a researcher with the security firm DomainTools, says that the Sandworm group is linked with destructive operations. Although the endgame linked to the campaign documented by the French authorities is not known, the fact that it is occurring should raise serious concern as the end goal of most of Sandworm's operations, has been to cause significant disruptions. ANSSI did not identify those organizations that have fallen victim to the hacking campaign. However, Centreon's website does list customers, including the defense and aerospace firm Thales, the steel and mining firm ArcelorMittal, the nuclear power firm EDF, Airbus, and the French Department of Justice. Any of these customers could have had servers running Centreon exposed to the internet. Some cybersecurity experts interpreted the ANSSI report as suggesting another software supply chain attack similar to the one launched against SolarWinds, though the report does not mention supply chain compromise. DomainTools' Slowik pointed out that the intrusions were carried out by exploiting internet-facing servers running Centreon's IT monitoring application within victims' networks. This article continues to discuss ANSSI's warning about the Sandworm hacker group's targeting of French organizations and the history of Sandworm. 

Wired reports "France Ties Russia's Sandworm to a Multiyear Hacking Spree"