
Sandworm Hackers Exploit Centreon IT Monitoring Software Tool

Russian hacker group Sandworm allegedly launched a cyber intrusion campaign targeting IT monitoring software tool Centreon, according to the French National Agency for the Security of Information Systems (ANSSI).

The campaign was used to attack multiple French entities between 2017 and 2020 and primarily affected information technology service providers (ITSPs). Still, Centreon said that none of its customers were affected by a hacking campaign, Reuters reports.

ANSSI discovered a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. It also identified another backdoor identical to one previously found by antivirus software company ESET.

Centreon's software is designed to monitor all equipment, middleware and applications, spanning on-premise legacy assets, private and public cloud environments, and the network edge, the company's website indicates.

US Department of Justice Issues Charges Against Sandworm Hackers

ANSSI's discovery comes after the U.S. Department of Justice (DOJ) in October 2020 charged six Sandworm hackers in connection with the worldwide deployment of destructive malware.

DOJ charged the hackers in connection to several global cyberattacks, including:

  • PyeongChang Winter Olympics: Involved spear phishing campaigns and malicious mobile applications to target South Korean citizens and officials, Olympic athletes, partners and others during the PyeongChang Winter Olympics in 2018
  • NotPetya: Involved malware attacks that took place in 2017 and caused billions of dollars in losses for organizations around the world
  • French Elections: Involved spear phishing campaigns against French government agencies prior to the country's 2017 elections
  • Ukrainian Government & Critical Infrastructure: Involved malware attacks to shut down Ukraine's electric power grid, Ministry of Finance and State Treasury Service from December 2015 through December 2016

Along with the DOJ's charges against Sandworm hackers, the National Security Agency (NSA) in June 2020 issued a cybersecurity warning following the discovery of Sandworm attacks on email servers that may have originally begun in August 2019.

Sandworm hackers had been exploiting a vulnerability (CVE-2019-10149) in Exim mail transfer agent (MTA) software. NSA recommended security administrators use file integrity monitoring software to guard against this vulnerability.

Dan Kobialka
