News of the SolarWinds supply chain attack, in which updates to its Orion IT management software were trojanized, rocked the cyber world.
And now comes news from France's National Information Systems Security Agency (ANSSI) that a French vendor of IT monitoring software has been the subject of a supply chain attack that went undetected for several years.
And just like in the SolarWinds data breach, the top suspect nation-state is Russia.
Supply chain attack against Centreon
French cyber agency ANSSI says the supply chain attack targeted Centreon, a French vendor of IT monitoring software, and that it went on for years:
"The first compromises identified by ANSSI date from the end of 2017 and continued until 2020. This campaign mainly affected IT service providers, particularly web hosting."
Which organizations are potential targets, reachable through compromised Centreon installations? Like the SolarWinds case, the Centreon attack is potentially far-reaching. One caveat for readers drawing the parallel: ANSSI's report describes backdoors planted on Centreon servers exposed to the internet, not trojanized Centreon updates, so the mechanism is not a direct copy of the SolarWinds intrusion.
"Public organizations and international companies of all sizes and in all sectors trust Centreon; we can add as potential targets @AFP @BNPParibas @ArcelorMittal @justice_gouv" (tweet by Anis Haboubi, @HaboubiAnis, February 16, 2021)
How did the Centreon supply chain cyberattack work?
ANSSI's alert about the cyberattack against Centreon gives a high-level explanation of how attackers carried out the breach:
"ANSSI has observed the existence of a webshell-type backdoor on the compromised systems, deposited on several Centreon servers exposed on the internet.
This backdoor has been identified as the P.A.S. webshell in version 3.1.4. On these same systems, ANSSI identified the presence of another backdoor, named Exaramel by the vendor ESET."
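The two artifacts ANSSI describes are a PHP webshell (P.A.S.) dropped on internet-facing Centreon web servers and a second backdoor (Exaramel) on the same hosts. A first triage step a defender can take is to sweep the Centreon web root for known-bad files and for the generic shape of an obfuscated PHP webshell. The script below is an added example written for this article, not code from ANSSI, ESET or the Centreon project: it hashes every file under a web root and compares it with an IoC hash list you supply (the real hashes are in ANSSI's published indicators and are not reproduced here), and it flags PHP files matching generic webshell heuristics such as `eval()` fed by `base64_decode()` or `system()` fed directly by a request parameter. The heuristics, the fixture files and the `build_sample_webroot` / `scan_webroot` / `demo` function names are all assumptions of this example; the patterns are generic and are not a signature for P.A.S. specifically.

```python
"""Triage sweep of a web root (e.g. a Centreon install) for PHP webshells.

Added example for this article; not ANSSI's, ESET's or Centreon's code.
Checks performed:
  1. SHA-256 of every file against a caller-supplied IoC hash list
     (use ANSSI's published indicators; none are embedded here).
  2. Generic heuristics for obfuscated PHP webshells in *.php-like files.
The heuristics are deliberately generic (assumed, tune to your environment),
not a P.A.S.-specific signature.
"""
import hashlib
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}

# Assumed heuristics: common shapes of PHP webshell loaders/droppers.
SUSPICIOUS_PATTERNS = [
    # eval()/assert() wrapping a decode/inflate call, e.g. eval(base64_decode(...))
    re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # command execution fed straight from a request parameter
    re.compile(r"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # eval of raw request input
    re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # preg_replace with the /e modifier (code execution in PHP < 7)
    re.compile(r"preg_replace\s*\(\s*['\"].*?/e['\"]", re.I),
]


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large uploads/caches do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, ioc_hashes):
    """Return a list of (relative_path, reason) findings under root."""
    root = Path(root)
    ioc_hashes = {h.lower() for h in ioc_hashes}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        digest = sha256_file(path)
        if digest in ioc_hashes:  # exact IoC hit beats any heuristic
            findings.append((rel, f"sha256 matches IoC {digest[:12]}..."))
            continue
        if path.suffix.lower() not in PHP_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(text):
                findings.append((rel, f"matches heuristic {pat.pattern[:40]}"))
                break
    return findings


def build_sample_webroot(base):
    """Constructed fixture (not real Centreon files): one harmless include,
    one obfuscated loader-style PHP file, one binary asset."""
    base = Path(base)
    (base / "include").mkdir(parents=True, exist_ok=True)
    (base / "include" / "config.php").write_text(
        "<?php\n$conf['db'] = 'centreon';\necho htmlspecialchars($_GET['q'] ?? '');\n")
    (base / "cache.php").write_text(
        "<?php @eval(base64_decode($_POST['x'])); ?>\n")  # constructed webshell-style file
    (base / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return base


def demo():
    """Run both checks over the fixture; returns relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_webroot(tmp)
        heuristic_only = scan_webroot(root, [])
        # Treat the PNG's hash as if it were a published IoC to exercise the hash path.
        with_ioc = scan_webroot(root, [sha256_file(root / "logo.png")])
        return {
            "heuristic": [p for p, _ in heuristic_only],
            "with_ioc": sorted(p for p, _ in with_ioc),
        }


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_webroot(tempfile.mkdtemp()), []):
        print(f"{rel}: {why}")
```

On a real host, point `scan_webroot` at the Centreon web directory and feed it the hash column of ANSSI's IoC file; then treat any hit as a trigger to image the box and look for the second-stage backdoor rather than just deleting the PHP file, since the report says Exaramel was found on the same systems.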
The French cyber agency also says the Centreon campaign has many similarities to previous campaigns of Sandworm.
The Sandworm Team, also known as Unit 74455, is a Russian military cyber unit of the GRU. Sandworm is believed to be behind the December 2015 Ukraine power grid cyberattack, the 2017 NotPetya attacks on Ukraine, and other operations.
ANSSI goes further and titles its report an attack campaign by the Sandworm intrusion set targeting Centreon servers.
SecureWorld has located helpful resources for your team relating to the Centreon Sandworm attack:
Indicators of Compromise in multiple formats (English)
Detailed Centreon Sandworm attack counter measures (French)
Related supply chain cybersecurity podcasts
SecureWorld recently hosted two crucial conversations relating to the SolarWinds supply chain attack. Part 1 looks at the impact on the U.S. government and examines nation-state cyber threats. Listen here:
Part 2 examines changes to legal, compliance, and vendor risk management in a post-SolarWinds world. Now, a post-SolarWinds and post-Centreon world: