The French national cybersecurity agency, ANSSI, has reported that multiple intrusions into organizations' networks shared similarities with earlier cyberattacks by a group of threat actors linked to Russian intelligence.

The ANSSI, which stands for Agence Nationale de la Sécurité des Systèmes d’Information, reported that hackers had exploited a vulnerability in inspection software sold by the French group Centreon, whose clientele includes several major French corporations, among them defense group Thales, power group EDF, and oil and gas giant Total. The French Ministry of Justice and city authorities such as Bordeaux are also listed as Centreon clients on the company’s website.

According to the ANSSI report, the cyberattacks mainly targeted IT service providers, especially web-hosting providers.

ANSSI found a backdoor on multiple Centreon servers that allowed the threat actors to gain unauthorized access to the affected organizations’ networks.

Similarities to the Sandworm hack:

“This campaign integrates several similarities with previous cyberattacks allocated to the intrusion set named Sandworm,” disclosed the report, titled “Sandworm Intrusion Set Campaign Targeting Centreon Systems”, referring to a group of threat actors suspected of being linked to the Russian military. The report was published on Monday and gave technical particulars about how the threat actors gained illegal access to Centreon servers.

Cybersecurity experts observe that the cyberattack repeats tactics and routes already used by the Sandworm Team, which is connected to Russian intelligence, but this observation alone does not confirm a link between the two.

Since the timeline of the hacks is long, spanning from 2017 to 2020, the threat actors are believed to have been extremely careful and discreet, probably with the aim of stealing sensitive data or spying.

US links SolarWinds hack to Russia:

US law enforcement and intelligence agencies also believe that Russia was the perpetrator of the massive hack recently discovered at the US firm SolarWinds, which markets software that is widely used on government as well as private-sector computers.

In early January, about 18,000 public and private clients of SolarWinds were found vulnerable to the hack.