The Russia connection

French Companies Targeted by Russian Cyberattack between 2017 and 2020

Published 16 February 2021

A broad Russian cyberattack in France was carried out via the French software Centreon, which serves large companies and government agencies. The cyberattack resembles Russia’s exploitation of vulnerabilities in SolarWinds to attack American companies and government agencies. The scope of Russia’s cyberattack in France is still uncertain.

Agence nationale de la sécurité des systèmes d’information (ANSSI), France’s National Cybersecurity Agency, on Monday announced the discovery of a computer intrusion “affecting several French entities.” The breach took advantage of the French software company Centreon, which counts among its clients large companies and France’s Ministry of Justice.

“The first compromises identified by ANSSI date from the end of 2017 and continued until 2020,” ANSSI said in a report presenting technical information related to this attack campaign. The ANSSI said it has established that the attack had “many similarities to previous Sandworm modus operandi campaigns,” which have been attributed to Russian military intelligence.

The ANSSI does not explicitly charge that Russia was behind the Centreon attack, in keeping with the agency’s practice of limiting itself to the technical aspects of the attacks.

The cyberattack “recalls the methods that have already been used by the Russian intelligence group Sandworm, but that does not guarantee that it is [the perpetrator],” cybersecurity specialist Gérome Billois from the consulting firm Wavestone told AFP. The duration of the attack before it was discovered suggests the attackers were “extremely discreet, in keeping with the logic of theft of data and information,” he added.

On Tuesday, in another twist, Centreon blamed a third-party developer for the vulnerability. “The security breach does not concern a commercial version of Centreon software,” said a spokesperson for Centreon.

The cyberattack was reportedly active from the end of 2017 to 2020, targeting large companies such as Total and Airbus.

Centreon, after analyzing Monday’s ANSSI report, said that only open source and old versions of its software, versions which needed “an additional module developed by a third-party operator,” could have been compromised. “We do not know what this [third party] module is, but it is not present in the codes and platforms produced by Centreon, and the line of code on which [this third party module] operates has been absent from Centreon solutions since 2015,” the company said.

“It is not commercial users who are affected,” Centreon continued. “For open source users, they must verify that the date of their software is later than 2015. And we urge them to be wary of third-party integrators.”

The company said that the free version of Centreon is used on about “200,000 workstations,” and that the commercial version is used by “720 clients.”

Companies using Centreon software have so far refused news media requests for comment on the impact the breach had on their operations, if any.

Analysts note that the case recalls the broad 2020 Russian cyberattack which targeted American companies and government agencies by compromising another monitoring software, SolarWinds, which is used by tens of thousands of businesses around the world. “The monitoring tools that we put in our information system are often targets for cybercriminals because they allow access to a lot of data,” explained Billois. “They are known to be attack-amplification tools,” he added.