Exposed in a report published by ANSSI, France’s cyber-security agency, the hacking campaign ran from 2017 to 2020 and targeted companies running Centreon’s primary product, a software package of the same name that is used for monitoring IT resources inside large companies.
Hackers, believed to be linked to the Russian government, breached companies running the software and installed malware to perform silent surveillance.
But in a press release today, Centreon said that none of its primary commercial customers were hit in these attacks. Only companies that downloaded the open-source version of the Centreon app, which the company freely provides on its website, were impacted, Centreon said.
“According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years,” the French company said today.
That version was released in November 2014, and Centreon said the companies had deployed the outdated software “without respect for the security of servers and networks.”
“Since this version, Centreon has released eight major versions,” the company said.
Centreon, which had declined to comment yesterday, immediately after the ANSSI report was released, has now had to issue a statement to protect its reputation, mindful of how companies have started abandoning the SolarWinds Orion IT monitoring platform following news of a major security breach last December.
On its website, Centreon lists customers such as Airbus, Agence France Press, Euronews, Orange, Lacoste, Sephora, ArcelorMittal, Total, SoftBank, Air France KLM, and several French government agencies and city governments.
However, according to Centreon, none of these appear to have been attacked. The ANSSI report also noted that the attackers primarily targeted web hosting companies.
The French cyber-security agency also drew a tentative connection between the attacks and a hacking group known as Sandworm, which the US government last year linked to Unit 74455 of the Russian Main Intelligence Directorate (GRU), Russia’s military intelligence agency.
The connection between the attacks and Sandworm was the use of Exaramel, a type of multi-platform backdoor trojan that the attackers installed on servers after gaining a foothold via the Centreon software.
Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, also said on Monday that Sandworm was the only group seen using the Exaramel malware described in the ANSSI report, lending support to the agency’s attribution.