16 February 2021

Sandworm hackers targeted Centreon servers in three-year campaign


France's national cyber security agency is warning of a series of attacks that targeted French entities running the Centreon IT monitoring software.

Centreon is an IT monitoring product from the vendor of the same name, used to monitor applications, networks and systems.

The attacks have been detailed in a new report released by Agence Nationale de la Sécurité des Systèmes d'Information, also known by its French acronym ANSSI. According to the cybersecurity agency, the campaign, which lasted from late 2017 until 2020, mostly affected information technology providers, especially web hosting providers.

ANSSI said it found a backdoor, in the form of a webshell, installed on several internet-exposed Linux servers running the CentOS operating system. The backdoor was identified as the P.A.S. webshell, version 3.1.4. Additionally, another backdoor known as Exaramel was discovered on the same servers. Together these malware strains allowed the attackers to take full control of the compromised systems.

It is currently not clear how the hackers compromised the servers in the first place.

The security agency linked these attacks to the Sandworm APT, believed to be working on behalf of the Russian government, based on similarities between this campaign and past intrusions conducted by the group.

In the observed campaign the hackers used two infrastructure clusters: common VPN services used to connect to the webshell, and a separate set of command and control servers.

“Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour,” the agency said.

ANSSI also provided a separate advisory with SNORT and YARA rules and other indicators of compromise (IOCs) to help cybersecurity professionals detect malicious Sandworm activity.
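The article reports a PHP webshell found on internet-exposed Linux web servers and an advisory of YARA rules and IoCs to hunt for it. As an added illustration of how such a hunt is operationalised on a host (this is example code written for this page, not ANSSI's published rules or Centreon's code), the script below walks a web root, matches every PHP file's SHA-256 against an IoC list, and applies generic webshell heuristics: code-execution primitives fed from request parameters or from decoded blobs. The sample files, the "known bad" hash and the directory layout are all constructed here for the demonstration; real hunting would load the hashes and rules from the ANSSI advisory.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Generic PHP webshell heuristics (constructed for this example, not ANSSI's YARA rules).
# Each entry is (regex, human-readable label).
SUSPICIOUS_PATTERNS = [
    (r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
     "eval of decoded payload"),
    (r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
     "exec primitive fed from request input"),
    (r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",
     "request-controlled function call"),
    (r"\bpreg_replace\s*\(\s*[\"'][^\"']*/e[\"']",
     "preg_replace /e modifier"),
]

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def scan_php_source(source: str) -> list[str]:
    """Return the labels of all heuristics that match the given PHP source text."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS
            if re.search(pattern, source, re.IGNORECASE | re.DOTALL)]


def scan_webroot(root: Path, known_bad_sha256: set[str]) -> list[dict]:
    """Walk a web root; flag PHP files by IoC hash match and by heuristic content match."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if digest in known_bad_sha256:
            reasons.append("sha256 matches IoC list")
        reasons.extend(scan_php_source(data.decode("utf-8", errors="replace")))
        if reasons:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "sha256": digest,
                "reasons": reasons,
            })
    return findings


# Constructed sample files: one legitimate-looking helper and one minimal webshell-style stub.
BENIGN_SAMPLE = (
    "<?php\n"
    "$status = json_decode(file_get_contents(__DIR__ . '/status.json'), true);\n"
    "echo htmlspecialchars($status['host'] ?? 'unknown');\n"
)
SUSPICIOUS_SAMPLE = (
    "<?php\n"
    "if (isset($_REQUEST['x'])) { eval(base64_decode($_REQUEST['x'])); }\n"
)


def build_demo_webroot() -> Path:
    """Create a temporary web root holding the constructed samples plus a non-PHP file."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "include").mkdir()
    (root / "index.php").write_text(BENIGN_SAMPLE)
    (root / "include" / "cache_helper.php").write_text(SUSPICIOUS_SAMPLE)
    (root / "style.css").write_text("body { color: #333; }\n")  # skipped: not PHP
    return root


def demo() -> list[dict]:
    """Run the hunt over the demo web root with a constructed IoC hash list."""
    # Stand-in for the hash IoCs an advisory would supply (constructed: hash of our own sample).
    known_bad = {hashlib.sha256(SUSPICIOUS_SAMPLE.encode()).hexdigest()}
    return scan_webroot(build_demo_webroot(), known_bad)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}  {finding['sha256'][:16]}...  {', '.join(finding['reasons'])}")
```

Hash matching catches exactly the samples an advisory lists; the heuristics are what surface a renamed or lightly modified variant, at the cost of false positives on legitimate plugin code, so findings should be triaged against file timestamps, package ownership and web-server access logs rather than acted on automatically.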
