France’s cybersecurity agency ANSSI on Monday said “several French entities” had been breached, and linked the attacks to a Russian hacker group thought to be behind some of the most devastating cyberattacks in past years.
The agency said it had identified “an intrusion campaign” in which hackers, linked to Russian military intelligence agency GRU, compromised the French software firm Centreon in order to install two pieces of malware into its clients’ networks. The “supply chain attack” is similar to the recently discovered compromise of U.S. business software SolarWinds that breached several U.S. government agencies and many others.
The intrusion campaign started in late 2017 and lasted until 2020, ANSSI said, adding it “mostly affected information technology providers, especially web hosting providers.”
Centreon said in a statement it “has taken note of the information,” adding it is “not proven at this stage that the identified vulnerability concerns a commercial version provided by Centreon over the period in question.”
The company lists Airbus, Air France, Thales, ArcelorMittal, Électricité de France (EDF) and telecoms firm Orange among its clients, as well as the French Ministry of Justice. It’s unclear how many or which organizations were breached via the software hack.
ANSSI said that the campaign “bears several similarities with previous campaigns attributed to the intrusion set named Sandworm,” which “is known to lead consequent intrusion campaigns before focusing on specific targets that fits its strategic interests within the victims pool.”
The hacker group Sandworm has been linked to GRU by cybersecurity authorities and experts. The group is thought to be behind some of the most damaging cyberattacks in recent history, including the outbreak of ransomware NotPetya in 2017 and attacks on the Winter Olympics in South Korea.
European diplomats imposed sanctions on several officers of Russia’s intelligence unit linked to Sandworm in relation to the cyberattacks. U.S. authorities also indicted hackers belonging to the same group and said the group was suspected of being behind the 2017 cyberattack on then-presidential candidate Emmanuel Macron’s party La République En Marche.
The public mention of Sandworm by French authorities is rare, since the country has traditionally been hesitant to attribute cyberattacks.