The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) has linked breaches at multiple French IT firms to the Sandworm hacking group, which has been attributed to Unit 74455 of Russia’s Main Intelligence Directorate (GRU). While the cause of these attacks is still unknown, the campaign is known to have started in 2017, when the first victim was attacked. The ANSSI was able to identify the two backdoors used by the attackers, which is likely one reason authorities were able to make the association with Sandworm. Comparing the intrusions with Sandworm’s previously observed activity, French authorities determined that the command and control infrastructure was similar to that seen in past attacks.
Analyst Notes
More of what happened during this four-year campaign will likely come to light in the coming weeks and months, especially regarding the initial compromise. The ANSSI has published IOCs, Yara rules, and Snort rules that administrators can use freely to protect their hosts and to hunt for signs of compromise. Organizations that have the capability to scan files and memory for the presence of the aforementioned web shells using the Yara rules should do so. Administrators and security departments should also review which logs are being collected from hosts and consider adding more diverse log sources, so that adequate information is available to incident response investigations whether they begin days or months after an attack first started.
References:
Campagne d’attaque du mode opératoire Sandworm ciblant des serveurs Centreon – CERT-FR (ssi.gouv.fr)
Yara Rules
Snort Rules
France links Russian Sandworm hackers to hosting provider attacks (bleepingcomputer.com)