Several French companies or institutions have been affected in recent years by a computer intrusion via the French software Centreon, using a technique reminiscent of "Sandworm", the origin of which is attributed to Russian hackers.
Anssi, the guardian of French computer security, revealed these intrusions on Monday evening in a technical information note intended for those in charge of computer security.
"The first compromises identified by Anssi date from the end of 2017 and continued until 2020," Anssi said in its note.
Anssi established that the attack had "many similarities to previous campaigns of the Sandworm modus operandi", generally attributed to Russian military intelligence.
But it does not explicitly accuse Russia, in keeping with its practice of limiting itself to technical analysis of attacks.
Attribution is a political decision, which cannot be made solely on technical criteria, which may be misleading.
The cyberattack "recalls the methods that have already been used by the Russian intelligence group Sandworm, but that does not guarantee that it is him", Gérôme Billois, a cybersecurity specialist at the consulting firm Wavestone, told AFP.
In any case, the length of time the attack went undiscovered suggests attackers who are "extremely discreet, rather known to be in the logic of theft of data and intelligence", he added.
For its part, Centreon said it had "taken note of the information published by Anssi this evening, at the time of the publication of the report, which would concern facts initiated in 2017, or even in 2015".
"We are making every effort to take the exact measure of the technical information in this publication," it added.
Used by many companies (Airbus, Air France, Bolloré, EDF, Orange and even Total) and by the Ministry of Justice, Centreon software is used to monitor applications and computer networks.
- Customers affected by rebound -
According to Anssi, the campaign "mainly affected IT service providers, especially web hosting".
But it could also have affected large groups and institutions.
"It is possible that customers of these providers have been affected by rebound," said Loïc Guezo, general secretary of Clusif, an association of French cybersecurity specialists.
In general, it is "exceptional" that Anssi publishes such a note, he stressed.
The note is clearly the result of lengthy investigative work in compromised French companies, and of cross-checking against previous cases publicly revealed several years ago, he said.
In principle, the case recalls the vast cyberattack attributed to Russia that targeted the United States in 2020 via the compromise of another monitoring software product, SolarWinds, developed by a company in Texas and used by tens of thousands of businesses around the world.
“The monitoring tools that we put in our information system are often targets for cybercriminals because they allow access to a lot of data,” explained Gérôme Billois.
“They are known to be attack amplification tools,” he added.
In the United States, the cyberattack via SolarWinds notably affected the State Department, the Treasury, Homeland Security and the National Institutes of Health.
Contacted on Monday evening, the Ministry of Justice and other French companies did not immediately comment.
© 2021 AFP