France blames Sandworm, a notorious Russian group, for breach that leveraged IT provider

The incident bears similarites to the espionage campaign that leveraged SolarWinds software to infiultrate U.S. agencies.
Moscow, Russia
Moscow. (Getty Images)

A notorious group of hackers known as Sandworm breached multiple French IT firms and web hosting companies as part of an apparent espionage operation dating back to 2017, France’s national cybersecurity agency said on Monday. 

France’s Agence nationale de la sécurité des systèmes d’information (ANSSI) issued a report detailing how attackers exploited an IT resource monitoring tool called Centreon, built by a company of the same name, to infiltrate other organizations.

While ANSSI did not specifically blame Russia, its report detailed how Sandworm, a hacking group affiliated with the Russian military agency GRU, spent three years from 2017 through 2020 hidden in some networks. The report also did not specify how attackers may have used that access, though security experts told Wired magazine that the group’s mere involvement in such an effort is enough to cause concern. Investigators previously blamed Sandworm for the 2017 NotPetya attack on Ukraine, a 2015 attack on Ukraine’s electricity grid and other destructive incidents. 

The apparent espionage campaign bears similarities to the suspected Russian effort in the U.S. in which hackers used another IT firm, SolarWinds, as a foothold into government networks to gather intelligence from victims including the departments of Treasury, Homeland Security and the U.S. courts system. American officials previously said the SolarWinds breach was “likely Russian in origin” but did not tie the tactics, techniques and procedures to Sandworm. 


The French incident involved a PAS web shell and the Exaramel backdoor trojan, two hacking tools detected by security vendors dating back to 2017 and 2018, respectively. Hackers were successful in some cases because the victim organization had failed to update their systems to the latest version of Centreon, a process that would have scrubbed known security flaws. 

Centreon did not immediately respond to a request for comment on Tuesday. The company on Monday told Wired that it is “not proven at this stage that the identified vulnerability concerns a commercial version provided by Centreon over the period in question.”  

Security specialists also have blamed Russia’s GRU for a hack that forced the French TV station, TV5Monde, off the air in April 2015. In that breach, hackers calling themselves the “Cyber Caliphate,” which supposedly had links to the Islamic State terrorist group, claimed responsibility only for investigators to uncover evidence of Russian involvement. 

The Kremlin has consistently denied any involvement in cyberwarfare or cyber-espionage.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts