The claim was made by France's National Agency for the Security of Information Systems (Agence Nationale de la Sécurité des Systèmes d’Information or ANSSI), which linked the attacks to a group known as Sandworm, because of a similar intrusion set.
The agency defined an intrusion set as "the sum of tools, tactics, techniques, procedures and characteristics used by one or more actors within one or more campaigns".
"Generally speaking, the intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fits its strategic interests within the victims pool. The campaign observed by ANSSI fits this behaviour," the French agency wrote.
using @lordx64 formula (nrof_engineers = devs * 100) and knowing the P.A.S. webshell was developed just by Profexer, that would suggest it would take ~100 engineers to make it.— Costin Raiu (@craiu) February 16, 2021
The allegations about Sandworm were made by the US Department of Justice in October 2020, with claims that the group comprised six individuals, "all of whom were residents and nationals of the Russian Federation and officers in Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces".
These six men were said to have "engaged in computer intrusions and attacks intended to support Russian Government efforts to undermine, retaliate against, or otherwise destabilise: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian Government-sponsored doping effort".
ANSSI said the attackers used a webshell known as P.A.S. and a backdoor known as Exaramel to attack the systems, which were compromised between late 2017 and 2020, the agency said in a detailed blog post. CENTREON's software, known as Centreon, is used to monitor applications, networks and systems and there are versions for both Windows and Linux.
"On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the Internet," the agency wrote.
"This backdoor was identified as being the P.A.S. webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by [Slovakian security firm] ESET and named Exaramel."
ANSSI said it was not aware of the initial vector for the compromise. The blog post provided detailed breakdowns of how both P.A.S and Exaramel work.
The agency also released a separate document linking to a list of indicators of compromise, a list of Snort rules and a list of YARA rules to help those looking for infections.
"Monitoring systems such as Centreon need to be highly intertwined with the monitored information system and therefore are a prime target for intrusion sets seeking lateralisation," the post said. "It is recommended either not to expose these tools’ Web interfaces to the Internet or to restrict such access using non-applicative authentication (TLS client certificate, basic authentication on the Web server)."