France’s information security agency ANSSI said yesterday that they’d determined a Russian threat actor has been active against French targets from 2017 to 2020. ANSSI didn’t flatly say which group was responsible, but it did note, according to Reuters, that similar tactics, techniques, and procedures had been seen in use by Sandworm, also known as Voodoo Bear, an operation belonging to Russia’s GRU military intelligence service. ANSSI has also made a detailed technical report available: the attackers dropped backdoors as webshells in their targets.
The operation appears to have been another software supply chain attack, with the attackers working their way in through Centreon products used for IT monitoring. ANSSI didn’t say how many victims there had been, but the agency indicated that most of them were IT services firms, “especially web hosting providers.” The similarities to the SolarWinds campaign in the US seem obvious. There’s no informed official conjecture about the campaign’s goals, but WIRED quotes industry experts as observing that Sandworm has a track record of disruption.
A member of South Korea’s parliamentary intelligence committee told Reuters…
