French version: 🇫🇷


ANSSI has been informed of an intrusion campaign targeting the monitoring software Centreon distributed by the French company CENTREON which resulted in the breach of several French entities.

The first victim seems to have been compromised from late 2017. The campaign lasted until 2020.

This campaign mostly affected information technology providers, especially web hosting providers.

On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. This backdoor was identified as being the P.A.S. webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel.

This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm.

This report provides technical information detailing this campaign: targeted systems (Section 1), detailed malwares code analysis (Section 2), infrastructure (Section 3), tactics, techniques, and procedures (Section 4) and link with the intrusion set Sandworm (Section 4). Recommandations (Section 6) and detection methods (Section 7) are suggested to better protect against this kind of attack and remediate eventual compromissions.

Indicators of compromise are available in structured formats on the page CERTFR-2021-IOC-002.