
[CERT-FR] Sandworm intrusion set campaign targeting Centreon systems

Severity: Low
Published: Wed Jan 27 2021 (01/27/2021, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: fr-classif (a MISP classification taxonomy, not a vendor)
Product: non-classifiees (French classification level: not classified)


AI-Powered Analysis

Last updated: 07/02/2025, 08:26:05 UTC

Technical Analysis

The entry records a campaign by the Sandworm intrusion set against Centreon systems, as published by CERT-FR and redistributed by CIRCL. Sandworm is a well-known advanced persistent threat (APT) group associated with cyber espionage and sabotage. Centreon is an open-source IT infrastructure monitoring platform whose server runs on Linux, so the Linux targeting noted in the entry refers to the Centreon hosts themselves. The campaign is tagged with exploitation of public-facing applications (MITRE ATT&CK T1190): initial access came through the Centreon web interface, but the entry names no specific vulnerability or misconfiguration. Post-compromise activity is tagged as web shells (T1505.003) for remote control of the compromised server, file and directory discovery (T1083) to map the environment, and creation or modification of system services (T1543) for persistence. The T1543.003 (Windows Service) sub-technique is also tagged, which does not fit a Linux host; on Linux, T1543 maps to systemd units and similar mechanisms, so verify that tag against the original report before building detections on it. Command and control runs over encrypted channels (T1573) using both symmetric (T1573.001) and asymmetric (T1573.002) cryptography, which limits what network inspection can see, and exfiltration goes over the same C2 channel (T1041). The entry targets Linux systems predominantly in Western Europe and rates its indicators of compromise as high confidence. The Low rating on this page is the portal's; the entry's own MISP threat level of 4 means "undefined" rather than low. The involvement of a high-profile APT and the technique set point to a targeted espionage campaign with long-term presence in victim networks rather than a widespread destructive attack. The entry documents no specific exploit, CVE or patch, so nothing here distinguishes between a zero-day, a known but unpatched flaw or a configuration weakness as the entry point; the stronger conclusion in either direction is not supported by this entry.

Potential Impact

For European organizations that rely on Centreon to monitor critical infrastructure, a compromised Centreon server is a serious foothold. A monitoring server holds credentials and network reachability to everything it monitors (SNMP community strings, SSH keys or passwords used by check plugins, poller connections), so a successful compromise gives the attacker deep network visibility and a ready path for lateral movement and espionage. Confidentiality is at risk through exfiltration of operational data over the encrypted C2 channel. Integrity is at risk if attackers alter monitoring outputs or system processes, which can hide real failures or mislead incident responders. Availability impact is indirect but possible if monitoring is disrupted or the server is used to stage broader attacks. Sectors that typically run Centreon for infrastructure monitoring (energy, telecommunications, government and other critical infrastructure operators) have the most to lose. The Low rating may reflect limited exploitation scope or difficulty of exploitation, but the presence of a sophisticated APT actor warrants vigilance; encrypted C2 and obfuscation make the intrusion hard to detect, and a tampered monitoring platform undermines trust in the very data defenders use to spot incidents.

Mitigation Recommendations

Organizations should audit their Centreon deployments immediately, starting with whether the web interface is reachable from the internet; remove that exposure where it is not strictly needed, and put what remains behind a VPN or an authenticating reverse proxy. Segment monitoring systems from general user networks and restrict administrative access to a small, well-defined set of hosts and accounts. Apply least privilege to all Centreon accounts and services, and enforce multi-factor authentication (MFA) for administrative access to Centreon and the infrastructure around it. Hunt for the techniques tagged in this entry: PHP files in the Centreon web root that the package manager does not own or that were modified after the last upgrade (verify with rpm -V or debsums against the installed Centreon packages, depending on the distribution), new or modified systemd units and cron entries, shells or other unexpected child processes spawned by the web server user, and long-lived encrypted outbound connections from the monitoring host to destinations it has no reason to contact. Endpoint detection and response (EDR) tooling on the Linux hosts should alert on process creation by the web server and on service creation or modification. Keep Centreon and the underlying operating system patched even though this entry documents no specific fix, since outdated deployments are the ones most exposed to known flaws. Finally, coordinate with the national CERT and share indicators so that other operators of the same software benefit.
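The following Python script is an added example, not code from CERT-FR, Centreon or this page. It implements two of the hunts above on a Centreon host: PHP files in the web root that match generic web-shell heuristics (dynamic code or command execution fed straight from request input) or were modified after a baseline timestamp, and systemd units whose Exec lines run code from a temp or home directory or point at a world-writable binary. The heuristics are generic, not the campaign's own indicators. It assumes the Centreon web root is /usr/share/centreon/www and unit files live under /etc/systemd/system (both are parameters), and the sample files it builds for the offline demo are constructed, not real artefacts.

```python
"""Hunt for dropped PHP web shells (T1505.003) and service-based persistence (T1543)
on a Centreon server. Added example with generic heuristics, not the report's IOCs."""
import os, re, stat, tempfile, time
from collections import namedtuple

# Assumed default locations (Centreon RPM layout); pass other paths for other installs.
CENTREON_WEBROOT = "/usr/share/centreon/www"
SYSTEMD_UNIT_DIR = "/etc/systemd/system"
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")
# Generic PHP web-shell heuristics: code or command execution fed straight from
# request input. Expect some noise; tune to the code you scan.
WEBSHELL_PATTERNS = [
    ("eval-of-decoded-payload", re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("command-exec-from-request", re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("assert-from-request", re.compile(rb"\bassert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("variable-function-from-request", re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
]
# Exec* lines of systemd units; group(1) is the executable after any prefix characters.
EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Reload|Stop|StopPost)\s*=\s*[-@+!:]*\s*(\S+)")
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")  # no unit should run code here

Finding = namedtuple("Finding", "kind path detail")

def hunt_webshells(webroot, modified_after=None):
    """Flag PHP files that match shell heuristics, are world-writable, or were
    modified after a baseline timestamp (e.g. the last Centreon upgrade)."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not name.lower().endswith(PHP_EXTENSIONS) or not stat.S_ISREG(st.st_mode):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            hits = [label for label, rx in WEBSHELL_PATTERNS if rx.search(data)]
            if hits:
                findings.append(Finding("webshell", full, ", ".join(hits)))
            if st.st_mode & stat.S_IWOTH:
                findings.append(Finding("world-writable-php", full, oct(st.st_mode & 0o777)))
            if modified_after is not None and st.st_mtime > modified_after:
                findings.append(Finding("modified-after-baseline", full, time.ctime(st.st_mtime)))
    return findings

def hunt_service_units(unit_dir):
    """Flag units whose Exec* lines run a world-writable binary or code from a
    temp/home directory. Symlinked units in *.wants/ directories are followed."""
    findings = []
    for dirpath, _, filenames in os.walk(unit_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not name.endswith(".service"):
                continue
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # dangling symlink or unreadable unit
            for line in lines:
                m = EXEC_RE.match(line)
                if not m:
                    continue
                exe = m.group(1)
                if os.path.isabs(exe) and os.path.exists(exe) and os.stat(exe).st_mode & stat.S_IWOTH:
                    findings.append(Finding("service-exec-world-writable", full, exe))
                elif any(d in line for d in SUSPICIOUS_EXEC_DIRS):
                    findings.append(Finding("service-exec-from-temp-or-home", full, line.strip()))
    return findings

def run_hunt(webroot=CENTREON_WEBROOT, unit_dir=SYSTEMD_UNIT_DIR, modified_after=None):
    return hunt_webshells(webroot, modified_after) + hunt_service_units(unit_dir)

def build_demo_tree(root):
    """Constructed sample files for an offline run; none are real artefacts from the campaign."""
    webroot, unit_dir = os.path.join(root, "www"), os.path.join(root, "systemd")
    helper = os.path.join(root, "bin", "helper")
    samples = {
        os.path.join(webroot, "index.php"): b"<?php\nrequire_once 'include/common/common-Func.php';\n",
        os.path.join(webroot, "include", "common", "cache.php"): b"<?php\n@eval(base64_decode($_POST['p']));\n",
        os.path.join(webroot, "img", "stats.php"): b"<?php if(isset($_GET['c'])){ system($_GET['c']); }\n",
        os.path.join(unit_dir, "centengine.service"):
            b"[Service]\nExecStart=/usr/sbin/centengine /etc/centreon-engine/centengine.cfg\n",
        os.path.join(unit_dir, "multi-user.target.wants", "sysupdate.service"):
            b"[Service]\nExecStart=/bin/sh -c '/dev/shm/.x/agent -d'\n",
        os.path.join(unit_dir, "helper.service"): f"[Service]\nExecStart={helper}\n".encode(),
        helper: b"#!/bin/sh\nexit 0\n",
    }
    for path, content in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    os.chmod(helper, 0o777)                                              # world-writable binary
    os.utime(os.path.join(webroot, "index.php"), (1_600_000_000,) * 2)  # predates the baseline
    return webroot, unit_dir

def demo():
    """Build the sample tree in a temp directory and hunt it with a 2023-11 baseline."""
    webroot, unit_dir = build_demo_tree(tempfile.mkdtemp(prefix="centreon-hunt-"))
    return run_hunt(webroot, unit_dir, modified_after=1_700_000_000)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:30} {f.path}  {f.detail}")
```

On a real host, call run_hunt() as root with modified_after set to the timestamp of the last Centreon upgrade and triage every finding by hand; a "webshell" hit in a file the package manager owns and verifies clean (rpm -V or debsums) is a false positive, while a hit in an unowned file under the web root is the classic drop location for a shell. The systemd check deliberately matches the whole Exec line, so a unit that launches /bin/sh -c with a payload in /dev/shm is caught even though the executable itself is legitimate.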


Technical Details

Threat Level: 4 (MISP scale: 1 high, 2 medium, 3 low, 4 undefined)
Analysis: 0 (MISP analysis state: initial)
Original Timestamp: 1729163268 (2024-10-17 11:07:48 UTC)

Threat ID: 682acdbebbaf20d303f0c168

Added to database: 5/19/2025, 6:20:46 AM

Last enriched: 7/2/2025, 8:26:05 AM

Last updated: 8/12/2025, 6:42:38 PM


