Sandworm in French software supply chain. DPRK hacked COVID vaccine providers? Iran’s Static Kitten active against UAE targets.
France's information security agency ANSSI said yesterday that they’d determined a Russian threat actor has been active against French targets from 2017 to 2020. ANSSI didn’t flatly say which group was responsible, but it did note, according to Reuters, that similar tactics, techniques, and procedures had been seen in use by Sandworm, also known as Voodoo Bear, an operation belonging to Russia’s GRU military intelligence service. ANSSI has also made a detailed technical report available: the attackers dropped backdoors as webshells in their targets.
The operation appears to have been another software supply chain attack, with the attackers working their way in through Centreon products used for IT monitoring. ANSSI didn’t say how many victims there had been, but the agency indicated that most of them were IT services firms, “especially web hosting providers.” The similarities to the SolarWinds campaign in the US seem obvious. There’s no informed official conjecture about the campaign's goals, but WIRED quotes industry experts as observing that Sandworm has a track record of disruption.
A member of South Korea’s parliamentary intelligence committee told Reuters that he’d been briefed on an attempt by North Korean operators to breach Pfizer and steal information on the company’s COVID-19 vaccine development. The apparent motive was financial—Pyongyang is looking to its criminal revenue stream, not to public health.
Anomali reports a Static Kitten sighting. The Iranian threat group appears to target government agencies in the United Arab Emirates, phishing them with the goal of installing ScreenConnect remote access tools.
Gloss