Jürgen Fälchle - stock.adobe.c

Security firm Stormshield loses source code in cyber attack

Source code from two products developed by French cyber security firm was compromised in a December 2020 incident

France-based cyber security firm Stormshield has revealed a leak of source code from its Stormshield Network Security and Network Security Industrial Firewall products following a cyber attack that saw malicious actors gain unauthorised access to a technical portal used by customers and partners to manage tech support tickets.

The incident, understood to have occurred in December 2020, also saw the personal data and technical exchanges associated with a number of customer accounts accessed and viewed, and possibly stolen. All the affected users have already been contacted.

The firm has also notified the French authorities, reset all its account passwords, and strengthened security across its support portal. It has also shored up security on its Stormshield Institute portal, which customers use to access training courses.

Stormshield is also replacing all certificates on the SNS product and has made updates available to customers and partners so that their installations can continue to work.

“Companies like Stormshield, that provide cyber security solutions against the explosion of cyber threats, would appear to be a new target for highly prepared and experienced attackers,” the firm said in a statement. “We will continue to bring visibility on this incident, depending on the elements that we are able to communicate.”

Contacted by Computer Weekly’s sister title LeMagIT, Stormshield CEO Pierre-Yves Hentzen said the firm’s investigation had identified several advanced techniques used in the attack, suggesting it was targeted and had been carefully prepared. He said only 2% of customer accounts were affected in the incident – 200 out of more than 10,000.

To date, the forensic investigation has uncovered no trace of any modification to the SNS source code, he added.

France’s Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) confirmed it was working alongside Stormshield to address the two linked incidents.

“It is essential that each customer conducts an impact analysis accordingly, and although the incident has no immediate operational impact for its customers, Stormshield has published an update that we recommend you apply as a precaution,” the agency said.

“Moreover, for the duration of the investigations and also as a precautionary measure, ANSSI has decided to place the qualifications and approvals of SNS and SNI products under observation.”

Read more about attacks on security firms

  • Investigators at SolarWinds are exploring multiple theories as to how the company’s systems were compromised.
  • Mimecast’s investigation into a January 2021 breach of its systems turns up evidence that the culprit was the same group that targeted SolarWinds in December.
  • SonicWall’s internal systems were breached, and the company is investigating its Secure Mobile Access (SMA) 100 series, a remote access product for SMBs, as a possible vector.

Stormshield is the latest in a string of cyber security companies to have been compromised in a chain of incidents.

Also, as a major supplier of security products and services to the French government, this attack raises the possibility that the intrusion may have been part of a wider cyber espionage campaign, although this is unconfirmed.

Comparitech’s Paul Bischoff said this was certainly a possibility that needed to be considered. “Given this was an attack on a government security system and hackers inspected source code, it does not appear to be your typical data thieves looking for low-hanging fruit. The attack could have well been state-sponsored,” he told Computer Weekly in emailed comments.

“All cyber attacks are concerning, but those against cyber security companies are particularly worrying. This attack will no doubt damage Stormshield’s reputation and future prospects, but time will tell if the French government actually decides to replace Stormshield or stick with it.”

Chris Hauk, consumer privacy champion at Pixel Privacy, added: “Attacks like these are particularly concerning, as they may have originated from state-sponsored bad actors. 

“The fact that the attack was against a group that provides security services and network security devices to the French government, and that the attackers stole parts of the source code used in a firewall product used by the French government, suggests to me that the attack might have been state-sponsored.

“Also, in many cases like this, a hacker group will publicly claim responsibility for the breach. However, so far all well-known groups are staying quiet.”

Read more on Hackers and cybercrime prevention