Hackers Steal Source Code of Stormshield Firewall Products

Stormshield, one of the leading French cybersecurity firms, has announced that it suffered a cyberattack in which the attackers gained access to its support ticket system and stole some of the source code of two of its firewall products.

Stormshield provides cybersecurity solutions such as unified threat management (UTM) firewall devices, secure file management solutions, and endpoint protection solutions to French enterprises, European SMBs, and the French government and military. Some of the solutions provided by Stormshield have the highest security certification from France’s Agence nationale de la sécurité des systèmes d’information (ANSSI).

The security breach is understood to have occurred in December 2020 and saw the attackers gain access to the technical portal used to provide support to customers and partners and manage tech support tickets. Through the portal the attackers were able to access technical exchanges about its products and view personal data and technical information about certain accounts. Around 2% of customer accounts were affected – approximately 200 customers.

When the breach was discovered, a password reset was performed, and further measures were taken to ensure the security of the portal. Affected customers and French authorities have been notified and the French government has been assisting with the investigation.

Further investigation of the incident revealed the hackers accessed some of the source code for the Stormshield Network Security firewall and its Network Security Firewall, although a review of the code confirmed that no alterations had been made and none of the Stormshield products have been compromised. Further details on the nature of the attack will be withheld while the investigation continues.

With access to the source code used by the company’s UTM devices, it will be much easier for the hackers to identify flaws and exploit them to gain access to the devices. Stormshield anticipates making significant changes to its source code signing certificate to ensure the integrity of future firmware releases and updates. Stormshield has already made updates available to its customers so that their products will continue to work with the new certificate.

The Stormshield attack is the latest in a string of attacks on cybersecurity vendors. Conducting attacks on cybersecurity firms may be difficult but the potential rewards are considerable, as they can give the attackers access to the networks of the company’s clients, which often include extremely high value targets such as large enterprises, government agencies, and the military.

The Stormshield attack follows the supply chain attack on SolarWinds, which allowed the hackers to gain access to government agencies and the networks of cybersecurity firms FireEye, Mimecast, and Malwarebytes. SonicWall has also recently confirmed it was attacked through a now-patched zero-day vulnerability. Palo Alto Networks and CrowdStrike have also said they were targeted, although in both cases the attacks were unsuccessful.

These attacks are typically sophisticated and labor-intensive, and the attackers behind them are highly professional. Given their nature, they are conducted by well-resourced, highly skilled threat groups and are most likely state-sponsored.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news