- French cybersecurity solutions provider ‘Stormshield’ suffered a security and data breach.
- The actors accessed customer portal data and also exfiltrated parts of product source code.
- The firm has taken all possible precautionary measures and is now carrying out an investigation.
‘Stormshield’ has announced a security incident that resulted in unauthorized access to its technical portal, exposing the support tickets submitted by its customers and partners. These tickets, unfortunately, also contained sensitive personal and technical data.
The French company, a subsidiary of Airbus, has responded by notifying the country’s authorities and resetting all user passwords as a precaution. Customers affected by this incident should have already received a personal notification, and additional preventive measures have been put in place on Stormshield’s customer portal.
The cybersecurity solutions and software provider launched an investigation to figure out what was compromised, and found that some parts of the SNS (Stormshield Network Security) product source code were exfiltrated. However, the firm assures the public that there’s no evidence of code modification that could have gone downstream to clients, so the possibility of a catastrophic supply chain attack has been ruled out for now.
The SNS trusted certificates have now been revoked, and the firm has replaced them with new ones. This is to prevent malicious updates from planting backdoors on clients’ systems. Considering that the firm’s clientele includes the French state as well as high-profile EU-based companies, applying all precautions that make sense is crucial. France’s National Information Systems Security Agency has also published a relevant advisory, urging all Stormshield product users to take the appropriate measures now.
We have seen no signs of the source code leaking on the dark web yet, and it’s quite likely that we won’t see this happening any time soon. This attack appears to be the work of highly sophisticated, possibly state-supported actors, as the targeting is at the highest level. These hackers aren’t interested in selling stuff on the dark web; their motive is to collect information, not to make money.
At the moment, Stormshield keeps all its systems up and running, so customers shouldn’t experience any disruptions. As a spokesperson stated, only about 2% of customer accounts were affected by this incident, which amounts to about 200 in absolute numbers. That’s still significant when we’re talking about government accounts, but since it’s still early in the investigation, we can’t determine this event’s significance just yet.