Hackers steal StormShield firewall source code in data breach

Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for Stormshield Network Security firewall software.

StormShield is a French cybersecurity firm that develops UTM (Unified Threat Management) firewall devices, endpoint protection solutions, and secure file management solutions.

StormShield's SNi40 is the only industrial firewall to receive First Level Security Certification (CSPN) from France's Agence nationale de la sécurité des systèmes d'information (ANSSI).

StormShield discloses a data breach

In a new security advisory released today, StormShield disclosed that their technical portal used as a support ticket system had been breached and may have allowed threat actors to review technical exchanges.

"Recently, the Stormshield teams detected a security incident that resulted in an unauthorized access to a technical portal used, in particular, by our customers and partners for the management of their support tickets on our products."

"Personal data and technical exchanges associated with certain accounts may have been consulted. We immediately alerted the account owners on the portal and we notified the French authorities. As a precaution, the passwords of all accounts were reset and we applied additional measures to the portal in order to reinforce its security."

"All the support tickets and technical exchanges in the accounts concerned have been reviewed and the results have been communicated to the customers," StormShield disclosed in the security advisory.

StormShield discovered that threat actors accessed some of the source code for their SNS (Stormshield Network Security) source code during the attack after further investigation. Their investigations do not indicate that the source code has been modified.

"Further investigations in the context of this incident have revealed the leakage of some parts of the SNS (Stormshield Network Security) source code. This information has also been communicated to our customers," StormShield warned its customers.

As the Stormshield Network Security (SNS) firmware powers the company's UTM firewalls, the leak of the company's source code may make it easier for threat actors to find bugs that attackers can use to exploit the devices. This leak is particularly concerning as StormShield SNS devices are commonly used by the French government, defense agencies, and the European SMB market.

To be safe, StormShield anticipates changing the code signing certificate used to ensure the integrity of the SNS (Stormshield Network Security) firmware releases and updates.

After being informed about the attack, ANSSI released a security advisory where they state that they have "decided to place the qualifications and approvals of SNS and SNI products under observation."

BleepingComputer has contacted StormShield with questions about the attack.