SonicWall Firewall Backups Stolen by Nation-State Actor

Dark Reading (published 6 days ago, updated 4 days ago)

The network security vendor said the MySonicWall breach was unrelated to the recent wave of Akira ransomware attacks targeting the company's devices.

November 6, 2025

The recent breach of a SonicWall cloud backup service, in which attackers stole firewall configuration files, was the work of an unnamed nation-state threat actor.

In September, SonicWall disclosed that a threat actor had breached a cloud environment for the MySonicWall backup service for the company's firewalls. At the time, the network security vendor said the breach stemmed from "a series of brute force attacks" and that the threat actor had accessed firewall configuration data for fewer than 5% of SonicWall customers.

Last month, however, SonicWall acknowledged that the breach was worse than the company initially thought. An incident response investigation conducted with Google Cloud's Mandiant revealed that the attackers had in fact "accessed firewall configuration backup files for all customers who have used SonicWall's cloud backup service."

In a blog post this week, SonicWall closed the book on the investigation, though some questions about the attack remain. "The Mandiant investigation is now complete," the company said in the post. "Their findings confirm that the malicious activity — carried out by a state-sponsored threat actor — was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call."

SonicWall said the breach "is unrelated to ongoing global Akira ransomware attacks on firewalls and other edge devices." The ransomware gang has been targeting SonicWall VPNs for several weeks. It remains unclear who the nation-state actors are and how they breached the cloud backup service.

In a video that accompanied the blog post, SonicWall president and CEO Bob VanKirk said the intrusion was limited to the company's firewall cloud backup service, where firewall configuration data is stored "in a specific cloud bucket."

"There was no impact to any SonicWall product, firmware, source code, or production network, or to any customer data or other SonicWall system," VanKirk said.

While SonicWall said the breach stemmed from an API call, the company did not specify which API the attackers abused or how they did so. It is unclear whether the API lacked authentication, whether a key was exposed, or whether the state-sponsored threat actors compromised the API through a vulnerability or other means. Dark Reading asked SonicWall several questions about the API, but the company did not address them. A SonicWall spokesperson did tell Dark Reading that the attack vector was "immediately mitigated," which Mandiant confirmed. The spokesperson also said that SonicWall and Mandiant found no evidence that the stolen firewall backup data has been used by threat actors.

The SonicWall breach is the latest example of attackers leveraging APIs for malicious activity. Experts have warned about the growing number of exposed secrets such as API keys, which threat actors can obtain from code repositories, development tools, and other resources. Additionally, attackers can access APIs as paying customers and abuse them in ways that companies may not have anticipated.
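The article states two concrete facts about the intrusion: it began with "a series of brute force attacks," and it ended with backup files for every customer of the service being read "using an API call." Both leave a footprint in the API access log of the backup service, whatever the exact API was. The following is an added example (not code from the original article or from SonicWall) that runs two detections over a constructed log excerpt in a hypothetical format: a successful authentication from a source IP that was preceded by a burst of failures, and a single principal downloading backups for many distinct tenants within a short window. The log format, field names, principal and tenant identifiers, and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample access log for a hypothetical cloud backup API. This is
# not real SonicWall or MySonicWall log data; the format is assumed.
# Fields: timestamp, source IP, principal, action, HTTP status, tenant ("-" if none).
SAMPLE_LOG = """\
2025-09-10T02:00:01Z 203.0.113.7 backup-api auth 401 -
2025-09-10T02:00:09Z 203.0.113.7 backup-api auth 401 -
2025-09-10T02:00:17Z 203.0.113.7 backup-api auth 401 -
2025-09-10T02:00:26Z 203.0.113.7 backup-api auth 401 -
2025-09-10T02:00:34Z 203.0.113.7 backup-api auth 401 -
2025-09-10T02:00:41Z 203.0.113.7 backup-api auth 401 -
2025-09-10T02:00:50Z 203.0.113.7 backup-api auth 200 -
2025-09-10T02:01:02Z 203.0.113.7 backup-api download 200 tenant-001
2025-09-10T02:01:05Z 203.0.113.7 backup-api download 200 tenant-002
2025-09-10T02:01:08Z 203.0.113.7 backup-api download 200 tenant-003
2025-09-10T02:01:11Z 203.0.113.7 backup-api download 200 tenant-004
2025-09-10T02:01:14Z 203.0.113.7 backup-api download 200 tenant-005
2025-09-10T08:15:00Z 198.51.100.20 alice@tenant-010 auth 401 -
2025-09-10T08:15:20Z 198.51.100.20 alice@tenant-010 auth 200 -
2025-09-10T08:16:00Z 198.51.100.20 alice@tenant-010 download 200 tenant-010
2025-09-10T09:30:00Z 192.0.2.9 bob@tenant-022 auth 200 -
2025-09-10T09:31:00Z 192.0.2.9 bob@tenant-022 download 200 tenant-022
2025-09-10T09:45:00Z 192.0.2.9 bob@tenant-022 download 200 tenant-022
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<principal>\S+) (?P<action>auth|download) "
    r"(?P<status>\d{3}) (?P<tenant>\S+)$"
)


def parse_log(text):
    """Parse the assumed line format into time-ordered event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line must not crash the detector
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["status"] = int(rec["status"])
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP whose successful auth follows >= threshold failures inside the window."""
    failures = defaultdict(deque)  # src -> timestamps of recent failed auths
    alerts = []
    for e in events:
        if e["action"] != "auth":
            continue
        q = failures[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        if e["status"] == 200:
            if len(q) >= threshold:
                alerts.append({"src": e["src"], "failures": len(q), "success_at": e["ts"]})
            q.clear()  # a success resets the burst for this source
        else:
            q.append(e["ts"])
    return alerts


def detect_bulk_tenant_access(events, min_tenants=3, window=timedelta(minutes=30)):
    """Flag a principal that downloads backups for >= min_tenants distinct tenants inside the window."""
    recent = defaultdict(deque)  # principal -> (ts, tenant) of recent successful downloads
    alerts = {}
    for e in events:
        if e["action"] != "download" or e["status"] != 200:
            continue
        q = recent[e["principal"]]
        q.append((e["ts"], e["tenant"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        tenants = {t for _, t in q}
        if len(tenants) >= min_tenants:
            prev = alerts.get(e["principal"])
            if prev is None or len(tenants) > prev["tenants"]:
                alerts[e["principal"]] = {"principal": e["principal"], "tenants": len(tenants), "last_seen": e["ts"]}
    return list(alerts.values())


def run(text=SAMPLE_LOG):
    """Run both detections over a log excerpt and return the alerts by kind."""
    events = parse_log(text)
    return {"brute_force": detect_brute_force(events), "bulk_access": detect_bulk_tenant_access(events)}


if __name__ == "__main__":
    for kind, found in run().items():
        for alert in found:
            print(kind, alert)
```

The thresholds are deliberately low so the constructed sample fires; in production they are tuned against a baseline of normal failure rates and per-principal tenant counts. Of the two checks, the cross-tenant one is the more important: a principal that authenticates cleanly on the first try but reads backups across tenants is exactly the footprint an exposed or over-scoped API key would leave, and it is the check that would still fire when no brute-force phase is visible at all.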
In one recently documented case, a threat actor used an OpenAI Assistants API for command-and-control (C2) communications for a backdoor that researchers dubbed "SesameOp."

Like other edge device manufacturers, SonicWall has become a popular target for a variety of threat actors in recent years, from nation-state actors to cybercrime gangs.

"SonicWall has taken all current remediation actions recommended by Mandiant and will continue working with Mandiant and other third parties for ongoing hardening of our network and cloud infrastructure," the company said in the blog post. The company added that it launched two security initiatives earlier this year to strengthen its defenses. The first is a broad Secure by Design effort covering the company's product line and cloud operations. Second, SonicWall "doubled down on our commitment to a zero-trust architecture framework" to improve internal security practices and infrastructure defenses, VanKirk said.

SonicWall also took the opportunity to tout its results in a recent firewall efficacy test conducted by NetSecOpen. The company proclaimed that it was "the only firewall vendor to achieve a 100% block rate across every test category — public CVEs, private CVEs, malware, and evasion techniques — for the second consecutive year."

Despite these results, the pattern of attacks and exploited vulnerabilities against the company's customers in recent years has raised concern in the cybersecurity industry. For example, some cyber insurance carriers have begun charging higher premiums to customers with certain products in their technology stacks that they deem higher risk, such as SonicWall edge devices.

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist.
Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.

Source: This article was originally published on Dark Reading
