🔴 HIGH breach

SonicWall Firewall Breach - State Actor Hits Cloud Backups

SonicWall has confirmed that state-sponsored threat actors breached its MySonicWall cloud backup service and accessed configuration (preference) files for every firewall that used the cloud backup feature, a far larger population than the "under 5%" of customers cited in the initial disclosure. Mandiant's completed investigation found the intrusion was limited to unauthorized retrieval of cloud backup files from one specific cloud environment via an API call; SonicWall products, firmware, tools, source code and customers' internal networks were not directly affected.

The incident first surfaced in September, when SonicWall urged credential resets after detecting that preference files tied to MySonicWall accounts had been accessed. By October the company acknowledged that the attackers had used an API path to pull configuration backups for all firewalls enrolled in the cloud backup service.

Why this matters: the stolen files contain device configurations and encrypted credentials. Network topology, VPN settings, policy rules and credential material give a state-sponsored actor what it needs to craft bespoke intrusion paths into specific customer environments. The credential material is encrypted, but it is not useless to an attacker: the rest of the configuration is readable, and any secret that is recovered from it stays valid until it is rotated. Mandiant confirmed the intrusion is unrelated to the ongoing Akira ransomware campaign against SonicWall SSL VPN devices.

The case shows how the compromise of a security vendor's cloud backup service cascades into systemic risk for thousands of downstream organizations, particularly SMBs and managed service provider customers that depend on SonicWall for perimeter protection.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: The SonicWall breach demonstrates how compromise of a security vendor's cloud backup service can cascade into systemic risk for thousands of downstream organizations, particularly SMBs and managed service provider customers that depend on SonicWall for perimeter protection. Stolen configurations and credentials can translate into quiet, high-confidence access to internal networks over time, because the attacker already knows the rules, the VPN settings and the accounts before making a first connection attempt.

Technical Context: The attackers used an API path into one specific SonicWall cloud environment to exfiltrate firewall backup files; product source code and customers' on-premises devices were not touched directly. Encrypted but reusable credential data, combined with detailed knowledge of network policies and VPN settings, gives state-sponsored actors a strong foundation for subsequent exploitation of SonicWall-managed edges.

⚡ Strategic Intelligence Guidance

  • Mandate immediate rotation of every credential referenced in any firewall configuration that was held in MySonicWall cloud backup: administrative and local user passwords, VPN pre-shared keys, and any other secret the configuration carries, such as LDAP/RADIUS shared secrets and SNMP community strings. Rotate secrets behind internet-facing services (SSL VPN, IPsec) first.
  • Reduce management exposure: disable HTTPS/SSH management on internet-facing interfaces wherever possible, restrict any remaining management access to known source addresses, and enforce MFA on every remaining remote access path, including SSL VPN.
  • Ship SonicWall syslog and configuration change events to centralized monitoring, and alert on administrator logins from unexpected sources, access rule additions or modifications outside change windows, new user or VPN policy creation, and configuration imports.
  • Use SonicWall's updated device impact and assessment tooling to confirm which firewalls were affected, prioritise the ones with active internet-facing services, and fold the vendor guidance into broader third-party risk management processes.
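Detection logic for the monitoring bullet, as an added example that is not SonicWall's or the page's own tooling. It parses syslog lines in the key=value form SonicOS emits (id=firewall sn=... time=... fw=... m=... msg=...) and flags configuration changes and administrator logins that arrive over a WAN interface or from outside an assumed management network. The sample lines, serial number, addresses, message IDs and message texts are constructed for the example; the trusted management network (10.0.5.0/24) and the WAN interface name (X1) are assumptions to tune for a real deployment.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Assumptions for this example: where admins are expected to log in from, and
# which SonicOS interface faces the internet (X1 is conventionally WAN).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
WAN_INTERFACES = {"X1"}

# Message texts treated as management-plane events. Constructed for the
# example; map them to the message IDs (m=...) your firmware actually emits.
CONFIG_CHANGE_PATTERN = re.compile(
    r"(access rule (added|modified|deleted)|user (added|modified|deleted)|"
    r"configuration (changed|imported|restored)|vpn policy (added|modified|deleted))",
    re.IGNORECASE,
)
ADMIN_LOGIN_PATTERN = re.compile(r"administrator login", re.IGNORECASE)

# Constructed sample syslog lines (serial, IPs and message IDs are made up).
SAMPLE_LOGS = [
    'id=firewall sn=18B169000000 time="2025-10-15 09:12:01 UTC" fw=203.0.113.10 pri=6 m=1001 msg="Administrator login allowed" usr="admin" src=10.0.5.20:51544:X0 dst=10.0.5.1:443:X0',
    'id=firewall sn=18B169000000 time="2025-10-15 09:13:40 UTC" fw=203.0.113.10 pri=5 m=1002 msg="Access rule added" usr="admin" src=10.0.5.20:51544:X0 rule="Allow any WAN->LAN"',
    'id=firewall sn=18B169000000 time="2025-10-15 23:41:07 UTC" fw=203.0.113.10 pri=6 m=1001 msg="Administrator login allowed" usr="admin" src=198.51.100.77:40211:X1 dst=203.0.113.10:443:X1',
    'id=firewall sn=18B169000000 time="2025-10-15 23:42:15 UTC" fw=203.0.113.10 pri=5 m=1003 msg="Access rule modified" usr="admin" src=198.51.100.77:40211:X1 rule="Allow any WAN->LAN"',
    'id=firewall sn=18B169000000 time="2025-10-15 23:43:02 UTC" fw=203.0.113.10 pri=5 m=1004 msg="User added" usr="admin" src=198.51.100.77:40211:X1 newuser="svc-backup"',
    'id=firewall sn=18B169000000 time="2025-10-16 08:00:00 UTC" fw=203.0.113.10 pri=6 m=2001 msg="Connection Opened" src=10.0.5.31:50222:X0 dst=93.184.216.34:443:X1',
]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Event:
    fields: dict          # raw key -> value map from the syslog line
    src_ip: Optional[IPAddress]
    src_iface: Optional[str]


@dataclass
class Alert:
    severity: str
    reason: str
    event: dict


def parse_line(line: str) -> Event:
    """Parse one key=value syslog line (quoted values allowed) into an Event."""
    fields = {}
    for token in shlex.split(line):           # shlex keeps time="... ..." as one token
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        fields[key] = value
    src_ip = src_iface = None
    src = fields.get("src")
    if src:
        parts = src.split(":")                # SonicOS style: ip:port:interface
        try:
            src_ip = ipaddress.ip_address(parts[0])
        except ValueError:
            src_ip = None
        if len(parts) >= 3:
            src_iface = parts[2]
    return Event(fields, src_ip, src_iface)


def is_trusted_source(ev: Event) -> bool:
    """Management traffic is trusted only from a non-WAN interface and a known net."""
    if ev.src_iface in WAN_INTERFACES or ev.src_ip is None:
        return False
    return any(ev.src_ip in net for net in TRUSTED_MGMT_NETS)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return alerts for config changes and admin logins worth a SOC's attention."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        msg = ev.fields.get("msg", "")
        is_change = bool(CONFIG_CHANGE_PATTERN.search(msg))
        is_login = bool(ADMIN_LOGIN_PATTERN.search(msg))
        if not (is_change or is_login):
            continue                           # data-plane noise, ignore
        trusted = is_trusted_source(ev)
        if is_change and not trusted:
            alerts.append(Alert("high", "config change from untrusted source: " + msg, ev.fields))
        elif is_login and not trusted:
            alerts.append(Alert("high", "admin login from untrusted source: " + msg, ev.fields))
        elif is_change:
            # Trusted source, but every config change still needs a change ticket.
            alerts.append(Alert("medium", "config change, verify against change record: " + msg, ev.fields))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a.severity.upper(), a.event.get("time"), a.event.get("src"), a.reason)
```

The rule set is deliberately small: a WAN-side admin login followed by a rule change and a new local user is exactly the sequence an actor holding a stolen configuration would produce, and the interface suffix on `src` is often a more reliable discriminator than the address itself when management is reachable through NAT.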

Vendors

SonicWall, Mandiant

Threats

State-sponsored hackers, Cloud backup data theft

Targets

SonicWall firewall customers, MySonicWall cloud backup users

Impact

Data Volume: All firewalls using the MySonicWall cloud backup service