
State Actor Behind SonicWall Cloud Backup Hack

Summary

– Mandiant identified a state-sponsored threat actor as responsible for the SonicWall cloud backup service hack, though the specific nation was not disclosed.
– The breach was limited to unauthorized access of cloud backup files via an API call and is unrelated to Akira ransomware attacks on firewalls and edge devices.
– Attackers used brute-force methods to access the service; although the impact was initially thought to be limited to a small percentage of customers, all backup files were ultimately found to have been accessed.
– Encrypted credentials and secrets in the files were secure, but non-encrypted information could aid attackers in exploiting related firewalls.
– SonicWall advised affected customers to disable various network access methods and reset passwords, keys, and tokens to enhance security.

Investigators from Mandiant have concluded their analysis of the recent SonicWall cloud backup service intrusion, identifying the responsible party as a state-sponsored threat actor. While the specific country behind the attack was not revealed, the findings point to a sophisticated, nation-state level operation. According to an official statement from SonicWall, the security incident was confined to the unauthorized retrieval of cloud backup files from one particular cloud environment through an API call. The company emphasized that this event is separate from the widespread Akira ransomware campaigns currently targeting firewalls and various edge devices globally.

SonicWall has confirmed that its core products, firmware, internal networks, development tools, source code, and customer infrastructures were not compromised during this breach. The situation came to light in early September 2025 when the security team observed unusual activity involving the downloading of firewall configuration backups. By September 17, SonicWall publicly disclosed that intruders had gained access to its cloud backup service using brute-force techniques.

Initially, the company believed only a limited number of firewall customers were impacted. However, further investigation revealed that all backup files stored in the service had been accessed. Although credentials and secrets within these files were encrypted, and likely remain secure, SonicWall cautioned that any unencrypted data could assist attackers in exploiting the firewalls associated with the compromised configurations.

In response, SonicWall has issued detailed guidance to affected users. Recommendations include disabling or limiting WAN access for HTTP/HTTPS and SSH management, along with SSL VPN, IPsec VPN, and SNMP services. The company also advised restricting inbound WAN access to internal services that are permitted via NAT or Access Rules. Additionally, customers are urged to reset all passwords, re-enroll Time-based One-Time Password (TOTP) for every user, replace cryptographic keys, reset API tokens, and generate fresh Identity and Access Management (IAM) keys before updating them in SonicWall's system settings.

SonicWall has not shared information regarding when the brute-force attacks commenced or the duration it took for the suspicious activity to be detected.

(Source: HelpNet Security)
