SonicWall fingers state-backed cyber crew for September firewall breach

Summary

SonicWall says a state-sponsored group accessed firewall configuration backups stored in its MySonicWall cloud backup service in September. The vendor initially estimated fewer than 5% of devices were affected but later confirmed every customer using the cloud backup feature had files accessed.

SonicWall engaged Mandiant to investigate and concluded the intrusion was limited to the cloud-based backup service, reached via an API call. The company says its products, firmware, source code and customer networks were not impacted, and the incident is unrelated to the Akira ransomware campaigns.

CEO Bob VanKirk described the attackers as nation-state–backed and said SonicWall has applied all Mandiant-recommended remediations while continuing its “Secure by Design” improvements to cloud and product security.

Key Points

  • State-sponsored threat actors accessed MySonicWall cloud-stored firewall configuration backups in September.
  • Intruders used an API call to download backup files from a specific cloud environment.
  • SonicWall first downplayed scope but later confirmed all customers using the backup feature were affected.
  • Mandiant led the investigation; SonicWall says products, firmware, source code and customer networks were not compromised.
  • The incident is distinct from Akira ransomware activity that targets edge devices and firewalls.
  • SonicWall has implemented Mandiant’s remediation steps and is pursuing a “Secure by Design” modernisation drive.
  • No nation or known threat group has been publicly attributed by SonicWall so far.

Context and relevance

This story matters because it highlights a growing tactic: nation-state actors targeting the defensive supply chain and supporting cloud services rather than just attacking end customers. Backups and management APIs are high-value targets — compromise here gives visibility into many deployed devices without touching device firmware.

For organisations and MSPs that rely on vendor cloud backup services, the incident underlines the need to audit API access controls, rotate credentials, enforce least privilege and monitor backup environments. It also reinforces broader trends in geopolitically motivated cyber operations hitting security infrastructure and service providers.

Why should I read this?

Because if you run SonicWall kit, manage firewall backups, or look after SMBs that do, this is literally your problem — spies nicked backups, not just script kiddies. Read it to know the scope (backups only, apparently), what SonicWall and Mandiant say they fixed, and which immediate actions you should take: check your MySonicWall backup status, rotate API keys/credentials, verify recovery integrity and ask your vendor for logs and mitigations.

Author style

Punchy — the report cuts to the chase and stresses why this matters. Given the nation-state angle, it’s worth reading in full if you handle network security or vendor risk.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/06/sonicwall_fingers_statebacked_cyber_crew/