SonicWall has confirmed that a state-sponsored hacking group was responsible for the SonicWall hack discovered in September, which led to the theft of firewall configuration files stored in its cloud backup environment. The cybersecurity firm says the stolen files contain encrypted credentials and sensitive configuration data that could be used in future targeted attacks.
Back in mid-September, SonicWall disclosed that attackers had accessed less than 5% of customer backup files. However, in an updated statement released on October 8, the company revised that figure, revealing that all firewall preference files stored in its cloud backup system were compromised. This revelation marks one of the most serious security breaches in SonicWall’s history, underscoring how even seasoned cybersecurity vendors can fall victim to state-backed cyber espionage campaigns.
According to SonicWall, the stolen backup files contain firewall configuration settings and encrypted credentials; if those credentials are not reset, the files could be used to plan and carry out intrusions into customer networks. The company urged all users to log in to MySonicWall.com immediately, check whether any of their firewalls are listed as having cloud backups, and follow the password-reset and containment procedures set out in its mitigation guide.
Security experts note that while encrypted credentials are not immediately usable, the breach still presents significant risk. Attackers with state-level capabilities have the computing resources and time to attempt offline decryption or password cracking, and can pair the rest of the configuration data with credentials exposed in earlier leaks.
To respond to the incident, SonicWall enlisted cybersecurity firm Mandiant, now part of Google Cloud, to conduct a full forensic investigation. Mandiant has since completed its review, confirming that the malicious activity was carried out by a state-sponsored threat actor who used an API call to access the cloud backup environment.
SonicWall said the activity was isolated to unauthorized access of backup files from a specific cloud environment using an API call, adding that no other SonicWall systems, tools, firmware, or customer networks were compromised.
The company clarified that the incident is unrelated to the recent wave of Akira ransomware attacks targeting SonicWall firewalls and other network devices. Those ransomware intrusions have been spreading across enterprises and public institutions globally, exploiting exposed VPN services. SonicWall reiterated that the incident did not impact its products or firmware, nor were any of its systems, source code, or customer networks disrupted or compromised.
The firm added that it has implemented all remediation measures recommended by Mandiant and is continuing to harden its network and cloud infrastructure with assistance from third-party security specialists.
In the wake of the SonicWall hack, the company has advised customers to take immediate steps to secure their environments. This includes reviewing all device backups, resetting passwords, rotating keys, and updating configurations to prevent further compromise.
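The rotation step is easy to under-scope, because a firewall configuration carries secrets that other systems also hold: a VPN pre-shared key exists on the peer gateway, a RADIUS shared secret on the RADIUS server, an LDAP bind password in the directory. Changing them only on the firewall breaks the service without closing the exposure. The script below is an added example, not SonicWall's tooling and not its preference-file format; it assumes a hypothetical key=value export (the sample is constructed inline) and builds a rotation checklist that records how each secret is stored and where else it has to be changed.

```python
import re
from collections import Counter

# Constructed sample in a hypothetical key=value export style. It is NOT SonicWall's
# preference-file format; it only stands in for "a firewall config that embeds credentials".
SAMPLE_EXPORT = """\
hostname=edge-fw-01
admin_user=admin
admin_password_hash=$6$c0nstructed$9k2QexampleHashValueOnly
vpn_ipsec_1_name=hq-to-branch
vpn_ipsec_1_peer=203.0.113.10
vpn_ipsec_1_psk=ENC:k2Jd8fQ1vN
vpn_ipsec_2_name=hq-to-cloud
vpn_ipsec_2_peer=198.51.100.7
vpn_ipsec_2_psk=ENC:Lq91abT7wX
ldap_server=ldap.corp.example
ldap_bind_dn=cn=fwbind,ou=svc,dc=corp,dc=example
ldap_bind_password=ENC:zz81MnOp4r
snmp_community_ro=public
radius_server=10.0.0.5
radius_shared_secret=ENC:Hp33QrSt9u
ntp_server=pool.ntp.org
"""

# (key pattern, secret type, where the same secret also lives and must be rotated)
SECRET_RULES = [
    (re.compile(r"password_hash$"), "local admin password",
     "this device only; the hash can be cracked offline"),
    (re.compile(r"^vpn_ipsec_(\d+)_psk$"), "IPsec pre-shared key",
     "remote VPN peer"),
    (re.compile(r"bind_password$"), "LDAP bind account password",
     "the directory service account"),
    (re.compile(r"^snmp_community"), "SNMP community string",
     "every SNMP manager that polls this device"),
    (re.compile(r"shared_secret$"), "RADIUS shared secret",
     "the RADIUS server's client entry for this firewall"),
]


def parse_export(text):
    """Parse the hypothetical key=value export into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def storage_form(value):
    """Classify how a secret appears in the export: plaintext is usable immediately."""
    if value.startswith("ENC:"):
        return "encrypted"
    if value.startswith("$"):          # crypt(3)-style hash prefix
        return "hashed"
    return "plaintext"


def rotation_plan(text):
    """Return one finding per credential-bearing key, plaintext exposures first."""
    cfg = parse_export(text)
    plan = []
    for key, value in cfg.items():
        for pattern, secret_type, counterparty in SECRET_RULES:
            match = pattern.search(key)
            if not match:
                continue
            # A PSK must change on both ends; pull the peer address from the sibling key.
            if secret_type == "IPsec pre-shared key":
                peer = cfg.get(f"vpn_ipsec_{match.group(1)}_peer", "unknown peer")
                counterparty = f"remote VPN peer {peer}"
            plan.append({
                "key": key,
                "type": secret_type,
                "stored_as": storage_form(value),
                "also_rotate_at": counterparty,
            })
            break
    # Plaintext secrets are usable the moment the file is read; handle them first,
    # then encrypted values (recoverable if the key is obtained), then hashes.
    order = {"plaintext": 0, "encrypted": 1, "hashed": 2}
    plan.sort(key=lambda f: order[f["stored_as"]])
    return plan


def summarize(plan):
    """Count findings by secret type, a quick way to size the rotation effort."""
    return Counter(f["type"] for f in plan)


if __name__ == "__main__":
    for f in rotation_plan(SAMPLE_EXPORT):
        print(f"{f['stored_as']:<10} {f['key']:<24} {f['type']:<28} -> also rotate at: {f['also_rotate_at']}")
```

Against the constructed export the plan lists six secrets, with the plaintext SNMP community first and the admin password hash last; the two IPsec PSKs each carry the peer address that has to be updated at the same time. The rule table is the part to adapt to a real export: every key pattern that holds a credential in your format gets a row naming its counterparty.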
The advisory comes amid a related, but separate, warning from cybersecurity firm Huntress in mid-October. Huntress reported a widespread campaign targeting SonicWall SSL VPN accounts, where attackers were using valid credentials to breach corporate networks across multiple industries.
Although Huntress stated that these VPN attacks are not connected to the cloud backup breach, experts believe that the stolen configuration files could provide valuable intelligence for future exploits. The sensitive data stored in the stolen files poses a high risk for the impacted organizations, Huntress noted, urging businesses to proactively patch and monitor all SonicWall-related systems.
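Valid-credential abuse of the kind Huntress described produces successful logins rather than failures, so alerting on failed-authentication spikes alone misses it. The following is an added example, not Huntress's or SonicWall's detection logic: the SSL VPN log lines and the per-user baseline of known source addresses are constructed, and the field layout (user=, src=, result=) is an assumption rather than SonicWall's actual syslog format. It flags two patterns: a successful login from a source the account has never used, and one source address successfully authenticating several distinct accounts within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSL VPN authentication log lines. The layout (user=, src=, result=)
# is an assumption for this example, not SonicWall's real syslog format.
SAMPLE_LOG = """\
2025-10-14T02:11:05Z fw01 sslvpn: user=jsmith src=203.0.113.50 result=success
2025-10-14T02:11:40Z fw01 sslvpn: user=mlee src=203.0.113.50 result=success
2025-10-14T02:12:09Z fw01 sslvpn: user=rgarcia src=203.0.113.50 result=success
2025-10-14T02:13:30Z fw01 sslvpn: user=bchen src=203.0.113.50 result=failure
2025-10-14T09:00:12Z fw01 sslvpn: user=jsmith src=198.51.100.20 result=success
2025-10-14T09:05:00Z fw01 sslvpn: user=aking src=192.0.2.77 result=success
""".splitlines()

# Constructed per-user baseline of source addresses seen over the preceding weeks.
BASELINE = {
    "jsmith": {"198.51.100.20"},
    "mlee": {"198.51.100.21"},
    "rgarcia": {"198.51.100.22"},
    "aking": {"192.0.2.77"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(lines):
    """Parse log lines into dicts with a datetime timestamp; skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, baseline, window=timedelta(minutes=10), min_accounts=3):
    """Flag valid-credential abuse: only successful logins are considered."""
    successes = [e for e in parse_events(lines) if e["result"] == "success"]
    findings = []

    # Rule 1: a success from a source this account has never used before.
    for e in successes:
        if e["src"] not in baseline.get(e["user"], set()):
            findings.append(("new_source", e["user"], e["src"]))

    # Rule 2: one source address successfully authenticating several distinct
    # accounts inside the window, the shape that stolen or replayed credentials produce.
    by_src = defaultdict(list)
    for e in successes:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):          # evs are time-ordered
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                findings.append(("many_accounts_one_source", src, tuple(sorted(users))))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, BASELINE):
        print(finding)
```

On the constructed log the three early-morning successes from 203.0.113.50 trip both rules (each account is on a new source, and one source reached three accounts in about a minute), while the later logins from baselined addresses stay quiet. The failed attempt for bchen is deliberately ignored: the point is that the compromise signal here is in the successes.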
The SonicWall hack has sparked broader discussions about the growing risks associated with cloud-based backup systems, particularly those used by security vendors. As companies increasingly migrate to cloud infrastructure, attackers, especially state-sponsored groups, are shifting their focus to exploit API vulnerabilities, misconfigurations, and backup data that often hold sensitive operational details.
Industry analysts say the breach reflects a troubling trend: nation-state hackers are increasingly targeting security providers themselves to gain insight into defense mechanisms and network topologies used by enterprise clients. “This incident underscores that even cybersecurity companies are not immune,” one analyst said. “State-sponsored attackers are patient, well-funded, and capable of exploiting the smallest weaknesses in supply chains or cloud configurations.”
SonicWall’s collaboration with Mandiant and its swift disclosure have been praised as examples of transparent crisis management, though experts stress that the full impact on affected customers may take time to surface.
SonicWall says it remains committed to protecting its customers and has promised ongoing updates as new intelligence emerges. The company’s swift response, engagement with Mandiant, and rollout of additional network hardening measures signal its intent to rebuild trust after a major breach in its cloud ecosystem. However, the attack serves as a stark reminder of the persistent threat posed by nation-state hackers, who continue to refine their tactics and target infrastructure critical to global cybersecurity operations.
Organizations using SonicWall products are encouraged to stay vigilant, apply all recommended fixes, and monitor for any unusual network activity linked to their devices. As cloud adoption accelerates, this breach will likely be remembered as a key moment highlighting why security vendors must treat their own cloud environments with the same rigor they demand from customers.