- SonicWall Confirms State-Sponsored Actor Accessed Cloud Backups via API in Targeted Breach
- Initially downplayed, the breach ultimately affected all SonicWall customers worldwide.
- No products or firmware have been compromised; Mandiant helps with remediation and hardening
SonicWall blamed “state-sponsored threat actors” for the cloud backup security breach that hit its services in September 2025.
In an update posted to the company’s website, SonicWall said it had completed the investigation into the incident and confirmed that the malicious activity was “conducted by a state-sponsored threat actor” and was “isolated from unauthorized access to cloud backup files from a specific cloud environment using an API call.”
In mid-September 2025, SonicWall warned its firewall customers to reset their passwords after unidentified threat actors forced their way into the company’s MySonicWall cloud service. This service allows SonicWall firewall users (typically businesses and IT teams) to back up their firewall configuration files, including network rules and access policies, VPN configurations, service credentials (LDAP, RADIUS, SNMP), and administrator usernames and passwords (if stored in the configuration).
Act like hacktivists
SonicWall initially said fewer than 5% of its customers were affected, but later confirmed the breach affected all of them (a customer base that could reach 500,000 worldwide).
The company confirmed that its products and firmware were not compromised and that no other systems or tools, source code or customer networks were disrupted or altered.
“SonicWall has taken all corrective actions recommended by Mandiant and will continue to work with Mandiant and other third parties for the continued strengthening of our network and cloud infrastructure,” it said.
In theory, attackers could brute-force or decrypt stolen secrets from the backups, extract credentials used in firewall-related services, study network topology and rules to bypass defenses more easily, and launch targeted attacks using inside knowledge of how the firewalls are configured.
SonicWall has not named the attackers, and so far no one has claimed responsibility for the attack. It was only noted that the incident has no connection with the recent Akira attacks, which also targeted backups.
Via BleepingComputer