Nation-State

State-Sponsored Hackers Stole SonicWall Cloud Backups in Recent Attack

The threat actor stole the firewall configuration files of all SonicWall customers who used the cloud backup service.

SonicWall vulnerability

SonicWall this week revealed that a state-sponsored threat actor was behind the September hack in which firewall configuration files were stolen from its cloud backup service.

The company disclosed the incident in mid-September, saying that the attackers had exfiltrated the backup files of less than 5% of its customers.

In an October 8 update, SonicWall revised that number, saying that all firewall preference files stored using its cloud backup service were stolen.

The files, SonicWall warned, contain encrypted credentials and configuration data. Attackers could use them to launch targeted attacks, it said.

The company urged all customers to check if any firewall backups were listed in their MySonicWall.com accounts, to determine if their devices were at risk, and to reset all passwords, as described in the accompanying containment and mitigation documentation.

SonicWall engaged Mandiant to investigate the attack, and notified all impacted partners and customers about the incident. The investigation, it announced this week, has been completed.

Advertisement. Scroll to continue reading.

“The malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” SonicWall said.

The company also underlined that the attack is unrelated to the recent wave of Akira ransomware intrusions targeting SonicWall firewalls and other edge devices.

“The incident did not impact SonicWall products or firmware. No other SonicWall systems or tools, source code, or customer networks were disrupted or compromised,” the company said.

“SonicWall has taken all current remediation actions recommended by Mandiant and will continue working with Mandiant and other third parties for ongoing hardening of our network and cloud infrastructure,” it added.

SonicWall customers are advised to take immediate action to secure their devices. In mid-October, Huntress warned of a widespread campaign targeting SonicWall SSL VPN accounts, in which valid credentials were likely used for compromise across multiple businesses.

The attacks, the cybersecurity firm said, did not appear linked to the cloud backup incident. However, the sensitive information stored in the stolen files poses a high risk for the impacted organizations.

Related: Exploited ‘Post SMTP’ Plugin Flaw Exposes WordPress Sites to Takeover

Related: Transportation Companies Hacked to Steal Cargo

Related: SonicWall Updates SMA 100 Appliances to Remove Overstep Malware

Related: On Demand: Threat Detection & Incident Response (TDIR) Summit

Related Content

Nation-State

The attack was claimed by a hacktivist group, but evidence showed it used infrastructure linked to Iranian government threat actors.

Nation-State

The cybersecurity firm has not explicitly accused China of being behind the attack, but the evidence suggests it was. 

Vulnerabilities

CVE-2026-0300 affects the Captive Portal service of PAN-OS software on PA and VM series firewalls.

Vulnerabilities

The bugs could be exploited to bypass security controls, access restricted services, and crash firewalls.

Vulnerabilities

The bugs could allow attackers to modify protected resources and escalate their privileges to administrator.

Ransomware

Amazon found evidence that the FMC software vulnerability has been exploited since late January, and found links to Russia.

Cyberwarfare

The cybersecurity industry is monitoring the landscape and says many of the big claims made by hacktivist groups remain unverified.

Network Security

Threat actors relying on AI have been exploiting exposed ports and weak credentials to take over FortiGate devices.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version