SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach

Network security giant SonicWall has officially confirmed that a sophisticated state-sponsored threat actor was responsible for a September security incident. The breach resulted in unauthorized access to firewall configuration backup files stored in a specific cloud environment. The company has assured customers that its core products and firmware remain unaffected, although for affected customers the practical exposure is the contents of those backup files rather than the firewall software itself.

Isolated Breach in a Specific Cloud Environment

According to a detailed statement released by the company, the malicious activity was highly targeted. The threat actors used an API call to retrieve cloud backup files, and the compromise was contained to that single environment.

SonicWall was quick to clarify that this event is entirely separate from the ongoing global attacks involving Akira ransomware targeting firewalls and other edge devices. This distinction highlights the targeted, espionage-focused nature of the state-sponsored breach compared to the financially motivated ransomware campaigns.

Investigation and Customer Impact

The public disclosure comes nearly a month after SonicWall first notified customers that an unauthorized party had accessed configuration backup files. While initial reports suggested the breach impacted “all customers” who used the cloud backup service, the company later refined this figure, stating that data was actually accessed for fewer than 5% of its customer base. Whatever the final count, any customer who used the cloud backup feature should verify their own status rather than rely on the aggregate figure.

To lead the forensic investigation, SonicWall engaged Mandiant, the incident response firm owned by Google. The investigation concluded that the company’s products, firmware, and other core systems were not compromised. SonicWall has since implemented all remedial actions recommended by Mandiant to harden its network and cloud infrastructure.

The Growing Threat to Security Providers

In its statement, SonicWall addressed the broader threat landscape, noting that nation-state actors are increasingly setting their sights on edge security providers. This trend is particularly concerning for those companies serving small and medium-sized businesses (SMBs) and distributed enterprise environments.

The company reaffirmed its commitment to security, stating, “SonicWall is committed to strengthening its position as a leader for partners and their SMB customers on the front lines of this escalation.”

Recommended Steps for Customers

For customers concerned about their security posture, SonicWall has issued specific guidance. Users are strongly advised to log into the MySonicWall.com portal to review their registered devices and reset credentials for any potentially impacted services. Because a firewall configuration backup typically carries stored credentials and shared secrets, a reset should cover every secret referenced in the device’s configuration, not only the portal login.

To further assist in the response, the company has released two dedicated tools:

  • An Online Analysis Tool to help identify which services require remediation.
  • A Credentials Reset Tool to perform the required credential updates efficiently.