In September 2025, cybersecurity company SonicWall discovered a serious breach involving its cloud backup service, MySonicWall. The company found that hackers had gained unauthorized access to backup files containing customers’ firewall configurations and settings. These files were stored in SonicWall’s cloud servers and were meant to help users easily restore their network setups if needed.

After a detailed investigation, SonicWall confirmed that the attack was carried out by state-sponsored hackers. This means the operation was supported by a government or nation-state rather than ordinary cybercriminals. The company hired the well-known cybersecurity firm Mandiant to investigate the breach. According to their report, the hackers used an API call to access a specific part of SonicWall’s cloud infrastructure.

Initially, SonicWall told its customers that fewer than 5% of them were affected by the incident. However, as the investigation progressed, it was found that the scope was larger than originally believed. The company later informed users that anyone who had used the cloud backup feature could have had their configuration files accessed during the attack.

The compromised files contained sensitive data such as firewall rules, VPN settings, network credentials, and other configuration details. SonicWall stated that these backups were encoded or partially encrypted, but experts note that the information inside could still help attackers understand how a network is built. That knowledge makes it easier to plan more targeted and damaging attacks in the future, which is why the credentials in such files should be treated as exposed regardless of the encoding.

SonicWall made it clear that the breach did not affect its main products, firmware, or live networks. Only the cloud backup environment was accessed, meaning the attackers could not directly interfere with the devices running on customer networks. Despite this, the incident is considered serious because configuration data is often the blueprint of how an organization’s network operates.

As soon as the breach was discovered, SonicWall blocked the attackers’ access and worked closely with Mandiant and law enforcement agencies to contain the situation. The company also introduced additional security measures to prevent similar breaches in the future. Customers were notified about the incident and given step-by-step guidance on how to protect their systems.

SonicWall has advised all users of its cloud backup service to reset their passwords, rotate any API keys or authentication tokens, and delete old cloud backups that may have been accessed. It also suggested creating new backups locally and monitoring networks for any unusual or unauthorized activity. Priority should be given to devices that connect directly to the internet or handle sensitive data.

This incident serves as another reminder of how even trusted and secure cloud services can be vulnerable to state-sponsored cyberattacks. Hackers backed by governments often have advanced tools and the patience to study systems in depth before launching their attacks. While SonicWall acted quickly and no live systems were compromised, the exposure of configuration files still poses long-term risks to affected organizations.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news