Rob Wright, Senior News Director, Dark Reading
November 6, 2025
4 Min Read

Source: imageBROKER.com via Alamy Stock Photo
The recent breach of a SonicWall cloud backup service in which attackers stole firewall configuration files was the work of an unnamed nation-state threat actor.
In September, SonicWall disclosed that a threat actor had breached a cloud environment for the MySonicWall backup service devoted to the company’s firewalls. At the time, the network security vendor said the breach stemmed from “a series of brute force attacks” and the threat actor accessed firewall configuration data for fewer than 5% of SonicWall customers.
However, last month SonicWall acknowledged that the breach was worse than the company initially thought. An incident response investigation conducted with Google Cloud’s Mandiant revealed that the attackers had in fact “accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service.”
In a blog post this week, SonicWall closed the book on the investigation, though some questions about the attack remain.
“The Mandiant investigation is now complete,” the company said in a blog post. “Their findings confirm that the malicious activity — carried out by a state-sponsored threat actor — was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call.”
SonicWall said the breach “is unrelated to ongoing global Akira ransomware attacks on firewalls and other edge devices.” The ransomware gang has been targeting SonicWall VPNs for several weeks.
However, it’s unclear who the nation-state actors are, and how they breached the cloud backup service.
Attackers Abused API Call — But How?
In a video that accompanied the blog post, SonicWall president and CEO Bob VanKirk said the intrusion was limited to the company’s firewall cloud backup service, where firewall configuration data is stored “in a specific cloud bucket.”
“There was no impact to any SonicWall product, firmware, source code, or production network, or to any customer data or other SonicWall system,” VanKirk said.
While SonicWall said the breach stemmed from an API call, the company did not specify which API the attackers abused and how they accomplished it. It’s unclear if the API lacked authentication, if a key was exposed, or if the state-sponsored threat actors compromised the API through a vulnerability or other means.
Dark Reading asked SonicWall several questions regarding the API, but the company did not address them. However, a SonicWall spokesperson tells Dark Reading that the attack vector was “immediately mitigated,” and that Mandiant confirmed this.
The spokesperson also says that SonicWall and Mandiant found no evidence that the stolen backup firewall data has been used by threat actors.
The SonicWall breach is the latest example of attackers leveraging APIs for malicious activity. Experts have warned about the growing number of exposed secrets like API keys, which threat actors can obtain from code repositories, development tools, and other resources. Additionally, attackers can access APIs as paying customers and abuse them in ways that companies may not have anticipated. For example, a threat actor used an OpenAI Assistants API for command-and-control (C2) communications for a backdoor that researchers dubbed “SesameOp.”
Breach Marks Latest Trouble for SonicWall
Like other edge device manufacturers, SonicWall has emerged as a popular target for a variety of threat actors in recent years, from nation-state actors to cybercrime gangs.
“SonicWall has taken all current remediation actions recommended by Mandiant and will continue working with Mandiant and other third parties for ongoing hardening of our network and cloud infrastructure,” the company said in the blog post.
The company added that it launched two security initiatives earlier this year to strengthen its defenses. The first is a broad Secure by Design effort for the company’s product line and cloud operations. Second, SonicWall “doubled down on our commitment to a zero-trust architecture framework” to improve internal security practices and infrastructure defenses, VanKirk said.
SonicWall also took the opportunity to tout its results in a recent firewall efficacy test conducted by NetSecOpen. The company proclaimed that it was “the only firewall vendor to achieve a 100% block rate across every test category — public CVEs, private CVEs, malware, and evasion techniques — for the second consecutive year.”
Despite these results, the pattern of attacks and exploited vulnerabilities against the company’s customers in recent years has sparked concern in the cybersecurity industry. For example, some cyber insurance carriers began charging higher premiums for customers with certain products in their technology stacks that they deem higher risk, such as SonicWall edge devices.
About the Author
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget’s SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom’s Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.