SonicWall has blamed an unnamed, state-sponsored collective for the September break-in that saw cybercriminals rifle through a cache of firewall configuration backups.
The network security vendor said it spotted “suspicious activity” in early September involving the unauthorized downloading of backup firewall configuration files from “a specific cloud environment.” The company initially said that “fewer than 5 percent” of its firewall installed base had files accessed, but later admitted that “all customers” who utilized the MySonicWall cloud backup feature were affected.
SonicWall said its incident response team quickly called in Google-owned Mandiant, the go-to fixer for when things get ugly. SonicWall has now wrapped up the probe, confirming that the intruders were state-sponsored operators who gained access via an API call to the cloud backup system.
In an update published this week, SonicWall said the investigation confirmed the intrusion was limited to a cloud-based backup service and did not affect SonicWall’s products, firmware, source code, or any customer networks.
The activity was confined to an API call used to access those backup files, and had nothing to do with the Akira ransomware campaigns that have been hammering firewalls and edge devices elsewhere on the internet.
In a video statement, SonicWall CEO Bob VanKirk said: “We now know this incident was carried out by state-sponsored threat actors. The malicious activity has been contained and was isolated to our firewall cloud-backup services. There was no impact to customer data or any other SonicWall system.”
SonicWall has not said which nation was behind the incident or provided indicators linking it to any known threat group.
The company said it has taken all remediation actions recommended by Mandiant and would continue to work with the firm and other third parties to harden its network and cloud infrastructure. SonicWall stressed that this was not a case of its firewall software itself being compromised but rather a supporting cloud service used to store backups – a subtle distinction, but one that matters when your brand trades on keeping attackers out.
SonicWall has spent the past few months on what it calls a “Secure by Design” modernization push, aimed at tightening product architecture, cloud operations, and internal security practices. VanKirk said the company would use lessons from the incident and community feedback to “continue to improve how we interact with our partners when security issues arise.”
“As nation-state–backed threat actors increasingly target edge-security providers, especially those serving SMB and distributed environments, SonicWall is committed to strengthening its position as a leader for partners and their SMB customers on the front lines of this escalation,” the company said.
That confidence may be well-placed, though the breach adds SonicWall to a growing list of security vendors that have learned the hard way that even defensive infrastructure can become a target of geopolitical cyber operations.
SonicWall insists it has emerged “stronger, more resilient, and even more trusted” from the experience. Customers, one assumes, will hope that’s true – and this is the last time their firewall backups become a foreign-policy problem. ®