SonicWall blames state hackers for damaging data breach

News
By published

However it didn't say which nations might be behind attack

Cyber security Cloud computing blue abstract digital binary code background. Innovative technology and Artificial intelligence concept. New futuristic system technology symbol. Vector illustration.
(Image credit: Shutterstock / MiniStocker)
  • SonicWall confirms state-sponsored actor accessed cloud backups via API in a targeted breach
  • Initially downplayed, the breach ultimately affected all SonicWall customers globally
  • No product or firmware compromise occurred; Mandiant is assisting with remediation and hardening

SonicWall has blamed “state-sponsored threat actors” for the cloud backup security breach which hit its services in September 2025.

In an update posted on the company’s website, SonicWall said it completed the investigation into the incident, and confirmed that the malicious activity was “carried out by a state-sponsored threat actor” and was “isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call.”

In mid-September 2025, SonicWall warned its firewall customers to reset their passwords after unnamed threat actors brute-forced their way into the company’s MySonicWall cloud service. This tool allows SonicWall firewall users (typically businesses and IT teams) to back up their firewall configuration files, including network rules and access policies, VPN configurations, service credentials (LDAP, RADIUS, SNMP), or admin usernames and passwords (if stored in config).

Acting like hacktivists

At first, SonicWall said that fewer than 5% of its customer base was affected, but later confirmed the breach had impacted all of its customers (which could be as many as 500,000 around the world).

The company confirmed its products and firmware were not compromised, and that no other systems or tools, source code, or customer networks were disrupted or otherwise tampered with.

“SonicWall has taken all current remediation actions recommended by Mandiant and will continue working with Mandiant and other third parties for ongoing hardening of our network and cloud infrastructure,” it said.

In theory, the attackers could brute-force or decrypt the secrets stolen from the backup, extract credentials used in services tied to the firewall, understand network topology and rules - bypassing defenses more easily, and launch targeted attacks using insider knowledge on how the firewalls are configured.

SonicWall did not name the attackers, and so far no one has claimed responsibility for the attack. It was just stressed that these incidents are unrelated to the recent Akira attacks that also targeted backups.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.