Network security company SonicWall has concluded its investigation into the September cybersecurity incident that exposed customers’ firewall configuration backup files, confirming that a state-sponsored threat actor was responsible for the breach.
According to the vendor, Mandiant’s investigation determined that the malicious activity was limited to unauthorized access of cloud backup files from a specific cloud environment via an API call. Mandiant found no evidence that SonicWall’s products, firmware, systems, tools, source code, or customer networks were affected.
“The Mandiant investigation is now complete. Their findings confirm that the malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call. The incident is unrelated to ongoing global Akira ransomware attacks on firewalls and other edge devices,” the company said in a statement.
“The incident did not impact SonicWall products or firmware. No other SonicWall systems or tools, source code, or customer networks were disrupted or compromised,” the vendor added.
The breach was first disclosed on September 17, when SonicWall warned that an attacker had accessed firewall configuration backup files stored in certain MySonicWall accounts. The files could contain sensitive information, including access credentials and tokens, potentially allowing attackers to more easily exploit customer firewalls.
SonicWall advised affected customers to reset their MySonicWall account credentials and update passwords for related systems and services, including LDAP, RADIUS, and VPN configurations.
In an October 9 update, the company confirmed that all customers using its cloud backup service to store firewall configuration files were affected. SonicWall said that the incident was contained and did not compromise its broader environment or product integrity.
The company also clarified that this state-sponsored activity was unrelated to recent attacks by the Akira ransomware gang, which had targeted SonicWall VPN accounts protected by multi-factor authentication (MFA) in late September.
In October, cybersecurity firm Huntress reported that it had detected a widespread campaign targeting SonicWall SSLVPN accounts, with over 100 accounts compromised across 16 customer environments. The campaign, first observed on October 4, involved attackers authenticating with valid, stolen credentials rather than brute-forcing passwords, so the logins did not produce the failed-authentication noise that brute-force detection typically relies on.
It is currently unclear whether the September SonicWall breach and the attacks observed by Huntress are connected.
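The distinction above matters for detection: a campaign that reuses valid credentials produces successful logins with no preceding failures, so a rule that only counts failed attempts will miss it. The script below is an added example, not code from the article, SonicWall or Huntress. It runs a simple two-sided check over VPN authentication events: a source address is flagged as credential reuse when several distinct accounts log in successfully from it within a short window with no failures at all, and as brute force when repeated failures precede a success. The log format and the sample lines are constructed for illustration; SonicWall's real syslog output differs and would need to be mapped to the `src`, `user` and `result` fields the parser expects.

```python
"""
Added example: separate "valid-credential" SSLVPN logins from brute-force logins.

The log format below is constructed for this example; it is NOT SonicWall's
real syslog format. Map real events to (timestamp, src, user, result) first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 test addresses, made-up user names).
SAMPLE_LOGS = """\
2025-10-04T02:11:05Z src=203.0.113.7 user=jsmith result=success
2025-10-04T02:11:19Z src=203.0.113.7 user=mlee result=success
2025-10-04T02:11:42Z src=203.0.113.7 user=rpatel result=success
2025-10-04T02:12:03Z src=203.0.113.7 user=akim result=success
2025-10-04T03:00:01Z src=198.51.100.9 user=admin result=failure
2025-10-04T03:00:02Z src=198.51.100.9 user=admin result=failure
2025-10-04T03:00:03Z src=198.51.100.9 user=admin result=failure
2025-10-04T03:00:04Z src=198.51.100.9 user=admin result=success
2025-10-04T09:30:00Z src=192.0.2.50 user=jsmith result=success
"""


def parse(lines):
    """Parse 'ISO-timestamp key=value ...' lines into event dicts."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": fields["src"],
            "user": fields["user"],
            "ok": fields["result"] == "success",
        })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_users=3, min_failures=3):
    """
    Label each source IP as one of:
      'credential-reuse' - >= min_users distinct accounts succeed within
                           `window` and the source never failed a login
      'brute-force'      - >= min_failures failures and at least one success
      'normal'           - anything else
    Thresholds are illustrative assumptions; tune them to the environment.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    labels = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = sum(1 for e in evs if not e["ok"])
        successes = [e for e in evs if e["ok"]]

        # Sliding window over successes: most distinct accounts seen
        # from this source within `window` of any single success.
        max_users = 0
        for i, start in enumerate(successes):
            users = {x["user"] for x in successes[i:]
                     if x["ts"] - start["ts"] <= window}
            max_users = max(max_users, len(users))

        if failures == 0 and max_users >= min_users:
            labels[src] = "credential-reuse"
        elif failures >= min_failures and successes:
            labels[src] = "brute-force"
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(parse(SAMPLE_LOGS)).items():
        print(f"{src:15} {label}")
```

The credential-reuse branch is the one that catches the pattern described in the Huntress report: every login succeeds on the first try, so the only observable is the fan-out of distinct accounts from one source in a short period. In a real deployment the source-IP grouping would usually be joined with ASN or geolocation data, and the account list cross-checked against the MFA status of each user.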
