State-Sponsored Attackers Stealing Cloud Backups of SonicWall Customers

In mid-September 2025, SonicWall discovered unauthorized access to MySonicWall cloud backups containing firewall configuration files. The company later concluded that a state-sponsored threat actor was responsible. Backup files for customers who used the cloud backup service were exfiltrated. The files may contain sensitive credentials, tokens, VPN settings and network rules, creating a high follow-on risk. SonicWall engaged Mandiant and published remediation guidance.

Executive summary
Incident: Unauthorized access to SonicWall’s MySonicWall cloud backup environment.
Attribution and scope: SonicWall later attributed the intrusion to a state-sponsored actor and widened the scope to include all customers who used cloud backups.
What was taken: Firewall configuration backup files. Those files can include admin passwords, VPN keys, RADIUS/LDAP credentials, service tokens and policy definitions. Even when encrypted, the data can enable targeted attacks.
Immediate actions: SonicWall removed attacker access, engaged Mandiant, notified customers and issued remediation steps (rotate credentials, delete cloud backups, recreate backups locally).

Timeline
Mid-September 2025: SonicWall detected suspicious downloads from MySonicWall cloud backups. Initial advisory released.
September-October 2025: Investigation with third-party incident response (IR). Early public messaging estimated <5% customer impact.
October-November 2025: SonicWall revised the scope and concluded that backups for all customers who used cloud backups were accessed. The company attributed the activity to a state-sponsored actor. Remediation guidance published.

What likely happened
Key facts confirmed by SonicWall and incident responders:

  • The attackers accessed a cloud environment used for MySonicWall backups. Access occurred via API calls against that environment.
  • SonicWall reported that the incident involved credential abuse and brute-force style activity against the service itself, rather than a firmware zero-day in customer devices. That aligns with the initial evidence and follow-on reporting.
  • The backup files contained firewall preference/config files. Those files can store service credentials, VPN pre-shared keys, admin accounts, network topology and ACLs. With that data an attacker can plan targeted intrusions or pivot to internal resources.

Attack Chain

  • Recon of MySonicWall endpoints and API surfaces.
  • Credential stuffing or brute forcing of accounts or API keys for the cloud backup service.
  • Use of valid API calls to enumerate and download customer backup files.
  • Exfiltration of the downloaded backup archives.
  • Post-exfiltration analysis to extract plaintext credentials, tokens and secrets (where encryption keys are obtainable or key management is weak).

This chain fits public statements noting API-based access and brute-force behavior.

What attackers can do with stolen backups

  • Credential harvesting: Extract admin passwords and SNMP/RADIUS/LDAP secrets, then use them against VPNs, management interfaces or SSO integrations.
  • Network mapping: Firewall rules reveal network segmentation, internal services and trust relationships. That reduces reconnaissance time for targeted attacks.
  • VPN compromise: VPN configuration and keys permit lateral entry if keys or PSKs are reusable or have not been rotated.
  • Supply-chain and follow-on operations: Nation-state actors can plan long-term surveillance, data collection or disruption campaigns tailored to affected organizations.

Detection and indicators of compromise (IoCs)
SonicWall has not publicly released a full IoC set for the attacker infrastructure. Detectable signs to hunt for in logs and telemetry include:

  • Unusual MySonicWall API activity from unexpected IPs or unknown cloud regions.
  • Large volumes of backup download events for customer accounts in a short window.
  • Brute-force authentication failures followed by successful logins from the same source.
  • Creation or use of API tokens outside normal operating patterns.
  • Outbound connections from corporate management stations to unknown hosts coinciding with backups being downloaded.

Operationally monitor:

  • Cloud audit logs for admin/API actions.
  • Firewall management access logs.
  • VPN and LDAP authentication logs for unusual endpoints or times.
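The hunt signals listed above can be expressed as simple rules over cloud audit logs. The script below is an added example for this article, not code from SonicWall or any vendor tool. The log format (timestamp, actor, source IP, action, result), the action names, the allowed egress range 203.0.113.0/24 and the business-hours window are all assumptions, and the sample events are constructed to exercise each rule: a burst of login failures followed by a success, an off-hours token creation, and several backup downloads in a short window, all from an IP outside the expected range.

```python
"""Hunt rules for suspicious cloud-backup activity (added example; assumed log schema)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample audit events: ts,actor,src_ip,action,result (not real SonicWall logs).
SAMPLE_LOG = """\
2025-09-15T02:00:01Z,alice,198.51.100.7,login,failure
2025-09-15T02:00:02Z,alice,198.51.100.7,login,failure
2025-09-15T02:00:03Z,alice,198.51.100.7,login,failure
2025-09-15T02:00:04Z,alice,198.51.100.7,login,failure
2025-09-15T02:00:05Z,alice,198.51.100.7,login,failure
2025-09-15T02:00:09Z,alice,198.51.100.7,login,success
2025-09-15T02:00:20Z,alice,198.51.100.7,token_create,success
2025-09-15T02:01:00Z,alice,198.51.100.7,backup_download,success
2025-09-15T02:01:10Z,alice,198.51.100.7,backup_download,success
2025-09-15T02:01:20Z,alice,198.51.100.7,backup_download,success
2025-09-15T02:01:30Z,alice,198.51.100.7,backup_download,success
2025-09-15T09:30:00Z,bob,203.0.113.20,login,success
2025-09-15T09:45:00Z,bob,203.0.113.20,backup_download,success
"""

# Assumed corporate egress range; replace with the ranges your admins really use.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(text):
    """Parse the comma-separated audit lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, actor, src, action, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "actor": actor,
            "src": ipaddress.ip_address(src),
            "action": action,
            "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def brute_force_then_success(events, failures=5, window=timedelta(minutes=10)):
    """Rule: N or more login failures from one source followed by a success within the window."""
    hits = set()
    recent = defaultdict(list)  # src -> timestamps of recent failures
    for e in events:
        if e["action"] != "login":
            continue
        q = recent[e["src"]]
        q[:] = [t for t in q if e["ts"] - t <= window]  # drop failures outside the window
        if e["result"] == "failure":
            q.append(e["ts"])
        elif e["result"] == "success" and len(q) >= failures:
            hits.add((str(e["src"]), e["actor"]))
    return hits


def download_burst(events, limit=3, window=timedelta(minutes=5)):
    """Rule: more than `limit` successful backup downloads by one actor inside the window."""
    hits = set()
    recent = defaultdict(list)  # actor -> timestamps of recent downloads
    for e in events:
        if e["action"] != "backup_download" or e["result"] != "success":
            continue
        q = recent[e["actor"]]
        q.append(e["ts"])
        q[:] = [t for t in q if e["ts"] - t <= window]
        if len(q) > limit:
            hits.add(e["actor"])
    return hits


def unexpected_source(events, allowed=ALLOWED_SOURCES):
    """Rule: any successful action from a source IP outside the allowed ranges."""
    return {str(e["src"]) for e in events
            if e["result"] == "success" and not any(e["src"] in net for net in allowed)}


def off_hours_token_creation(events, start_hour=8, end_hour=18):
    """Rule: API token creation outside the assumed business window (hours in UTC)."""
    return {(e["actor"], e["ts"].isoformat()) for e in events
            if e["action"] == "token_create" and not (start_hour <= e["ts"].hour < end_hour)}


def hunt(text):
    """Run every rule over the log text and return the findings per rule."""
    events = parse_events(text)
    return {
        "brute_force_then_success": sorted(brute_force_then_success(events)),
        "download_burst": sorted(download_burst(events)),
        "unexpected_source": sorted(unexpected_source(events)),
        "off_hours_token_creation": sorted(off_hours_token_creation(events)),
    }


if __name__ == "__main__":
    for rule, findings in hunt(SAMPLE_LOG).items():
        print(f"{rule}: {findings}")
```

Each rule is deliberately independent, so a single finding is only a lead; the combination seen in the sample (failures then success, a new token, then rapid downloads from an unexpected source) is the pattern worth escalating. Tune the thresholds and the allowed ranges to your own baseline before relying on them.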

Takeaway
The SonicWall cloud backup breach shows how even trusted vendor-managed systems can become high-value entry points for state-sponsored attackers. By stealing firewall configuration backups, the attackers gained visibility into network structures, credentials and VPN secrets, effectively turning defensive data into an offensive asset. The key takeaway is that organizations must treat vendor cloud backups as being as sensitive as production systems: keep encryption keys under your own control, rotate every credential stored in backups and reduce reliance on third-party storage for security-critical configurations.

References:
https://www.sonicwall.com/support/notices/mysonicwall-cloud-backup-file-incident/kA1VN0000000RoD0AU
https://www.cisa.gov/news-events/alerts/2025/09/22/sonicwall-releases-advisory-customers-after-security-incident