Full Report
SonicWall's investigation into the September security breach that exposed customers' firewall configuration backup files concludes that state-sponsored hackers were behind the attack. [...]
Analysis Summary
# Threat Actor: State-Sponsored Threat Actor (Unspecified)
## Attribution & Identity
The threat actor responsible for the September security breach at SonicWall is attributed as **state-sponsored hackers** based on Mandiant's investigation findings. The specific name or known group affiliation for this actor is **not provided** in the summary.
## Activity Summary
The actor was linked to a security breach in **September** targeting SonicWall's cloud environment:
* Unauthorized access was gained to **cloud backup files** from a specific cloud environment using an **API call**.
* The breach exposed **firewall configuration backup files** stored in certain **MySonicWall accounts**.
* These exposed files contained sensitive information, such as **access credentials and tokens**, which could facilitate subsequent exploitation of customer firewalls.
* SonicWall confirmed the incident did **not** impact its products, firmware, source code, or customer networks directly, only the cloud backup storage.
* This nation-state activity was explicitly stated to have **no connection** to distinct attacks carried out by the Akira ransomware group in late September.
## Tactics, Techniques & Procedures
- **Initial Access/Data Exfiltration:** Gained access to cloud backup files via an **API call**.
- Data Stored: **Firewall configuration backup files** containing sensitive authentication data (credentials, tokens).
- *MITRE ATT&CK IDs are not specified in the source text.*
## Targeting
- **Sectors:** Customers utilizing SonicWall’s cloud backup service for firewall configuration files (implied to be organizations using SonicWall firewalls).
- **Geography:** The primary victim organization mentioned is **SonicWall** (An American company).
- **Victims:** **All customers** who used the company’s cloud backup service to store firewall configuration files were affected by the data exposure.
## Tools & Infrastructure
- **Malware families used:** None specified.
- **Infrastructure (C2, domains, IPs):** Access was achieved using an **API call** to the compromised cloud environment. No specific C2 or malicious infrastructure details were provided.
## Implications
The primary implication is the **risk amplification** for SonicWall customers. Exposure of firewall configuration files containing credentials, Local/LDAP/RADIUS/TACACS+ passwords, and VPN secrets significantly lowers the bar for threat actors (potentially the same state-sponsored group or secondary actors exploiting the stolen data) to compromise customer networks via their firewalls.
## Mitigations
- **Credential Reset:** Customers were immediately advised to reset multiple credential types:
* MySonicWall account credentials.
* Temporary access codes.
* Passwords for LDAP, RADIUS, or TACACS+ servers.
* Passwords for L2TP/PPPoE/PPTP WAN interfaces.
* Shared secrets in IPSec site-to-site and GroupVPN policies.