SonicWall, a prominent cybersecurity firm specializing in firewalls and edge security, has concluded its investigation into a significant data incident involving unauthorized access to cloud-stored backup files.
The breach, detected in early September 2025, affected configuration files for firewalls but did not compromise products, firmware, or customer networks.
In a detailed blog post, the company attributed the attack to state-sponsored threat actors, emphasizing its swift response and ongoing enhancements to cyber resilience.
Detection and Rapid Response
The incident came to light when SonicWall’s security team spotted unusual activity in a specific cloud environment, where backup firewall configuration files were being downloaded via an API call.
Without delay, the company activated its incident response protocols and brought in Mandiant, a renowned cybersecurity firm, to lead the probe.
SonicWall promptly informed global partners and customers, providing transparent updates and hosting live Q&A sessions to address concerns.
To support remediation, SonicWall developed specialized tools and offered financial concessions to ease the burden on partners.
These partners, in turn, acted decisively, implementing recommended fixes to safeguard their own customers.

This collaborative effort underscored SonicWall’s channel-focused model, particularly for small and medium-sized businesses (SMBs) that rely on its distributed security solutions.
Key Findings from the Investigation
Mandiant’s completed analysis confirmed the breach was isolated to the cloud backups and unrelated to the widespread Akira ransomware campaign targeting firewalls and edge devices.
No other SonicWall systems, source code, or tools were impacted, and the malicious activity stemmed from targeted API exploitation by nation-state actors.
These groups increasingly focus on edge providers serving SMBs, exploiting the decentralized nature of such environments.
SonicWall has fully executed Mandiant’s remediation recommendations and continues partnering with third-party experts to fortify its network and cloud infrastructure.
The company stressed that the incident highlighted the broader risk posed by advanced persistent threats (APTs), but that its firewalls proved resilient, as evidenced by independent testing.
Strengthening Defenses and Partner Trust
Building on this experience, SonicWall is accelerating its “Secure by Design” initiative, launched earlier in 2025.
This includes appointing a new Chief Information Officer to overhaul infrastructure, development pipelines, and service delivery.
Investments in its Computer Security Incident Response Team (CSIRT) and Product Security Incident Response Team (PSIRT), along with enhanced vendor tools, aim to preempt future risks.
Recent validation from NetSecOPEN’s third-party tests reinforces SonicWall’s efficacy: it achieved a perfect 100% block rate across public CVEs, private CVEs, malware, and evasion techniques for the second year running.
As state-backed threats escalate, SonicWall reaffirms its commitment to transparency, innovation, and deep collaboration with partners.
Emerging stronger, the firm positions itself as a trusted guardian for SMBs on cybersecurity’s front lines.





