A sophisticated cyberattack that breached SonicWall’s systems in September 2023 and resulted in unauthorized access to sensitive firewall configuration backup files has now been attributed to a suspected state-sponsored group. The company, which specializes in network security and firewall solutions, publicly disclosed the outcome of its internal investigation, concluding that an advanced persistent threat (APT) actor—likely backed by a nation-state—was behind the security incident.
Attack Targeted Configuration Backups for Firewalls
Sensitive Customer Information Not Accessed, Company Says
In September 2023, SonicWall initiated an incident response process after detecting anomalous activity associated with a subset of its SecureFirst Partner Portal systems. The threat actors exfiltrated a limited number of configuration backup files linked to firewalls deployed by SonicWall’s enterprise customers. These files contain network configuration data that, if exposed, could aid attackers in developing tailored intrusion strategies or in identifying exploitable weaknesses within specific network topologies.
Despite the breach, SonicWall emphasized that the backup files did not contain critical identifiable information such as credentials, customer names, or addresses. According to the firm, additional controls in place ensured that sensitive personally identifiable information (PII) remained secure.
Investigation Attributes Attack to Highly Skilled Threat Actors
Indicators of a Nation-State-Level Adversary
SonicWall stated that the group responsible demonstrated a high degree of sophistication consistent with that of a state-sponsored threat actor. The tactics, techniques, and procedures (TTPs) observed during the attack mirrored those typically seen in advanced persistent threat campaigns. These included stealthy lateral movement, controlled data exfiltration, and a tailored approach that suggested a strategic targeting of SonicWall’s firewall infrastructure.
While the company did not name a specific country, its conclusion echoes broader industry trends. Nation-state actors have increasingly targeted network hardware vendors and managed service providers (MSPs) to pivot into downstream victims’ environments. This approach allows attackers to exploit the trusted relationships and embedded access these vendors hold.
Mitigation Measures and Customer Notifications
Patched Vulnerabilities and Rotated Credentials Across Systems
Following the breach, SonicWall executed a remediation strategy that included:
- Revoking affected credentials and API tokens related to the SecureFirst Partner Portal
- Enhancing logging and threat detection policies across its infrastructure
- Performing end-to-end reviews of systems that stored or processed configuration backups
- Notifying impacted customers and providing guidance on further hardening configurations
SonicWall also recommended that firewall administrators review configuration rules and access policies. Additional emphasis was placed on rotating secrets, disabling unused accounts, and revalidating firewall integrity using updated tools and firmware.
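The remediation list above pairs revoked API tokens with enhanced logging and detection. The script below is an added example, not SonicWall's code, of one detection that follows from the incident as described: flagging a portal API token that pulls configuration backups for an unusually large number of distinct firewalls in a short window. The log format, token names and firewall ids are constructed for illustration, and the threshold is an assumption that a real deployment would tune to each partner's legitimate tenant count.

```python
"""Flag bulk firewall-config-backup downloads in partner-portal access logs.

Added example (not SonicWall's code). Log layout, tokens and firewall
ids are constructed: <ISO timestamp> <api token> <action> <firewall id>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: token A pulls six configs in 30 seconds,
# token B pulls one config per day, which is treated as routine.
SAMPLE_LOG = """\
2023-09-12T01:02:03Z tok_partner_A download_config fw-1001
2023-09-12T01:02:09Z tok_partner_A download_config fw-1002
2023-09-12T01:02:15Z tok_partner_A download_config fw-1003
2023-09-12T01:02:21Z tok_partner_A download_config fw-1004
2023-09-12T01:02:27Z tok_partner_A download_config fw-1005
2023-09-12T01:02:33Z tok_partner_A download_config fw-1006
2023-09-12T09:15:00Z tok_partner_B download_config fw-2001
2023-09-12T14:40:00Z tok_partner_B view_dashboard fw-2001
2023-09-13T08:00:00Z tok_partner_B download_config fw-2002
"""


def parse_line(line):
    """Split one constructed log line into (datetime, token, action, fw_id)."""
    ts, token, action, fw = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, action, fw


def find_bulk_config_downloads(log_text, max_distinct=3, window=timedelta(minutes=10)):
    """Return {token: sorted firewall ids} for every token that downloaded
    config backups for more than `max_distinct` distinct firewalls within
    any sliding `window`. Thresholds are assumed values, not vendor defaults."""
    downloads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, token, action, fw = parse_line(line)
        if action == "download_config":
            downloads[token].append((ts, fw))

    flagged = {}
    for token, events in downloads.items():
        events.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {fw for _, fw in events[start:end + 1]}
            if len(distinct) > max_distinct and len(distinct) > len(flagged.get(token, [])):
                flagged[token] = sorted(distinct)  # keep the widest burst seen
    return flagged


if __name__ == "__main__":
    for token, fws in find_bulk_config_downloads(SAMPLE_LOG).items():
        print(f"ALERT {token}: {len(fws)} firewall configs pulled: {fws}")
```

In practice the same logic would run over the portal's real audit trail, with an alert routed to the team that can revoke the token while the burst is still in progress.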
Broader Implications for Supply Chain and Infrastructure Security
Firewall Vendors Increasingly in Crosshairs of Cyber Espionage
This incident underscores a growing trend in which firewall vendors and other infrastructure providers are treated as high-value targets by offensive cyber units. Given the central role firewalls play in enforcing perimeter security policies and restricting lateral movement, compromising such tools offers attackers unrivaled insight into even well-defended environments.
Organizations relying on third-party security solutions must reassess the security assurances provided by their vendors. A zero-trust security posture, where trust is never implicitly granted—even to security tooling itself—is quickly becoming an industry necessity. The SonicWall breach illustrates how even organizations that serve as defenders can become vectors in broader cyber-espionage campaigns.
Continued Focus on Detection and Transparency
Call for Greater Ecosystem Collaboration on Threat Intelligence
SonicWall’s post-breach transparency has been welcomed by parts of the cybersecurity community, with many security professionals pointing out the importance of public attribution and remediation guidance when dealing with suspected state-sponsored campaigns. Enabling early detection and coordinated response across vendor ecosystems will be critical to limiting the lateral spread of cyber-espionage operations.
As firewalls and other edge security devices become richer in telemetry and capabilities, they also attract threat actors seeking stealthy persistence. The state-sponsored firewall breach against SonicWall serves as a reminder that even foundational cybersecurity infrastructure can become a liability if compromised.