politico.eu
January 28, 2026 4:16 pm CET
By Sam Clark
Europe is investing heavily in security but not enough in cyber, bloc’s cyber agency chief says.
BRUSSELS — The European Union urgently needs to rethink its cyber defenses as it faces an unprecedented volume and pace of attacks, the head of the bloc's cyber agency told POLITICO.
“We are losing this game,” said Juhan Lepassaar, the executive director of the EU's Agency for Cybersecurity (ENISA). “We are not catching up, we're losing this game, and we're losing massively.”
Europe has been pummeled with damaging cyberattacks in recent years, which have shut down major airports, disrupted elections and crippled hospitals. Just in the past week, cyber experts pinned an attempted attack on Poland’s power grid on Russia, and the president of Germany's Bundesbank said in an interview that the central bank faced over 5,000 cyberattacks every minute.
The cyber threats come as Europe deals with war on its eastern border, China's growing power over the global technology market and an increasingly unfriendly United States. In the past year, European countries have pledged to boost defense spending and the EU has shaped many of its policies around security and self-reliance.
Investing in security services but not in cybersecurity creates a “loophole,” Lepassaar warned.
The agency chief's warnings come one week after the European Commission presented a proposal to overhaul its Cybersecurity Act legislation. The bill would allow the EU's cyber agency, based in Athens, to expand its personnel by 118 full-time staff and to spend more on operational costs. The agency now has approximately 150 staff.
But Lepassaar lamented that wasn't nearly enough. He drew a comparison to EU police agency Europol and EU border agency Frontex, which have more than 1,400 and more than 2,500 staff respectively, with more resources on the way.
“We just don't need an upgrade. We need a rethink," he said. “Doubling the capacity is the absolute minimum."
The European Union has fallen short in cyber investment for years and it needs to build an entire new EU-level cyber infrastructure, the agency chief said.
Europe needs to 'step up'
When Lepassaar took charge of the agency in 2019, Europe was in a “totally different environment," he said.
In 2019, approximately 17,000 software flaws were added to a global database logging such vulnerabilities; in 2025, more than 41,000 were added, he said. And in 2019, it took hackers approximately two months on average to use those flaws in an attack, but now it took only one day on average, he said, citing industry and government data.
The cybersecurity industry has warned it now takes hackers far less time to exploit glitches, in part because of AI.
Just as Europe has pledged to take greater responsibility for its physical security, it must do the same in cyberspace, said Lepassaar — an Estonian who previously headed the office of European Commissioner for Digital Affairs Andrus Ansip.
In areas such as cataloging and managing cyber vulnerabilities — an obscure but critical area of cybersecurity — the only organizations systematically working on the problem have long been U.S.-based, Lepassaar said. “We all reap the benefits for free … it's needed that we now step up and take our fair share of this.”
MITRE, a U.S.-based nonprofit group, manages a global database of cyber flaws on which the entire industry relies. It nearly lost funding last year before being bailed out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
European startups and small businesses benefit from a system whose security is “backed up only by MITRE and CISA,” Lepassaar said.
ENISA has started operating a database of cyber flaws — though this was planned before MITRE nearly lost its funding — and recently took on a key technical role that further embeds it at the core of global cybersecurity infrastructure.
“It's part of our obligation as Europe to take our fair share from this,” Lepassaar said.
cnn.com
By
Sean Lyngaas
PUBLISHED Jan 28, 2026, 6:00 AM ET
Weeks before the 2024 election, American military hackers carried out a secret operation to disrupt the work of Russian trolls spewing false information at US voters.
Weeks before the 2024 election, American military hackers carried out a secret operation to disrupt the work of Russian trolls spewing false information at US voters.
From their perch at Cyber Command at Fort Meade, Maryland, the military hackers took aim at the computer servers and key personnel of at least two Russian companies that were covertly pumping out the propaganda, according to multiple sources briefed on the operation.
The trolls were trying to influence election results in six swing states by publishing fictitious news stories that attacked American politicians who supported Ukraine. One of the companies had held “strategy meetings” with Kremlin officials on how to covertly influence US voters, according to an FBI affidavit.
In one case, the Cyber Command operatives planned to knock offline computer servers based in a European country that one of the Russian companies used, the sources said. Though the Russian trolls continued to create content through Election Day, when President Donald Trump defeated then-Vice President Kamala Harris, one source briefed on the hacking effort said it successfully slowed down the Russians’ operations.
The hacking campaign, which hasn’t been previously reported, was one of multiple US cyber operations against Russian and Iranian groups aimed at blunting foreign influence on the 2024 election. It was part of a broader US government effort involving the FBI, the Department of Homeland Security, and other intelligence and security agencies that exposed and disrupted foreign meddling.
But a year into a second Trump administration, many of the government centers previously tasked with repelling foreign influence operations have been disbanded or downsized — and local election officials are preparing to face a continued onslaught of foreign influence operations largely on their own.
The administration has shut down foreign-influence-focused centers at the Office of the Director of National Intelligence, the FBI and the State Department that helped warn the public that China, Russia and Iran’s spy services were targeting Americans with election-related disinformation. The Department of Homeland Security has also slashed its election security teams, which pass intelligence to local election offices and help them defend against cyber threats.
The Trump administration has accused those federal programs of censoring Americans and conducting domestic interference in US elections.
While military cyber operations are still an option, there is widespread concern among current and former officials that the US government’s willingness to combat foreign efforts to shape elections has waned. The cuts to election security programs risk causing an exodus of expertise at US intelligence and security agencies that was built up over nearly a decade.
The cuts come even as the US intelligence community found, in a threat assessment released by the Office of the Director of National Intelligence Tulsi Gabbard, that foreign powers will continue to try to influence US elections.
“I find it devastating and deeply alarming for our national security,” said Mike Moser, a former election security specialist at DHS’ Cybersecurity and Infrastructure Security Agency, who resigned after the agency froze its election work last year. “To see those partnerships unilaterally dismantled is a tragedy. We are losing the human and technological infrastructure that protects our democracy.”
Foreign influence and propaganda tend to increase in years when general elections or midterms are held. But even in the off-year of 2025, groups tied to authoritarian regimes were weighing in on races like the New York City mayoral election.
Chinese state-owned media accounts repeatedly amplified Trump’s attacks on Zohran Mamdani, the Democrat who ended up winning New York’s mayoral election, according to disinformation-tracking firm Alethea Group. Some pro-Iranian influencer accounts, meanwhile, pivoted to attacking Mamdani as a “Zionist apologist” in October after Mamdani made overtures to Jewish voters in New York, Alethea said.
But by the time that election was held in November of last year, the cuts to election protection efforts had already taken hold.
The 2026 midterms could be a litmus test for how foreign adversaries respond to a US government that is less forceful in publicly combating influence operations.
“We’ve not had a disaster take place because, in many ways, the procedures and policies and tools set up during the first Trump administration helped keep us safe,” Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, told CNN. “We’re going into a (2026) election cycle with our guard down.”
Multiple government agencies and processes for countering foreign influence that are now being cut were set up during Trump’s first term, including a dedicated team at the FBI that tracked counterintelligence threats to elections.
In April, Trump fired Gen. Tim Haugh, the head of Cyber Command and the National Security Agency ,who had led numerous operations countering Russian meddling.
“The foundation that we built to protect our electoral process was driven by the first Trump administration’s direct guidance to NSA and Cyber Command — the focus that they put at CISA and FBI to counter foreign influence and then any potential hacking activity targeting our electoral process,” Haugh told CNN in his first interview on the subject since being fired. He declined to comment on any Cyber Command operations during the 2024 election.
Far-right activist and Trump confidant Laura Loomer had pushed for Haugh’s removal, publicly calling him “disloyal” to Trump due to the fact that he had served alongside former Chairman of the Joint Chiefs of Staff Gen. Mark Milley. Haugh has denied the allegation.
Nearly 10 years after Russian agents tried to influence the 2016 election through hacking and disinformation, Americans are arguably more susceptible to covert propaganda than ever, according to experts.
“This is just an enormous set of vulnerability for our nation,” Haugh said. “We have shown a decreasing ability to discern truth from fiction as a society.”
Cyber Command declined to comment for this story. The NSA referred to questions to ODNI.
Cuts to federal funding for cybersecurity services for election offices have forced those offices to scramble for alternative funds, said Paul Lux, a Republican who is the top election official for Okaloosa County, Florida.
Election officials are also unsure whether the FBI and CISA will continue to hold classified briefings for them on threats to elections, something those agencies have done for years.
The briefings were “illuminating,” Lux said. “They allowed me to personally connect some dots” by making the threats more tangible, he added.
The FBI had no comment when asked by CNN whether the briefings would continue.
A CISA spokesperson did not directly answer a question about the briefings but provided a statement that read, in part, “since January 2025, CISA has issued 38 joint cybersecurity advisories with law enforcement and international partners and provided threat intelligence guidance to combat evolving threats and protect critical infrastructure, and we will continue to ensure election officials remain informed of any emerging issues going forward.”
With or without federal security and intelligence support, election officials will be ready to do their job, Lux said. “Our mission doesn’t change. (It is to) provide safe, free and fair elections with as much transparency as possible.”
Dismantling offices
The same type of Russian trolls that Cyber Command took aim at in the 2024 election continue to churn out content. A Russian covert influence network focused on undermining Western support for Ukraine has set up at least 200 fake websites since last March to target audiences in the US, France and elsewhere, according to the cyber intelligence firm Recorded Future.
The concern among more than a dozen current and former officials who spoke to CNN is that the Trump administration took a hatchet, rather than a scalpel, to federal programs aimed at countering the type of influence operation that Recorded Future uncovered. The programs could have been downsized, rather than abruptly canceled, in a way that met the Trump administration’s goal of cutting bureaucratic red tape, the sources said.
The State Department’s Global Engagement Center, which focused on combating foreign propaganda, posted a massive US intelligence dump on Russian meddling prior to the 2024 election. (The Trump administration formally shut down the State Department center last April after Congress let its funding expire.)
ODNI’s Foreign Malign Influence Center, which was set up under then-President Joe Biden, turned intelligence on Russian AI-generated videos posted on X purporting to show voter fraud into public statements in the days before Election Day in 2024.
Without that center, it’s unclear which government agency would warn the public of such efforts.
In announcing the Foreign Malign Influence Center’s closure in August, ODNI said the center was “redundant” and that other elements of the intelligence community perform some of the same work. Some Republican lawmakers agree.
“I am confident ODNI and the (intelligence community) will remain poised to assess and warn policymakers of covert and overt foreign influence operations targeting (US government) policies and manipulating public opinion,” said Rick Crawford, an Arkansas Republican who chairs the House intelligence committee, in a statement to CNN.
But Haugh, who spent more than three decades in the Air Force, said the cuts at various federal agencies mean that the US government has fewer levers to pull to punish or expose foreign influence operations.
ODNI did not answer a detailed list of questions on how the agency plans to counter foreign influence, including whether ODNI has a top intelligence specialist dedicated to the issue, as it has had in years past. An ODNI spokesperson referred CNN to a previous agency statement saying the Foreign Malign Influence Center’s core functions would be moved to other parts of ODNI.
Gabbard said in August that ODNI would cut its workforce by over 40% and save taxpayers hundreds of millions of dollars in the process.
Trump’s new pick to replace Haugh and lead the NSA and Cyber Command, Lt. Gen. Joshua Rudd, pledged to protect the electoral process from foreign interference during his Senate confirmation hearing.
“Any foreign attempt to undermine the American process of democracy, and at the center of that is our electoral process, as you all know far better than I do, has got to be safeguarded,” Rudd told senators on January 15.
A sensitive subject
The FBI’s election security posture today has been shaped by Trump’s grievances over the bureau’s investigation into his 2016 campaign’s contacts with Russia and his false claims of a stolen 2020 election.
As president-elect in 2017, Trump was incsensed when then-FBI Director James Comey briefed him on the existence of a salacious, and later debunked, dossier about Trump gathered by a former British intelligence agent. Many see a through line between that day and the FBI’s current counterintelligence posture for elections.
“You could argue that where we are today happened because Comey briefed Trump, Trump got embarrassed and the rest is one big revenge tour,” said a former senior FBI counterintelligence official who served during the first Trump term and Biden’s term. They spoke on the condition of anonymity out of fear of retaliation from the Trump administration
If and when US officials speak publicly on foreign efforts to shape US democracy is an intensely delicate subject in the second Trump administration. Trump has bristled at US intelligence findings that Russia tried to influence the 2016 election in his favor, while Democrats have often exaggerated those findings to attack Trump.
A year after FBI agents were caught off-guard in 2016 by the scale of Russian hacking and propaganda aimed at voters, the bureau set up a Foreign Influence Task Force (FITF), a team of about 30 people to focus on the threat of foreign meddling. The task force passed intelligence about what foreign spies were doing on Facebook and Twitter to those social media platforms.
In February 2025, Attorney General Pam Bondi dissolved FITF, citing the need to “free resources to address more pressing priorities, and end risks of further weaponization and abuses of prosecutorial discretion.”
The impact of Bondi’s memo goes beyond FITF, according to current and former FBI officials. It’s a disincentive for any FBI agent to take up a case involving Russian election influence.
“Say the Russians influence the election again — I’m worried that we won’t know it until after the fact,” the ex-FBI official said.
In a statement to CNN, the FBI said it continues to pursue cases related to “foreign influence efforts by adversarial nations.”
“The Counterintelligence Division and our field offices work together to defend the homeland against all foreign influence efforts, including any attempts at election interference,” the FBI said.
The Cyber Command operation against Russian trolls in 2024 followed the Justice Department’s public disclosure that it had seized internet domains used by the trolls. US officials saw the hacking as an added, clandestine counter-punch to complement the law enforcement seizure. Under the second Trump administration, the public may not know if the Justice Department takes such an action leading up to an election.
After Trump won the 2024 election, a planning document used by his transition team and reviewed by CNN lamented a “surge in politicization and meddling in US politics by US intelligence agencies,” and said the Justice Department and the FBI should revisit how they communicate threats to the public, “e.g. in announcing indictments of foreign hackers or getting involved in threats to election security in partisan ways.”
Working with local election offices
Cyber Command, the NSA and other parts of the US intelligence community began playing a more prominent role in the cyber defense of US elections after the Russian intervention in 2016. The federal Cybersecurity and Infrastructure Security Agency emerged as a conduit between those powerful military and spy agencies and local election offices, building trust with those offices and passing on intelligence on foreign threats. Trump signed a law establishing CISA as a part of the Department of Homeland Security during his first term.
But Trump and his top advisers never forgave CISA’s leadership for saying the 2020 election was secure. They accused CISA of “censoring” conservative voices when in the first Trump term, at the urging of Republican and Democratic election officials, the agency flagged to social media platforms posts that spread false information about voting. The second Trump administration last year paused all of CISA’s election security work and reassigned the agency’s election specialists or put them on administrative leave
CISA spokespeople say the agency still offers some cybersecurity services to election offices, as it does other sectors. But election officials say the impact from the cuts to so many offices, including CISA, is clear.
A day after the US bombed Iranian nuclear facilities in June, pro-Iranian hackers breached an Arizona state election website and replaced candidates’ photos with an image of Iran’s Supreme Leader Ayatollah Ali Khamenei. It had echoes of 2020, when, according to the FBI, Iranian hackers set up a website with violent threats to election officials.
But while CISA was central to the federal response to the 2020 incident — and communicated proactively with election officials then — Arizona election officials now say they are not getting the same level of collaboration with the agency. In a statement to CNN, a CISA official said the agency “worked with Arizona and provided direct assistance to support their response efforts.”
The cuts to CISA have “drastically reduced national visibility into foreign threats and increased the potential for security failures,” Moser, the former CISA election security official, told CNN. “While state and local officials take great care to secure elections, now they are effectively being siloed and expected to combat sophisticated nation-state adversaries with severely limited federal support.”
A CISA spokesperson said: “Every day, DHS and CISA are providing our partners the most capable and timely threat intelligence, expertise, no-cost tools and resources these partners need to defend against risks.”
Foreign powers, with the help of artificial intelligence, will continue to target American voters with disinformation, the ODNI said in its annual worldwide threat assessment published in March.
“Reinforcing doubt in the integrity of the U.S. electoral system achieves one of (Russia’s) core objectives,” the intelligence report says.
China, in particular, is making alarming leaps in AI-powered influence activity, according to researchers at Vanderbilt University’s Institute of National Security. In August, the institute published documents leaked from a Chinese firm that appear to show it targeting the 2024 Taiwan election with a wave of social media posts. The Chinese firm has also put together profiles on at least 117 members of Congress and more than 2,000 American political figures and “thought leaders,” according to the research.
“This election cycle, foreign governments will be able to use AI tools to essentially whisper in the ear of anyone they target,” said Emerson Brooking, a former Pentagon cyber policy adviser who now studies influence operations at the Atlantic Council’s Digital Forensic Research Lab. “And the Trump team isn’t just unprepared; they’ve deliberately knocked down a lot of the defenses built over the past eight years.”
Last year, Gabbard and Iowa GOP Sen. Chuck Grassley released declassified intelligence documents related to the FBI and intelligence community’s probes of Russian influence on the 2016 election. Contrary to Gabbard’s public claims, the documents do not show the probes were a hoax. But they do show the lengths to which Russia’s SVR foreign intelligence service was willing to go either to impress their Kremlin bosses or to play mind games with US officials analyzing the hack, according to Michael van Landingham, a former CIA analyst, and Alex Orleans, a counterintelligence researcher.
That Americans are still arguing about Russia’s 2016 influence operations 10 years later is exactly what Russian intelligence hoped for, they said.
“SVR officers are definitely dining out on the fact that our national discourse still can’t fully escape the riptides of 2016,” Orleans told CNN.
CNN’s Katie Bo Lillis and Evan Perez contributed to this report.
politico.com
By John Sakellariadis
01/27/2026 03:30 PM EST
The interim director of the Cybersecurity and Infrastructure Security Agency triggered an internal cybersecurity warning with the uploads — and a DHS-level damage assessment.
The interim head of the country’s cyber defense agency uploaded sensitive contracting documents into a public version of ChatGPT last summer, triggering multiple automated security warnings that are meant to stop the theft or unintentional disclosure of government material from federal networks, according to four Department of Homeland Security officials with knowledge of the incident.
The apparent misstep from Madhu Gottumukkala was especially noteworthy because the acting director of the Cybersecurity and Infrastructure Security Agency had requested special permission from CISA’s Office of the Chief Information Officer to use the popular AI tool soon after arriving at the agency this May, three of the officials said. The app was blocked for other DHS employees at the time.
None of the files Gottumukkala plugged into ChatGPT were classified, according to the four officials, each of whom was granted anonymity for fear of retribution. But the material included CISA contracting documents marked “for official use only,” a government designation for information that is considered sensitive and not for public release.
Cybersecurity sensors at CISA flagged the uploads this past August, said the four officials. One official specified there were multiple such warnings in the first week of August alone. Senior officials at DHS subsequently led an internal review to assess if there had been any harm to government security from the exposures, according to two of the four officials.
It is not clear what the review concluded.
In an emailed statement, CISA’s Director of Public Affairs Marci McCarthy said Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” and that “this use was short-term and limited.” McCarthy added that the agency was committed to “harnessing AI and other cutting-edge technologies to drive government modernization and deliver on” Trump’s executive order removing barriers to America’s leadership in AI.
The email also appeared to dispute the timeline of POLITICO’s reporting: “Acting Director Dr. Madhu Gottumukkala last used ChatGPT in mid-July 2025 under an authorized temporary exception granted to some employees. CISA’s security posture remains to block access to ChatGPT by default unless granted an exception.”
Gottumukkala is currently the senior-most political official at CISA, an agency tasked with securing federal networks against sophisticated, state-backed hackers from adversarial nations, including Russia and China.
Any material uploaded into the public version of ChatGPT that Gottumukkala was using is shared with ChatGPT-owner OpenAI, meaning it can be used to help answer prompts from other users of the app. OpenAI has said the app has more than 700 million total active users.
Other AI tools now approved for use by DHS employees — such as DHS’s self-built AI-powered chatbot, DHSChat — are configured to prevent queries or documents input into them from leaving federal networks.
Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it,” said the first official.
All federal officials are trained on the proper handling of sensitive documents. According to DHS policy, security officials are also supposed to investigate the “cause and affect” of any exposure of official use documents, and determine the “appropriateness” of any administrative or disciplinary action. Depending on the circumstances, those could range from things like mandatory retraining or a formal warning, to more serious measures, like the suspension or revocation of a security clearance, said one of the four officials.
After DHS detected the activity, Gottumukkala spoke with senior officials at DHS to review what he uploaded into ChatGPT, said two of the four officials. DHS’s then-acting general counsel, Joseph Mazzara, was involved in the effort to assess any potential harm to the department, according to the first official. Antoine McCord, DHS’s chief information officer, was also involved, according to a second official.
Gottumukkala also had meetings this August with CISA’s chief information officer, Robert Costello, and its chief counsel, Spencer Fisher, about the incident and the proper handling of for official use only material, the four people said.
Mazzara and Costello did not respond to requests for comment. McCord and Fisher could not be reached for comment.
Gottumukkala has helmed the agency in an acting capacity since May, when he was appointed by DHS Secretary Kristi Noem as its deputy director. Donald Trump’s nominee to head CISA, DHS special adviser Sean Plankey, was blocked last year by Sen. Rick Scott (R-Fla.) over a Coast Guard shipbuilding contract. A date for his new confirmation hearing has not been set.
Gottumukkala’s tenure atop the agency has not been smooth — and this would not be his first security-related incident.
At least six career staff were placed on leave this summer after Gottumukkala failed a counterintelligence polygraph exam that he pushed to take, as POLITICO first reported. DHS has called the polygraph “unsanctioned.” Asked during Congressional testimony last week if he was “aware” of the failed test, Gottumukkala twice told Rep. Bennie Thompson (D-Miss.) that he did not “accept the premise of that characterization.”
And last week, Gottumukkala tried to oust Costello, CISA’s CIO, before other political appointees at the agency intervened to block the move.
ctrlaltnod.com
Emanuel DE ALMEIDA
January 29, 2026
SonicWall cloud breach led to ransomware attack affecting 74+ US banks and 400,000+ individuals via Marquis Software Solutions compromise.
TL;DR
Marquis Software Solutions suffered a ransomware attack on August 14, 2025, affecting over 74 U.S. banks and credit unions and compromising data of 400,000+ individuals
Investigation revealed attackers exploited configuration data stolen from SonicWall's cloud backup service breach in September 2025
State-sponsored hackers accessed SonicWall's MySonicWall cloud service via API calls, initially affecting "less than 5%" but later confirmed to impact all cloud backup customers
The attack bypassed Marquis's firewall defenses using stolen configuration files rather than exploiting CVE-2024-40766 as initially suspected
Marquis is pursuing legal recourse against SonicWall and evaluating options to recover expenses from the incident
Verified Timeline
August 14, 2025 — Marquis Software Solutions detected suspicious network activity and confirmed ransomware attack, initiated investigation with cybersecurity experts
September 17, 2025 — SonicWall disclosed security incident involving unauthorized access to MySonicWall cloud backup files, initially reporting less than 5% of firewall customers affected
October 9, 2025 — SonicWall updated disclosure, confirming all customers using cloud backup service were impacted
November 5, 2025 — SonicWall attributed breach to state-sponsored hackers who accessed cloud backup files via API call
December 3, 2025 — Marquis began notifying affected banks and credit unions about data breach from August ransomware attack
January 29, 2026 — Marquis publicly attributed ransomware attack to exploitation of configuration data from SonicWall's cloud backup breach
What We Know vs. What's Unclear
Confirmed
State-sponsored hackers breached SonicWall's MySonicWall cloud service in September 2025
All SonicWall customers using cloud backup service were affected, not just 5% as initially reported
Attackers accessed firewall configuration backup files via API calls
Marquis ransomware attack on August 14, 2025 affected 74+ U.S. financial institutions
Over 400,000 individuals had personal information compromised
Attackers used stolen SonicWall configuration data to circumvent Marquis firewall defenses
CVE-2024-40766 was not the primary attack vector as initially suspected
Unclear or Unconfirmed
Identity of the state-sponsored threat group behind SonicWall breach
Specific ransomware family used in Marquis attack
Exact method attackers used configuration data to bypass security controls
Whether the same threat actors were responsible for both SonicWall breach and Marquis attack
Full scope of additional organizations potentially compromised using stolen SonicWall data
Timeline between SonicWall data theft and Marquis attack initiation
Who Is Affected
This interconnected breach affected multiple stakeholder groups across the financial services sector:
Primary Victims: Marquis Software Solutions, a Texas-based financial services provider, serves as the central victim of the ransomware attack that leveraged stolen SonicWall configuration data.
Financial Institutions: Over 74 U.S. banks and credit unions that utilize Marquis services experienced data exposure. These institutions face potential regulatory scrutiny, customer trust erosion, and compliance obligations under financial data protection regulations.
Individual Consumers: More than 400,000 individuals associated with affected financial institutions had sensitive personal information compromised, including Social Security numbers, Taxpayer Identification Numbers, financial account details, and personal identifiers.
SonicWall Customers: All customers using SonicWall's MySonicWall cloud backup service experienced configuration file exposure, potentially enabling similar attacks against other organizations using compromised firewall settings.
Broader Impact: The incident demonstrates supply chain vulnerability risks, where third-party service breaches can enable downstream attacks against customers who may have maintained otherwise secure configurations.
Technical Details
SonicWall Breach Vector: State-sponsored hackers accessed SonicWall's MySonicWall cloud service through API calls, successfully extracting firewall configuration backup files stored in the cloud environment. The breach occurred in September 2025, with SonicWall initially underestimating the scope before confirming all cloud backup customers were affected.
CVE-2024-40766 Context: Initially suspected as the attack vector, CVE-2024-40766 represents an improper access control vulnerability in SonicWall's SSLVPN feature that allows authentication bypass. This critical vulnerability was patched by SonicWall in August 2024, but investigators determined it was not the primary attack method used against Marquis.
Attack Methodology: Rather than exploiting unpatched vulnerabilities, attackers leveraged configuration data stolen from SonicWall's cloud service to understand and circumvent Marquis's firewall defenses. The specific technical methods used to weaponize configuration files have not been disclosed.
Ransomware Details: The specific ransomware family deployed against Marquis has not been publicly disclosed. The incident reflects broader trends where ransomware groups adopt new tactics to maximize impact and evade traditional security measures. Technical indicators of compromise and malware signatures remain unavailable in public reporting.
CVSS Scoring: CVE-2024-40766 maintains critical severity ratings, though specific CVSS scores were not confirmed in available sources. The vulnerability's critical classification reflects its potential for authentication bypass in SSLVPN implementations.
Detection & Validation
Organizations can implement several detection strategies to identify potential exploitation of stolen configuration data:
Firewall Configuration Monitoring: Implement continuous monitoring of firewall rule changes, VPN configuration modifications, and access control list updates. Establish alerts for unauthorized configuration changes or suspicious administrative access patterns.
Network Traffic Analysis: Monitor for unusual network traffic patterns that might indicate attackers leveraging knowledge of internal network configurations. Focus on connections to previously unknown external IP addresses or unexpected internal network traversal.
Authentication Log Review: Examine VPN and administrative access logs for successful authentication attempts using compromised credentials or from unexpected geographic locations. Look for authentication events occurring outside normal business hours.
API Activity Monitoring: For organizations using cloud-based firewall management services, monitor API call patterns and authenticate all management interface access. Implement alerting for bulk configuration downloads or unusual API usage patterns.
Endpoint Detection: Deploy endpoint detection and response tools to identify lateral movement techniques that attackers might employ after gaining initial access through compromised firewall configurations.
Specific IOCs: Specific indicators of compromise related to this incident have not been publicly disclosed by affected organizations or security vendors.
Mitigation & Hardening
Immediate Credential Reset: Reset all credentials, API keys, and authentication tokens used by users, VPN accounts, and administrative services. This includes service accounts and automated system credentials that may have been exposed in configuration files.
Firewall Configuration Audit: Conduct comprehensive review of current firewall rules, VPN configurations, and access control policies. Compare current settings against known-good baselines to identify unauthorized modifications.
Multi-Factor Authentication Implementation: Deploy MFA across all administrative interfaces, VPN connections, and cloud management portals. Prioritize hardware-based tokens or certificate-based authentication for high-privilege accounts.
Network Segmentation Review: Reassess network segmentation strategies to limit potential lateral movement if perimeter defenses are compromised. Implement zero-trust principles for internal network communications.
Cloud Service Security Assessment: Evaluate security posture of all third-party cloud services, particularly those handling configuration data or backup files. Implement additional encryption and access controls where possible.
Patch Management Acceleration: Ensure all network security devices receive priority patching, particularly SonicWall devices that should be updated to address CVE-2024-40766 and other known vulnerabilities.
Monitoring Enhancement: Deploy enhanced network monitoring tools to detect configuration-based attacks and unusual administrative activity. Establish baselines for normal network behavior patterns.
Incident Response Planning: Update incident response procedures to address supply chain compromise scenarios where third-party service breaches enable downstream attacks.
FAQ
How did attackers use SonicWall configuration data to compromise Marquis?
According to Marquis's statement, attackers leveraged configuration data extracted from SonicWall's cloud backup breach to circumvent their firewall defenses. The stolen configuration files likely contained network topology information, firewall rules, and security policies that attackers used to identify weaknesses and craft targeted bypass techniques. Specific technical details of how configuration data was weaponized have not been publicly disclosed.
Were SonicWall customers who don't use cloud backup affected?
No, the SonicWall breach specifically affected customers using the MySonicWall cloud backup service. Organizations that maintain local-only firewall configurations and don't utilize SonicWall's cloud backup features were not directly impacted by the configuration file theft. However, all SonicWall customers should ensure they have applied patches for CVE-2024-40766 and other known vulnerabilities.
What legal action is Marquis taking against SonicWall?
Marquis has indicated they are evaluating options with respect to SonicWall, including seeking recoupment of expenses incurred due to the incident. The company has not specified whether formal legal proceedings have been initiated, but they are exploring potential avenues for recovering costs related to the breach investigation, customer notification, and remediation efforts.
How can organizations protect against similar supply chain attacks?
Organizations should implement multiple defensive layers including vendor risk assessments, contractual security requirements for third-party services, monitoring of cloud service provider security bulletins, and incident response procedures that account for supply chain compromises. Recent incidents like Ingram Micro's ransomware attack and ransomware attacks on major firms demonstrate the importance of maintaining defense-in-depth strategies that ensure single points of failure in vendor services don't compromise entire security postures. Organizations should also stay informed about emerging threats, such as new ransomware techniques being adopted by threat actors.
