Sweeping Credential-Harvesting Heist Compromises 30K+ Fortinet Devices
A Russian-speaking threat actor has compromised over 30,000 Fortinet firewalls and VPN gateways across 194 countries in an automated credential-harvesting campaign that feeds stolen passwords back into the attack chain.

A large-scale cyber espionage and credential-harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries. Researchers from SOCRadar discovered the campaign, which they believe is the work of a Russian-speaking threat actor, when they found an exposed operational server belonging to the attackers. The server gave them visibility into the group's tooling, victim database, automation infrastructure, and verified credential repository, according to a report published Tuesday.
The attackers' database contains login credentials for 30,791 devices belonging to companies and government organizations across 194 countries. "These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock," SOCRadar noted. The compromised devices so far span 21,108 unique IP addresses and 8,316 unique domains across the government, telecommunications, healthcare, education, financial services, and critical infrastructure sectors. Telecommunications accounted for over 5,600 compromised devices, while government organizations accounted for 591 devices across 111 domains. Enterprises with more than $1 billion in annual revenue owned over 20% of the affected devices, and India and the United States together accounted for nearly one-third of all identified credential compromises.
The operation is built around a self-sustaining, fully automated attack chain. The attackers scan the Internet for Fortinet devices and then run credential reuse, credential stuffing, and password spraying against the exposed management and VPN interfaces. The process is seeded with previously leaked Fortinet credentials, and every successful login is continuously re-validated by the automated scanning infrastructure. Once a device is compromised, the attackers "use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by," according to the report. The freshly collected passwords are then fed back into the scanner to compromise still more devices, so that "the system feeds itself."
Analysis of the compromised accounts pointed to weaknesses in the victims' own credential practices rather than in the devices: many were generic administrator accounts, default or built-in Fortinet system accounts, or long-lived accounts whose passwords had never been rotated after earlier breaches. SOCRadar emphasized that it found no evidence of exploitation of a Fortinet flaw in the operation and treats it strictly as a credential-compromise campaign, though one that should be taken seriously.
Given that the attack remains active and "Fortinet firewalls and VPN gateways are among the most widely deployed network security devices in the world," the ongoing threat is rated "critical" and demands an immediate response from affected organizations. "If your organization uses a Fortinet firewall or VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately," according to SOCRadar.
SOCRadar also concluded that the attack is consistent with Russian-speaking threat actors, given that the tooling, infrastructure choices, and victim selection were "heavily weighted toward organizations in NATO member countries." The attackers also appear to be motivated not only by financial gain but by potential cyberespionage, as credentials for what appears to be a defense industry VPN endpoint were among the recovered data. Though the operation seems highly professional, the attackers made a significant mistake in leaving a server exposed that revealed clues to their identities and motives.
The campaign demonstrates the scale at which attackers can weaponize credential reuse and poor password hygiene when automation is a core part of their strategy. Because no product vulnerability is involved, patching alone does not close the exposure. Any organization using Fortinet firewalls or VPNs should take immediate action: rotate all administrative and VPN credentials, enable MFA on all remote-access and administrative accounts, review authentication and VPN logs for suspicious access (in particular, a burst of failed logins across many usernames from one source address followed by a success), remove public exposure of management interfaces where possible, and upgrade devices to current firmware.
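The attack chain described above (spray a single source's list of usernames and passwords at the SSL VPN, then reuse whatever works) leaves a recognizable footprint in FortiGate event logs, and the log review recommended here is the cheapest way to spot it. The following is an added example, not SOCRadar's tooling or any Fortinet code: a small Python detector that parses FortiGate-style key=value SSL VPN event lines, flags source addresses that fail against many distinct usernames inside a sliding window (password spraying), and raises the priority of any successful tunnel that a previously failing source then establishes (a stuffed credential that worked). The log lines are constructed for the example, and the field names and action values (`remip`, `user`, `action="ssl-login-fail"`, `action="tunnel-up"`) are assumptions to be checked against the log reference for the firmware actually deployed.

```python
"""Spot password spraying and credential stuffing in FortiGate-style SSL VPN logs.

Added example for illustration; not SOCRadar's or Fortinet's code.
Field names and action values below are assumptions about the log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# FortiGate event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed action values for a failed SSL VPN login and a successful tunnel.
FAIL_ACTIONS = {"ssl-login-fail"}
SUCCESS_ACTIONS = {"tunnel-up"}

# Constructed sample: one source sprays five usernames and then logs in as
# "backup"; a second source is a user mistyping a password once (benign).
SAMPLE_LOGS = """\
date=2025-01-14 time=02:10:01 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="admin" reason="sslvpn_login_permission_denied"
date=2025-01-14 time=02:10:04 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="fortinet" reason="sslvpn_login_permission_denied"
date=2025-01-14 time=02:10:07 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="guest" reason="sslvpn_login_permission_denied"
date=2025-01-14 time=02:10:11 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="vpnuser" reason="sslvpn_login_permission_denied"
date=2025-01-14 time=02:10:15 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="backup" reason="sslvpn_login_permission_denied"
date=2025-01-14 time=02:10:20 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.5 user="backup" tunneltype="ssl-tunnel"
date=2025-01-14 time=02:30:00 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied"
date=2025-01-14 time=02:30:12 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="alice" tunneltype="ssl-tunnel"
"""


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def event_time(ev):
    """Combine the date and time fields into a datetime for window arithmetic."""
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def analyze(lines, spray_threshold=5, window_seconds=600):
    """Return spraying sources and suspicious successful logins.

    spraying_sources: remip -> number of distinct usernames failed within the window.
    suspicious_logins: successes from a source that failed earlier; severity is
    "high" when that source was already flagged as spraying, else "low".
    """
    events = [parse_line(l) for l in lines if l.strip()]
    events = [e for e in events if e.get("subtype") == "vpn" and "date" in e and "time" in e]
    events.sort(key=event_time)

    fails_by_src = defaultdict(list)  # remip -> [(time, user), ...] within window
    findings = {"spraying_sources": {}, "suspicious_logins": []}

    for ev in events:
        src, user, now = ev.get("remip"), ev.get("user"), event_time(ev)
        action = ev.get("action")
        if action in FAIL_ACTIONS:
            fails_by_src[src].append((now, user))
            # Keep only failures inside the sliding window, then count usernames.
            recent = [(t, u) for t, u in fails_by_src[src]
                      if (now - t).total_seconds() <= window_seconds]
            fails_by_src[src] = recent
            distinct_users = {u for _, u in recent}
            if len(distinct_users) >= spray_threshold:
                findings["spraying_sources"][src] = len(distinct_users)
        elif action in SUCCESS_ACTIONS:
            prior = fails_by_src.get(src, [])
            if prior:  # success after failures from the same source
                findings["suspicious_logins"].append({
                    "remip": src,
                    "user": user,
                    "time": f"{ev['date']} {ev['time']}",
                    "prior_failures": len(prior),
                    "severity": "high" if src in findings["spraying_sources"] else "low",
                })
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS.splitlines())
    for src, n in result["spraying_sources"].items():
        print(f"SPRAY   {src}: {n} distinct usernames failed")
    for hit in result["suspicious_logins"]:
        print(f"LOGIN   [{hit['severity']}] {hit['user']}@{hit['remip']} at {hit['time']} "
              f"after {hit['prior_failures']} failures")
```

Run against an exported event log (`execute log filter` output or a syslog feed), the high-severity hits are the ones to act on first: a source that burned through many usernames and then obtained a tunnel is exactly the stuffed or reused credential the campaign relies on, and that account should be rotated and its sessions terminated before anything else. The threshold and window are deliberately loose; tune them to the login volume of the device.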
New research from Hudson Rock and Volodymyr Diachenko has revised the scale of the campaign sharply upward, identifying 73,932 compromised Fortinet firewall URLs across 194 countries, more than double the earlier estimate of 30,000 devices. The attackers have now been confirmed to have exfiltrated classified defense documents from a Turkish NATO contractor, and the verified victim list includes Foxconn, Samsung, Siemens, PwC, and Comcast. The group is also cracking intercepted SSL VPN authentication hashes offline on a dedicated 45-GPU cluster managed with Hashtopolis, a detail not previously reported.
The Register reports that the campaign, now dubbed FortiBleed, has compromised approximately 75,000 devices and affected 21,632 unique domains, including Foxconn, Samsung, and Comcast. Hudson Rock and researcher Kevin Beaumont verified the stolen credentials as legitimate; notably, many of the compromised devices were running recent firmware, consistent with a credential-based rather than exploit-based intrusion. Shodan data suggests the haul covers about half of all Internet-facing Fortinet firewalls. The attackers fully compromised at least four organizations, including the Turkish NATO defense contractor from which classified documents were stolen.