
Brute-force cyberattacks originating in Middle East surge in Q1 - Cybersecurity Dive

Cybersecurity Dive Archived May 05, 2026 ✓ Full text saved

Hackers have primarily targeted SonicWall and Fortinet FortiGate devices, according to researchers.

Published April 14, 2026
David Jones, Reporter

A surge of brute force authentication attacks targeted network devices during the first quarter of 2026, with the vast majority of threat activity coming from the Middle East, according to a report released Tuesday by Barracuda.

Almost 90% of the brute-force attacks originated from various Middle East locations, and the leading targets were SonicWall and Fortinet FortiGate devices, according to Barracuda researchers. These attacks accounted for more than half of all of the threat activity tracked by Barracuda between February and March.

“These attacks were identified based on the geo-location of the IPs involved, nearly all originating from the Middle East,” Anthony Fusco, manager of cybersecurity analysts at Barracuda, told Cybersecurity Dive.

Fusco noted that IP addresses alone are not considered a reliable indicator, but said it was “safe to assume” that a combination of state-linked and professional groups were involved. Attacks from opportunistic groups were also likely involved.

Hackers have been aggressively scanning perimeter devices for weak or exposed credentials, according to the blog post.

The surge in brute force activity coincided with increased targeting from Iran-nexus groups after the U.S. and Israel launched a bombing campaign in late February. U.S. authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency, warned last week that Iran-linked hackers have targeted water, energy and other critical infrastructure sites in the U.S.

Barracuda researchers could not explicitly link the surge in threat activity to the war, but the timeline overlaps with increased tension in the region.

Security teams should enforce the use of multifactor authentication on firewalls and VPNs and use complex passwords, according to Barracuda. Also, organizations should monitor for repeated, failed login attempts.

The focus on SonicWall and Fortinet is not unexpected, according to researchers. These devices are considered “high-value targets for initial access,” as they sit at the edge of remote access.

SonicWall customers in late summer 2025 were hit by a wave of brute force attacks against the MySonicWall cloud backup service. Those attacks were linked to a state-sponsored threat actor.

FortiGate appliances have been targeted in recent months by hackers using malicious single-sign-on logins, according to researchers at Arctic Wolf.