Russian Initial Access Broker Behind FortiBleed Campaign
SecurityWeek (archived Jun 23, 2026)
Using a custom sniffer, the threat actor has captured over 110 million credentials since at least February 2026.
A Russian initial access broker (IAB) is targeting over 430,000 FortiGate firewalls as part of the FortiBleed credential-harvesting campaign, SOCRadar reports.
Discovered last week, the campaign has been ongoing since at least February and was initially believed to be Fortinet-exclusive, but it is not.
In a fresh report (PDF), SOCRadar explains that FortiBleed is in fact a multi-vendor credential and access operation, likely mounted by a financially motivated threat actor.
“Attackers compromise exposed firewalls, harvest the authentication traffic and credentials passing through them, crack what they capture, and sell that access on,” the company told SecurityWeek.
Over 430,000 FortiGate firewalls worldwide are within the scope of the campaign and, of the 80,000 identified targets, more than 19,000 are still being actively sniffed, using a custom Golang tool dubbed FortigateSniffer.
The cybersecurity company’s investigation has uncovered hundreds of servers and more than 650 credential-harvesting pipelines used as part of the operation. Overall, it estimates that more than 110 million credentials were compromised.
“Because the firewall sits at the network edge, a compromise there can expose an organization’s entire identity layer — and the campaign reaches deep into supply chains, since MSPs and IT-services firms that manage Fortinet devices for others are squarely in the targeting,” SOCRadar says.
As part of the campaign, the threat actor uses tools such as Masscan and Shodan to identify vulnerable FortiGate appliances, and then compromises them in SSH brute-force attacks.
Next, they deploy network sniffers to capture cleartext credentials and password hashes, and then crack, validate, and use them for lateral movement against Active Directory domains and other services.
Ultimately, the attackers exfiltrate sensitive data from network shares and rely on stolen session cookies to establish persistent access to the compromised environments.
FortigateSniffer, the most important tool in the operation, abuses the legitimate FortiOS diagnostic command to passively capture authentication traffic across 24 protocols. The sniffer was likely built with the assistance of the AI-powered autonomous penetration testing agent CyberStrike.
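The chain described above leaves traces in the firewall's own event logs at two early stages: the SSH brute force against the admin interface, and the later use of the device's built-in packet sniffer from an admin shell. The detection sketch below is an added example, not code from SecurityWeek or SOCRadar. It runs over constructed log lines in a key=value layout that resembles FortiOS event logs; the field names (`logdesc`, `ui`, `srcip`, `cmd`) and message strings are assumptions of the example, as is the assumption that the diagnostic command the article refers to is `diagnose sniffer packet`, the FortiOS packet-capture command.

```python
"""Detection sketch for the first two stages of the FortiBleed chain:
SSH brute force against the firewall admin login, followed by use of the
built-in packet sniffer from the compromised admin session.

Every log line here is constructed for this example. The key=value layout
resembles FortiOS event logs, but the field names and message strings are
assumptions, not a documented schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a legitimate troubleshooting capture (192.0.2.5),
# a brute force that succeeds and then starts a sniffer (203.0.113.10),
# and an operator mistyping a password twice over the web UI (198.51.100.7).
SAMPLE_LOGS = """\
date=2026-06-15 time=09:58:00 logdesc="Admin login successful" user="netops" ui=ssh srcip=192.0.2.5
date=2026-06-15 time=09:58:30 logdesc="Command executed" user="netops" ui=ssh srcip=192.0.2.5 cmd="diagnose sniffer packet port1 'port 53' 4 10"
date=2026-06-15 time=10:00:01 logdesc="Admin login failed" user="admin" ui=ssh srcip=203.0.113.10
date=2026-06-15 time=10:00:04 logdesc="Admin login failed" user="admin" ui=ssh srcip=203.0.113.10
date=2026-06-15 time=10:00:07 logdesc="Admin login failed" user="admin" ui=ssh srcip=203.0.113.10
date=2026-06-15 time=10:00:10 logdesc="Admin login failed" user="admin" ui=ssh srcip=203.0.113.10
date=2026-06-15 time=10:00:13 logdesc="Admin login failed" user="admin" ui=ssh srcip=203.0.113.10
date=2026-06-15 time=10:00:16 logdesc="Admin login failed" user="admin" ui=ssh srcip=203.0.113.10
date=2026-06-15 time=10:00:19 logdesc="Admin login successful" user="admin" ui=ssh srcip=203.0.113.10
date=2026-06-15 time=10:00:45 logdesc="Command executed" user="admin" ui=ssh srcip=203.0.113.10 cmd="diagnose sniffer packet any 'port 88 or port 1812' 6 0"
date=2026-06-15 time=10:05:00 logdesc="Admin login failed" user="jsmith" ui=https srcip=198.51.100.7
date=2026-06-15 time=10:05:20 logdesc="Admin login failed" user="jsmith" ui=https srcip=198.51.100.7
date=2026-06-15 time=10:05:40 logdesc="Admin login successful" user="jsmith" ui=https srcip=198.51.100.7
"""

# key=value pairs; values are either double-quoted (may contain spaces and
# single quotes) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed spelling of the FortiOS packet-capture command in the audit log.
SNIFFER_CMD = "diagnose sniffer packet"


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def event_time(ev):
    return datetime.fromisoformat(f"{ev['date']} {ev['time']}")


def detect_ssh_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {srcip: failure_count} for sources with at least `threshold`
    failed SSH admin logins inside any `window`-long sliding interval."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=event_time):
        if ev.get("logdesc") != "Admin login failed" or ev.get("ui") != "ssh":
            continue
        now = event_time(ev)
        hits = recent[ev["srcip"]]
        hits.append(now)
        while hits and now - hits[0] > window:  # drop failures outside the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged[ev["srcip"]] = len(hits)
    return flagged


def detect_sniffer_use(events):
    """Every admin CLI audit event that starts the packet sniffer, as
    (srcip, user, cmd). Legitimate troubleshooting shows up here too."""
    return [
        (ev["srcip"], ev["user"], ev["cmd"])
        for ev in events
        if ev.get("logdesc") == "Command executed"
        and ev.get("cmd", "").startswith(SNIFFER_CMD)
    ]


def correlate_bruteforce_then_sniffer(events):
    """Sources that tripped the brute-force rule and later ran the sniffer:
    the high-confidence signal for the chain described in the article."""
    brute = detect_ssh_bruteforce(events)
    return sorted({ip for ip, _, _ in detect_sniffer_use(events) if ip in brute})


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("SSH brute force:", detect_ssh_bruteforce(evs))
    print("Sniffer started by:", detect_sniffer_use(evs))
    print("Brute force followed by sniffer:", correlate_bruteforce_then_sniffer(evs))
```

Alerting on every sniffer invocation would page on routine troubleshooting (the `netops` capture above), which is why the correlation step only raises sources that first tripped the brute-force rule; the same idea extends to any admin login from a source the organisation does not expect, whether or not a failure burst preceded it.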
The earliest artifacts associated with the campaign are from February and point to the scanning of Sophos SSL-VPN and RDWeb portals. MSSQL credentials, RDP and Citrix SSL-VPN logins, and RADIUS, NTLM, and Kerberos authentication data are also within the campaign’s scope.
SOCRadar identified two credential sources maintained by the attackers. One combines data from previous leaks with purchased datasets, targeting multiple vendors, and the other includes 16 dictionaries specifically curated for FortiGate admin accounts.
“This large-scale data collection culminated on June 15 with the successful offline cracking of Kerberos hashes and the immediate, targeted exfiltration of DFS backup data from a NATO-aligned defense contractor,” SOCRadar notes.
The defense contractor’s compromise suggests the threat actor behind FortiBleed, likely a Russian-speaking IAB, may collaborate with Russian state-sponsored groups. However, it may also sell acquired access to ransomware gangs.
“The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees. The actor targets multiple sectors and regions, with notable emphasis on the United States and India,” SOCRadar says.
Written by Ionut Arghire, international correspondent for SecurityWeek.