Ethical Hacking News

The FortiBleed Operation: A Detailed Analysis of a Large-Scale Russian Credential-Harvesting Campaign



FortiBleed is a large-scale Russian credential-harvesting operation targeting FortiGate firewalls globally, exposing over 110 million credentials across 659+ harvesting pipelines. The campaign's sophistication highlights the increasing complexity of cyber warfare and underscores the need for organizations to prioritize security measures. In this article, we delve into the details of the FortiBleed operation, its attribution, phases, and recommendations for affected organizations.

  • FortiBleed is a large-scale credential-theft operation targeting FortiGate firewalls globally, identified as one of the most significant operations of 2026 by STRU.
  • The operation uses a five-phase attack chain: mass reconnaissance, ranking targets by revenue, and SSH brute-force for initial access, followed by credential capture and lateral movement.
  • The campaign abuses a legitimate FortiOS diagnostic command to capture authentication traffic across various protocols from compromised devices.
  • Eastern European micro-hosters with Russian origin are attributed as the actors behind the operation.
  • The targeting is opportunistic, focusing on organizations with fewer than 200 employees and annual revenues below $100 million globally.



    FortiBleed, a large-scale and financially motivated operation targeting FortiGate firewalls globally, has been identified by the SOCRadar Threat Research Unit (STRU) as one of the most significant credential-theft operations of 2026. This campaign marks a significant escalation in cyber warfare and highlights the increasing sophistication of threat actors.

    The FortiBleed operation began with the exposure of a single directory flagged by security researcher Volodymyr "Bob" Diachenko, which led STRU to investigate further. The team traced the operation to over 150 additional servers, building a near-complete picture of the actor's infrastructure, tooling, and operational workflow. This level of visibility is what separates this analysis from others.

    The FortiBleed campaign uses a five-phase attack chain that includes:

    1. Credential sourcing and mass reconnaissance using tools like Masscan for port sweeps, a custom Shodan_Recon tool for passive enrichment, and a purpose-built FortiProbe-fast binary to filter confirmed FortiGate devices from millions of raw scan results.
    2. Ranking targets by revenue before any exploitation resources are allocated, indicating deliberate operational planning rather than opportunistic spraying.
    3. Initial access through SSH brute-force using 16 wordlists specifically curated for FortiGate admin account naming conventions, alongside credential stuffing against SSL-VPN portals.
    4. The core of the operation is a Golang-based tool called FortigateSniffer, which abuses the legitimate FortiOS diagnostic command "diagnose sniffer packet" to passively capture authentication traffic across 24 protocols (Kerberos, RADIUS, NTLM, RDP, LDAP, MSSQL, and more) from every compromised device.
    5. The final phases cover lateral movement across Active Directory environments and, in at least one confirmed case, the targeted exfiltration of DFS backup data from a NATO-aligned defense contractor.

    The FortiBleed operation is attributed to Eastern European micro-hosters with Russian origin. The actor profile is consistent with an Initial Access Broker selling access to ransomware groups. However, the targeting of a NATO-aligned defense contractor raises the possibility of at least opportunistic collaboration with state-adjacent actors.

    The campaign targets organizations with fewer than 200 employees and annual revenues below $100 million, primarily in IT services, with India, the United States, and Taiwan accounting for nearly a third of affected domains. The operation appears to be global and opportunistic rather than geopolitically focused.

    In light of this report, organizations potentially in scope are advised to take immediate action:

    * Rotate all credentials tied to Fortinet VPN and administrative interfaces
    * Enforce MFA (Multi-Factor Authentication)
    * Remove FortiGate management interfaces from direct internet exposure
    * Review authentication logs for anomalous activity
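    One way to act on the last recommendation is to run the three FortiBleed stages the report describes (SSH admin brute-force, a later successful login from the same source, and invocation of "diagnose sniffer packet") as checks over FortiGate event logs. The script below is an added example, not code from STRU or SOCRadar; it assumes FortiOS-style key=value syslog lines, and the sample lines, field names such as logdesc and ui, and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiOS-style key=value syslog form (made up for this
# example; logdesc/ui field values are assumptions, not captured device output).
SAMPLE_LOGS = """\
date=2026-06-20 time=03:12:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7
date=2026-06-20 time=03:12:02 type="event" subtype="system" logdesc="Admin login failed" user="fortiadmin" ui="ssh(203.0.113.7)" srcip=203.0.113.7
date=2026-06-20 time=03:12:03 type="event" subtype="system" logdesc="Admin login failed" user="fgtadmin" ui="ssh(203.0.113.7)" srcip=203.0.113.7
date=2026-06-20 time=03:12:04 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7
date=2026-06-20 time=03:20:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7
date=2026-06-20 time=03:21:09 type="event" subtype="system" logdesc="Admin command" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7 msg="diagnose sniffer packet any"
date=2026-06-20 time=09:00:12 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(192.0.2.10)" srcip=192.0.2.10
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_logs(text):
    """Turn each key=value line into a dict of string fields."""
    return [{k: (q or b) for k, q, b in KV_RE.findall(line)}
            for line in text.splitlines() if line.strip()]

def find_ssh_bruteforce(events, threshold=4, window_seconds=60):
    """Map source IP -> failure count for sources with >= threshold failed
    SSH admin logins inside any window_seconds span (the brute-force stage)."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("logdesc") == "Admin login failed" and ev.get("ui", "").startswith("ssh("):
            fails[ev["srcip"]].append(datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for src, times in fails.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window from each failure
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if n >= threshold:
                hits[src] = n
                break
    return hits

def find_sniffer_use(events):
    """List (user, srcip) for every admin command that invoked the packet sniffer."""
    return [(ev.get("user"), ev.get("srcip"))
            for ev in events if "diagnose sniffer packet" in ev.get("msg", "")]

def find_success_after_bruteforce(events, **kw):
    """Successful admin logins from a source that was brute-forcing: the top-priority alert."""
    suspects = find_ssh_bruteforce(events, **kw)
    return [(ev["srcip"], ev["user"]) for ev in events
            if ev.get("logdesc") == "Admin login successful" and ev.get("srcip") in suspects]
```

    Tune the threshold and window to the device's normal admin activity; the sniffer check fires on a single invocation because that command has no routine reason to appear in the audit trail of an internet-facing firewall.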

    The full technical report, including the complete MITRE ATT&CK mapping, IoC lists, and infrastructure breakdown, is available on socradar.io.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-FortiBleed-Operation-A-Detailed-Analysis-of-a-Large-Scale-Russian-Credential-Harvesting-Campaign-ehn.shtml

  • https://securityaffairs.com/194004/hacking/fortibleed-the-most-detailed-breakdown-yet-of-an-active-russian-credential-harvesting-operation.html


  • Published: Mon Jun 22 06:37:21 2026 by llama3.2 3B Q4_K_M
