[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLBxutZS99jA5XKiOkbTTYsz7h9RXFysdMV8retCpA48":3},{"article":4,"iocs":57},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"e62d812b-7e78-403f-a551-e958efa2a0ed","Russian Initial Access Broker Behind FortiBleed Campaign","russian-initial-access-broker-behind-fortibleed-campaign-93f9ff","Using a custom sniffer, the threat actor has captured over 110 million credentials since at least February 2026. The post Russian Initial Access Broker Behind FortiBleed Campaign appeared first on SecurityWeek.","A Russian initial access broker is behind the FortiBleed campaign, targeting over 430,000 FortiGate firewalls and other network devices since at least February. The operation uses custom tools like FortigateSniffer to capture and crack over 110 million credentials, potentially exposing entire identity layers and supply chains. The campaign's scope includes various VPNs and authentication protocols, with a recent compromise of a NATO-aligned defense contractor suggesting possible links to state-sponsored groups or sales to ransomware gangs.","Russian IAB targets 430k FortiGate firewalls, harvesting 110M credentials via FortiBleed campaign.","A Russian initial access broker (IAB) is targeting over 430,000 FortiGate firewalls as part of the FortiBleed credential-harvesting campaign, SOCRadar reports. Discovered last week, the campaign has been ongoing since at least February, and was initially believed to be Fortinet-exclusive. But it is not. In a fresh report (PDF), SOCRadar explains that FortiBleed is in fact a multi-vendor credential and access operation, likely mounted by a financially motivated threat actor. 
“Attackers compromise exposed firewalls, harvest the authentication traffic and credentials passing through them, crack what they capture, and sell that access on,” the company told SecurityWeek. Over 430,000 FortiGate firewalls worldwide are within the scope of the campaign and, of the 80,000 identified targets, more than 19,000 are still being actively sniffed, using a custom Golang tool dubbed FortigateSniffer. The cybersecurity company’s investigation has uncovered hundreds of servers and more than 650 credential-harvesting pipelines used as part of the operation. Overall, it estimates that more than 110 million credentials were compromised. “Because the firewall sits at the network edge, a compromise there can expose an organization’s entire identity layer — and the campaign reaches deep into supply chains, since MSPs and IT-services firms that manage Fortinet devices for others are squarely in the targeting,” SOCRadar says. As part of the campaign, the threat actor uses tools such as Masscan and Shodan to identify vulnerable FortiGate appliances, and then compromises them in SSH brute-force attacks. Next, they deploy network sniffers to capture cleartext credentials and password hashes, and then crack, validate, and use them for lateral movement against Active Directory domains and other services. Ultimately, the attackers exfiltrate sensitive data from network shares and rely on stolen session cookies to establish persistent access to the compromised environments. FortigateSniffer, the most important tool in the operation, abuses the legitimate FortiOS diagnostic command to passively capture authentication traffic across 24 protocols. The sniffer was likely built with the assistance of the AI-powered autonomous penetration testing agent CyberStrike. The earliest artifacts associated with the campaign are from February and point to the scanning of Sophos SSL-VPN and RDWeb portals. 
MSSQL credentials, RDPs, Citrix SSL-VPNs, and RADIUS, NTLM, and Kerberos data are also within the campaign’s scope. SOCRadar identified two credential sources maintained by the attackers. One combines data from previous leaks with purchased datasets, targeting multiple vendors, and the other includes 16 dictionaries specifically curated for FortiGate admin accounts. “This large-scale data collection culminated on June 15 with the successful offline cracking of Kerberos hashes and the immediate, targeted exfiltration of DFS backup data from a NATO-aligned defense contractor,” SOCRadar notes. The defense contractor’s compromise suggests the threat actor behind FortiBleed, likely a Russian-speaking IAB, may collaborate with Russian state-sponsored groups. However, it may also sell acquired access to ransomware gangs. “The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees. The actor targets multiple sectors and regions, with notable emphasis on the United States and India,” SOCRadar says. Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek. 
","https:\u002F\u002Fwww.securityweek.com\u002Frussian-initial-access-broker-behind-fortibleed-campaign\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F09\u002FRussian-hacking.jpeg","2026-06-23T10:30:46+00:00","2026-06-23T12:00:19.417527+00:00",9,[18,21,24,27,30,32],{"name":19,"type":20},"Russian Initial Access Broker","threat_actor",{"name":22,"type":23},"FortiGate","product",{"name":25,"type":26},"Fortinet","vendor",{"name":28,"type":29},"Firewall","technology",{"name":31,"type":29},"Active Directory",{"name":33,"type":23},"CyberStrike","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":34,"icon":36,"name":37,"slug":38},null,"Threat Intelligence","threat-intelligence",[40,45,50,55],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":56},{"id":34,"icon":36,"name":37,"slug":38},[58],{"type":54,"value":59,"context":60},"FortigateSniffer","Custom Golang tool used for credential harvesting in the FortiBleed campaign."]