Essential Insights
- A financially motivated threat actor deployed a custom Golang-based tool, FortigateSniffer, to infiltrate over 430,000 FortiGate firewalls globally, harvesting more than 110 million credentials since at least February 2026.
- The operation employed passive sniffing using built-in diagnostic commands, extracting sensitive data across 24 protocols, with evasion techniques like geo-fencing and business-hour scheduling to evade detection.
- The attacker conducted multi-phase operations including reconnaissance, brute-force access, passive credential harvesting, hash cracking with GPU clusters, lateral movement, and direct exfiltration of data, notably targeting a NATO-aligned defense contractor.
- The campaign, ongoing as of mid-June 2026, affected organizations primarily in the IT services sector across India, the U.S., Taiwan, Mexico, and Turkey, with vulnerabilities notably in mid-sized enterprises lacking dedicated security teams.
The Issue
A malicious threat actor has launched an extensive credential-stealing campaign called FortiBleed, targeting over 430,000 FortiGate firewalls worldwide. This attacker, believed to be motivated by financial gain and possibly linked to Russian origins, used a custom Golang tool named FortigateSniffer to silently intercept authentication data. They operated from at least February 2026 until mid-June 2026, performing nearly 660 harvest cycles. The tool, disguised with Russian comments, exploited FortiOS’s diagnostic commands rather than deploying malware, enabling passive, covert collection of credentials across multiple protocols such as RADIUS, LDAP, and Kerberos. The attacker’s sophisticated methodology involved reconnaissance, targeted brute-force attacks, deploying the sniffer, cracking harvested hashes, and finally exfiltrating large volumes of sensitive data, including credentials and session cookies.
This campaign has compromised thousands of devices, including those belonging to a NATO-aligned defense contractor, and exposed over 23,000 domains, most of which belonged to smaller organizations with limited security resources. The infiltrated firewalls were turned into passive listening stations, allowing the threat actor to harvest sensitive credentials without immediate detection. The incident prompted urgent advisories from CISA warning organizations to bolster their Fortinet device security. Meanwhile, ongoing updates and evidence suggest the threat remains active, highlighting the persistent danger posed by financially motivated cybercriminal groups exploiting well-known vulnerabilities in network security devices.
Risk Summary
The issue of hackers exploiting the FortigateSniffer tool to turn compromised firewalls into password collectors poses a serious threat to any business. When attackers compromise a firewall, they can secretly capture sensitive login information, including employee credentials and customer data. As a result, your business could face data breaches, financial losses, and damage to reputation. Moreover, this breach may go unnoticed for weeks or months, allowing hackers to access internal networks, steal confidential information, or launch further attacks. Therefore, all businesses must recognize that such vulnerabilities can occur unexpectedly, making proactive security measures essential to prevent potential devastation.
Fix & Mitigation
Timely remediation is crucial when hackers leverage tools like FortigateSniffer to turn firewalls into password collectors, as delays can lead to widespread credential theft and severe compromise of organizational security. Rapid response helps contain the attack, minimize damage, and restore trusted security posture before attackers escalate their access.
Containment Measures
Isolate affected firewalls from the network to prevent further data exfiltration or lateral movement by attackers.
Identification
Conduct thorough diagnostics to confirm the presence of the FortigateSniffer tool and determine the scope of compromise.
Removal
Remove malicious scripts or malware associated with the tool from affected firewalls; disable or reset compromised devices.
Patch & Update
Apply the latest firmware updates and security patches to vulnerable firewalls to address known exploits and weaknesses.
Password Reset
Immediately change all passwords stored or cached on affected firewalls and inform users to update their credentials.
Enhanced Monitoring
Increase surveillance on network activity focusing on unusual data flows or unauthorized access patterns.
Review & Audit
Perform comprehensive logs analysis and security audits to understand breach origins and prevent future incidents.
Strengthen Policies
Update security policies to restrict unauthorized access, enforce least privilege, and require multi-factor authentication.
User Education
Train staff on security best practices and recognition of suspicious activities to bolster organizational cyber defenses.
Explore More Security Insights
Discover cutting-edge developments in Emerging Tech and industry Insights.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
