MagnaNet Network

FortiBleed: Russian-Speaking Threat Actor Orchestrates Global Credential-Harvesting Campaign Targeting Over 430,000 FortiGate Firewalls and Beyond

Cahyo Dewo, June 24, 2026

A sophisticated, financially motivated Russian-speaking initial access broker (IAB) has been identified as the orchestrator behind "FortiBleed," a massive credential-harvesting operation that has compromised over 430,000 FortiGate firewalls globally. Active since February 2026, this extensive campaign meticulously collects credential lists, probes for exposed services, executes brute-force attacks on accessible systems, and deploys custom-built sniffers on compromised network appliances, posing a significant threat to organizations worldwide.

Unveiling the Mechanics of FortiBleed

The core of the FortiBleed operation revolves around a multi-stage attack chain designed to infiltrate network perimeters and exfiltrate sensitive authentication data. According to a detailed report by SOCRadar, the campaign begins with reconnaissance, identifying FortiGate devices exposed to the internet. Following identification, the threat actors initiate brute-force attacks, attempting to guess login credentials to gain initial access. Once inside, they deploy a custom Golang-based tool named FortigateSniffer. This bespoke malware leverages a built-in FortiOS diagnostic command, diagnose sniffer packet, to passively intercept authentication traffic flowing through the compromised firewalls.

The FortigateSniffer tool is engineered for precision, capable of monitoring traffic across 24 distinct protocols. Its primary function is to parse authentication data and meticulously extract both cleartext and hashed credentials. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar stated in its comprehensive report. The extracted credentials are then subjected to a rigorous cracking process, validated for authenticity, and subsequently reused against Active Directory domains and other exposed services within the victims’ networks. This methodical approach ensures that the attackers can expand their foothold beyond the initial firewall compromise, potentially gaining access to a wide array of internal systems and sensitive data. The financial motivation of the IAB drives this entire process, as harvested credentials and access pathways are typically sold to other cybercriminal groups for further exploitation.

The Role of AI in Offensive Security

An intriguing aspect of the FortiBleed campaign is the suspected integration of artificial intelligence (AI) and open-source offensive security platforms into the attacker’s workflow. Analysts believe the threat actors may have leveraged an open-source, AI-native offensive security platform dubbed CyberStrike to automate or assist with specific segments of their operations. This suspicion is amplified by the fact that another open-source framework, CyberStrikeAI, was implicated in a separate automated mass scanning campaign targeting FortiGate devices earlier in 2026, a campaign exposed by Amazon Threat Intelligence.

The potential use of AI-powered tools like CyberStrike underscores a growing trend in the cybercrime landscape. These platforms can significantly enhance the speed, scale, and sophistication of attacks by automating tasks such as vulnerability scanning, exploit generation, and credential brute-forcing. For IABs, AI can provide an unprecedented ability to identify and exploit weaknesses across vast numbers of targets simultaneously, reducing the manual effort required and increasing the success rate of their operations. This development signals a critical evolution in cyber warfare, where readily available AI tools empower even financially motivated groups to conduct operations that might otherwise require state-sponsored resources.

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

Broad Targeting and Strategic Focus

The FortiBleed campaign is not merely a random attack; it demonstrates a strategic focus on specific organizational profiles and geographical regions. SOCRadar’s analysis indicates a "heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees." This targeting choice is particularly concerning given that SMBs often possess fewer cybersecurity resources and dedicated IT staff compared to larger enterprises, making them more vulnerable to sophisticated attacks. The campaign’s global reach, with a notable emphasis on the United States and India, highlights the widespread nature of the threat.

Furthermore, the IT services sector appears to be a prime target for the FortiBleed operators. This choice is highly strategic, as compromising IT service providers offers a lucrative avenue for downstream access. By infiltrating an IT services firm, the threat actors can potentially gain access to multiple client environments, creating a ripple effect across supply chains. This allows the IAB to maximize the value of their initial access, selling access to numerous organizations through a single point of entry. This supply chain attack vector amplifies the potential damage and complicates defense efforts for end-user organizations.

A Multi-Vendor Initial Access Operation

Perhaps the most significant revelation from the ongoing investigation is that FortiBleed is not an isolated incident focused solely on Fortinet devices. Instead, it is understood to be part of a much broader, multi-vendor initial access operation. Since February 28, 2026, the same threat actors have systematically targeted a diverse range of internet-facing appliances using automated brute-forcing techniques. Beyond FortiGate firewalls, their targets include:

  • Synology NAS devices: Network-attached storage solutions, often containing critical business data.
  • Sophos firewalls: Another leading vendor of network security appliances.
  • RDWeb portals: Remote Desktop Web Access portals, providing entry points to internal networks.
  • Citrix SSL-VPNs: Virtual Private Network solutions crucial for remote access.
  • MS-SQL servers: Database servers often holding sensitive corporate information.

This multi-vendor approach demonstrates the opportunistic and expansive nature of the IAB’s activities. Rather than specializing in a single vulnerability or vendor, they employ a "spray-and-pray" methodology combined with targeted exploitation of widely exposed services. This strategy maximizes their chances of gaining initial access across a broad spectrum of organizations and technologies, further enriching their inventory of compromised credentials and network access for sale on underground forums.

The Scale of Compromise

The sheer scale of the FortiBleed operation is staggering. Attackers are estimated to have launched no less than 659 credential-harvesting pipelines during peak activity periods on May 31 and June 15, 2026. These intensive operations resulted in the identification of over 110 million credentials, an enormous trove of authentication data that could fuel numerous subsequent cyberattacks. While the specific breakdown of these credentials across different target types (FortiGate, Synology, Sophos, etc.) was not detailed, the aggregate number underscores the severe and widespread impact of this campaign.

This massive collection of credentials represents a significant threat landscape shift. Even if a small percentage of these credentials are valid and grant access, the potential for widespread breaches is immense. The threat actors’ ability to rapidly crack, validate, and reuse these credentials means that organizations face an immediate and persistent danger once their data is exfiltrated.

Operational Sophistication and Actor Profile

The IAB behind FortiBleed exhibits a high degree of operational sophistication and meticulous planning. SOCRadar highlights that "The group does not treat all targets equally. Instead, targets are ranked according to economic value before exploitation resources are allocated." This strategic prioritization indicates a calculated approach to maximizing financial returns, focusing their efforts on organizations or access points that promise the highest payoff for future sales.

Further insights into their operational security (OpSec) reveal deliberate measures to evade detection. The sniffing mechanism employed by the FortigateSniffer includes a geofencing filter, restricting operations to specific IP ranges. Additionally, activity is limited to between 7 a.m. and 6 p.m. Moscow Time, suggesting an attempt to blend in with legitimate network traffic patterns or align with the working hours of the threat actors themselves.

Data captured by SpyCloud indicates that the FortiGate-related capture cycle commenced on May 19, 2026, with the hash cracking infrastructure being established towards the end of that month. Zenox, a Brazilian cybersecurity company, further elaborated on the operational rhythm, stating, "The operation runs in a pipeline of 300-minute (five-hour) cycles, with status every minute." During these cycles, regional target lists are loaded and validated with 1,000 simultaneous threads, displaying real-time counters for success, failure, timeout, and warning. Intriguingly, initial cycles showed a successful validation rate hovering near 90%, indicative of effective targeting and brute-forcing techniques.

A particularly concerning finding from Zenox is the discovery of certain username and password pairs being repeated across thousands of distinct IP addresses. This raises the alarming possibility that these accounts may have been deliberately planted by the attackers as clandestine backdoor entry points, ensuring persistent access even if original compromised credentials are changed.

Chronology of the FortiBleed Campaign

The timeline of the FortiBleed operation illustrates its sustained and evolving nature:

  • Early 2026: Prior to the FortiBleed campaign, Amazon Threat Intelligence exposed other AI-assisted mass scanning campaigns targeting FortiGate devices, some of which reportedly utilized the CyberStrikeAI framework. This sets a precedent for the use of AI in similar attacks.
  • February 2026: The FortiBleed campaign officially commences, initially focusing on FortiGate firewalls with credential harvesting and brute-forcing.
  • February 28, 2026: The operation expands significantly, transforming into a broader multi-vendor initial access campaign, incorporating automated brute-forcing against Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers.
  • May 19, 2026: Specific FortiGate-related capture cycles are initiated, signaling intensified efforts against these devices.
  • Late May 2026: The hash cracking infrastructure becomes fully operational, enabling the rapid processing and validation of stolen credentials.
  • May 31 and June 15, 2026: The campaign reaches its peak activity, with the launch of 659 credential-harvesting pipelines, leading to the identification of over 110 million credentials.
  • June 2026: SOCRadar and SpyCloud publish their detailed reports, bringing the FortiBleed operation to public attention and providing critical insights into the threat actor’s tactics, techniques, and procedures (TTPs).

Potential Market for Compromised Access

The financial motive behind FortiBleed is underscored by recent activities on underground forums. A Russian-speaking account named "SantaAd" has reportedly advertised access to thousands of Fortinet devices, initially listing them for $30,000, and then rapidly increasing the price to $60,000 within hours. While the direct connection between "SantaAd" and the FortiBleed operation remains unconfirmed by researchers, this development highlights the lucrative market for initial access to corporate networks, especially those secured by widely deployed devices like Fortinet firewalls. The high asking price reflects the perceived value of such access to other cybercriminal groups, who might use it for ransomware deployment, data exfiltration, or other financially motivated attacks.

Broader Implications and Recommendations

The FortiBleed campaign carries significant implications for cybersecurity worldwide. The disproportionate targeting of SMBs, coupled with the focus on IT service providers, creates a cascading risk that can affect numerous downstream clients. This emphasizes the critical need for robust security measures across the entire supply chain, as a weakness in one link can compromise many others.

The use of AI-native offensive security platforms marks a concerning evolution, making sophisticated attacks more accessible and scalable for threat actors. Organizations must anticipate and defend against these advanced techniques by integrating AI-driven defenses and staying abreast of the latest threat intelligence.

In response to such widespread credential harvesting, cybersecurity agencies and vendors are likely to reiterate fundamental security best practices. Fortinet, for its part, would typically advise its customers to:

  • Patch and Update Promptly: Ensure all FortiGate devices and other network appliances are running the latest firmware and security patches to address known vulnerabilities.
  • Implement Strong Authentication: Enforce multi-factor authentication (MFA) for all administrative interfaces and user accounts, as this significantly mitigates the risk of brute-force and credential stuffing attacks.
  • Use Unique, Complex Passwords: Prohibit the reuse of passwords across different services and enforce the use of strong, unique passwords for all accounts.
  • Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within a compromised network.
  • Monitor Logs and Traffic: Actively monitor network traffic and system logs for unusual activity, failed login attempts, and unauthorized access patterns.
  • Incident Response Planning: Develop and regularly test comprehensive incident response plans to rapidly detect, contain, and remediate breaches.
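The log-monitoring item above is where detection logic has to be concrete. As an added example that is not part of the article or of any vendor's tooling, the Python below parses FortiOS-style key=value event log lines and flags the two things a brute-force compromise of an administrative interface leaves behind in the device's own event log: a burst of failed logins from one source address, and a successful login from that same source while the burst is still within the window. The field names (date, time, action, status, user, srcip) follow the FortiOS key=value event log style as an assumption about the format, and every log line shown is constructed for the example; check them against what your devices actually emit before reusing the filters.

```python
"""
Added example (not from the article or any vendor): detect brute-force login
bursts and a success-after-burst in FortiOS-style key=value event logs.
Field names are an assumption about the log format; the sample lines are
constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed FortiOS key=value style.
# 203.0.113.10 fails six times against "admin", then succeeds; the other
# two sources are ordinary background noise that must not be flagged.
SAMPLE_LOGS = """\
date=2026-06-01 time=07:00:00 type="event" subtype="system" level="information" action="Edit" cfgpath="system.interface" msg="Edit system.interface port1"
date=2026-06-01 time=07:02:11 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=203.0.113.10 ui="https(203.0.113.10)" msg="Administrator admin login failed from https(203.0.113.10) because of invalid password"
date=2026-06-01 time=07:02:25 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=203.0.113.10 ui="https(203.0.113.10)" msg="Administrator admin login failed from https(203.0.113.10) because of invalid password"
date=2026-06-01 time=07:02:30 type="event" subtype="system" level="alert" action="login" status="failed" user="svc_backup" srcip=198.51.100.7 ui="ssh(198.51.100.7)" msg="Administrator svc_backup login failed from ssh(198.51.100.7) because of invalid password"
date=2026-06-01 time=07:02:40 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=203.0.113.10 ui="https(203.0.113.10)" msg="Administrator admin login failed from https(203.0.113.10) because of invalid password"
date=2026-06-01 time=07:02:58 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=203.0.113.10 ui="https(203.0.113.10)" msg="Administrator admin login failed from https(203.0.113.10) because of invalid password"
date=2026-06-01 time=07:03:15 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=203.0.113.10 ui="https(203.0.113.10)" msg="Administrator admin login failed from https(203.0.113.10) because of invalid password"
date=2026-06-01 time=07:03:40 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=203.0.113.10 ui="https(203.0.113.10)" msg="Administrator admin login failed from https(203.0.113.10) because of invalid password"
date=2026-06-01 time=07:04:02 type="event" subtype="system" level="information" action="login" status="success" user="admin" srcip=203.0.113.10 ui="https(203.0.113.10)" msg="Administrator admin logged in successfully from https(203.0.113.10)"
date=2026-06-01 time=07:05:00 type="event" subtype="system" level="information" action="login" status="success" user="netadmin" srcip=192.0.2.5 ui="https(192.0.2.5)" msg="Administrator netadmin logged in successfully from https(192.0.2.5)"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Parse one key=value event line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(
            f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def detect_login_abuse(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for failed-login bursts and successes that follow them.

    A 'brute_force' alert fires when one source reaches `threshold` failed
    logins inside `window`; a 'success_after_burst' alert fires when that same
    source then logs in successfully while the burst is still in the window.
    Lines are expected in chronological order (as a log file normally is).
    """
    recent_failures = defaultdict(deque)  # srcip -> timestamps of failures in window
    alerts = []
    for line in lines:
        ev = parse_fortios_line(line)
        if ev.get("action") != "login" or "ts" not in ev:
            continue  # only login events carry the signal we want
        src, ts = ev.get("srcip", "?"), ev["ts"]
        q = recent_failures[src]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if ev.get("status") == "failed":
            q.append(ts)
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"kind": "brute_force", "srcip": src,
                               "user": ev.get("user"), "time": ts})
        elif ev.get("status") == "success":
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_burst", "srcip": src,
                               "user": ev.get("user"), "time": ts})
            q.clear()  # a success ends the burst for this source
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOGS.splitlines()):
        print(f'{alert["time"]} {alert["kind"]:20} src={alert["srcip"]} user={alert["user"]}')
```

On the constructed input this reports a brute_force alert for 203.0.113.10 at the fifth failure and a success_after_burst alert when the same address logs in at 07:04:02; the single failure from 198.51.100.7 and the clean login from 192.0.2.5 produce nothing. The success-after-burst alert is the one worth paging on: a burst alone may be a misconfigured client, but a success at the end of one is the event that the article's credential-reuse and sniffer-deployment stages depend on, and it should trigger a password reset, a review of the device's configuration and command history, and a check of the source address against known administrator networks.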

The Cybersecurity and Infrastructure Security Agency (CISA) has previously issued warnings regarding Fortinet vulnerabilities and would likely reiterate these recommendations, especially for critical infrastructure organizations and federal agencies. The discovery of potential attacker-planted backdoors also underscores the importance of thorough forensic analysis following any suspected breach, not just remediation of initial compromise points.

The FortiBleed campaign serves as a stark reminder of the persistent and evolving threat posed by financially motivated cybercriminals. As these actors leverage increasingly sophisticated tools and strategies, proactive defense, continuous vigilance, and adherence to robust cybersecurity hygiene remain paramount for all organizations, regardless of size or sector.
