Russian Initial Access Broker Behind FortiBleed Campaign
A Russian initial access broker is conducting the FortiBleed campaign targeting over 430,000 FortiGate firewalls worldwide. Since at least February 2026, the threat actor has used a custom sniffer tool to capture and crack over 110 million credentials, harvesting authentication traffic across multiple protocols. The campaign involves brute-force SSH attacks to compromise firewalls, followed by credential harvesting and lateral movement within networks. The operation affects multiple sectors and regions, with emphasis on the United States and India, and has targeted supply chains including MSPs and IT service firms. The threat actor may collaborate with Russian state-sponsored groups or sell access to ransomware gangs. No official patch or remediation guidance is provided in the source data.
AI Analysis
Technical Summary
The FortiBleed campaign is a credential-harvesting operation led by a Russian-speaking initial access broker targeting FortiGate firewalls and other vendors' devices. The attacker uses tools like Masscan and Shodan to identify vulnerable devices, then performs SSH brute-force attacks to deploy a custom Golang sniffer (FortigateSniffer) that captures authentication traffic across 24 protocols. The captured credentials and password hashes are cracked offline and used for lateral movement and persistent access within compromised environments. The campaign has compromised over 110 million credentials since February 2026, affecting more than 430,000 FortiGate firewalls globally. The operation targets SMBs and supply chains, including MSPs, and has resulted in the exfiltration of sensitive data from high-profile targets such as a NATO-aligned defense contractor. The campaign is financially motivated and may have ties to Russian state-sponsored groups or ransomware gangs. No vendor advisory or patch information is available in the provided data.
Potential Impact
The campaign compromises network edge firewalls, exposing entire organizational identity layers and enabling lateral movement within networks. Over 110 million credentials have been captured and cracked, leading to unauthorized access to Active Directory domains, network shares, and persistent footholds in victim environments. The operation affects a large number of FortiGate firewalls worldwide, including those managed by MSPs, increasing the risk to supply chains. The compromise of a NATO-aligned defense contractor indicates potential national security implications. The campaign targets multiple sectors and regions, with notable focus on the United States and India.
Mitigation Recommendations
Patch status is not confirmed in the source data; check Fortinet's advisories for current remediation guidance. Organizations should monitor for unusual SSH login attempts and for unauthorized use of FortiOS diagnostic commands. Because the source data contains no official vendor guidance, follow Fortinet's official communications and security advisories for updates. Network defenders should consider restricting SSH access to FortiGate devices, enforcing multi-factor authentication where possible, and reviewing firewall logs for signs of compromise related to this campaign.
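As an added example (not code from the article or from the analysis above), a small Python detector for the SSH login monitoring recommended here: it parses constructed FortiOS-style key=value event-log lines, counts failed SSH admin logins per source IP, and flags the brute-force-then-success pattern that is worth escalating. The field names and the failure threshold are assumptions about the log schema, not data from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines in a FortiOS-style key=value event-log shape. The field
# names (logdesc, method, srcip, status) are an assumption about the schema, not
# data from the article; adapt them to the log format you actually collect.
SAMPLE_LOGS = """\
date=2026-03-02 time=01:10:01 logdesc="Admin login failed" user="admin" method="ssh" srcip=203.0.113.7 status="failed"
date=2026-03-02 time=01:10:03 logdesc="Admin login failed" user="admin" method="ssh" srcip=203.0.113.7 status="failed"
date=2026-03-02 time=01:10:05 logdesc="Admin login failed" user="root" method="ssh" srcip=203.0.113.7 status="failed"
date=2026-03-02 time=01:10:07 logdesc="Admin login failed" user="admin" method="ssh" srcip=203.0.113.7 status="failed"
date=2026-03-02 time=01:10:09 logdesc="Admin login failed" user="admin" method="ssh" srcip=203.0.113.7 status="failed"
date=2026-03-02 time=01:10:20 logdesc="Admin login successful" user="admin" method="ssh" srcip=203.0.113.7 status="success"
date=2026-03-02 time=08:00:00 logdesc="Admin login successful" user="netops" method="https" srcip=192.0.2.10 status="success"
date=2026-03-02 time=08:05:00 logdesc="Admin login failed" user="netops" method="ssh" srcip=192.0.2.10 status="failed"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_ssh_bruteforce(log_text, threshold=5):
    """Return, per source IP, SSH admin-login failure counts that reach the
    threshold, plus whether a later SSH success from the same IP followed
    (the brute-force-then-login pattern that should be escalated)."""
    stats = defaultdict(lambda: {"failed": 0, "success_after_failures": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("method") != "ssh" or "login" not in ev.get("logdesc", "").lower():
            continue
        entry = stats[ev.get("srcip", "?")]
        if ev.get("status") == "failed":
            entry["failed"] += 1
        elif ev.get("status") == "success" and entry["failed"] >= threshold:
            entry["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}


if __name__ == "__main__":
    for ip, s in detect_ssh_bruteforce(SAMPLE_LOGS).items():
        print(ip, s)
```

On the sample input only 203.0.113.7 is reported (five failures followed by a success), while the single failure from 192.0.2.10 stays below the threshold.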
Technical Details
Article Source: https://www.securityweek.com/russian-initial-access-broker-behind-fortibleed-campaign/ (fetched 2026-06-23T10:39:31.018Z, 1199 words)
Threat ID: 6a3a6263eed863c81ed34c8a
Added to database: 06/23/2026, 10:39:31 UTC
Last enriched: 06/23/2026, 10:39:43 UTC
Last updated: 06/23/2026, 12:28:08 UTC