A large-scale cyber espionage and credential-harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries.
Researchers from SOCRadar discovered the campaign, which they believe is the work of Russian-speaking threat actors, when they found an exposed operational server belonging to the attackers. The server gave them visibility into the group's tooling, victim database, automation infrastructure, and verified-credential repository, according to a report published Tuesday.
“The attacker’s database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries,” according to the report. “These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock.”
Take the Threat Seriously
SOCRadar emphasized that it found no evidence that a Fortinet vulnerability was exploited in the operation and is treating it strictly as a credential-compromise campaign, albeit one that should be taken seriously, according to the report.
The compromised devices so far comprise 21,108 unique IP addresses and 8,316 unique domains across government, telecommunications, healthcare, education, financial services, and critical infrastructure sectors, the researchers found. Among those, telecommunications accounted for over 5,600 compromised devices, while government organizations represented 591 across 111 domains.
Enterprise organizations generating more than $1 billion in annual revenue comprised over 20% of affected devices, while India and the United States reportedly accounted for nearly one-third of all identified credential compromises, although affected organizations were found across Asia, Europe, the Americas, Africa, and the Middle East.
Targeting Security Weaknesses
The compromised firewalls and VPNs often reflected security weaknesses in the targeted network infrastructure, the researchers found. Many of the harvested credentials belonged to generic administrator accounts, default or built-in Fortinet system accounts, or long-lived accounts whose passwords had never been rotated after previous breaches, they said.
Given that the attack remains active and “Fortinet firewalls and VPN gateways are among the most widely deployed network security devices in the world,” the ongoing threat is rated as “critical” and demanding immediate response from affected organizations, SOCRadar noted in the report. Indeed, these devices are often in the crosshairs of attackers given their ubiquity and the entry into networks that they can provide.
“If your organization uses a Fortinet firewall or VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately,” according to SOCRadar.
Self-Sustaining Compromise Model
The operation is built around a self-sustaining, fully automated attack chain in which attackers scan the Internet for Fortinet devices and then employ credential reuse, credential stuffing, and password spraying against exposed Fortinet management and VPN interfaces. As part of this, attackers used previously leaked Fortinet credentials and continuously validated successful logins through this automated scanning infrastructure.
Once a device is compromised, attackers “use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by,” according to the report. The freshly collected passwords are then fed back into the scanner to compromise even more devices so that “the system feeds itself.”
Though the operation seems highly professional, the attackers did make a significant mistake in leaving a server exposed that “revealed far more about them than they intended,” including clues to their identities and motives, the report noted.
SOCRadar also determined that the attack seems consistent with Russian-speaking threat actors, considering that the tooling, infrastructure choices, and victim selection were “heavily weighted toward organizations in NATO member countries,” according to the report. These attackers also appear to be motivated not only by financial gain but also by potential cyberespionage, as credentials for what appears to be a defense industry VPN endpoint were among the recovered data, according to the post.
Immediate Mitigation Steps
The campaign demonstrates the scale at which attackers can weaponize credential reuse and poor password hygiene, especially when automation is a core part of their attack strategy. The lesson for defenders is that perimeter security appliances, especially those from Fortinet, remain high-value targets and must be secured with more care and attention.
As mentioned, any organization using Fortinet firewalls or VPNs should take immediate action to secure these assets, including the immediate rotation of all administrative and VPN credentials. They also should enable MFA on all remote-access and administrative accounts, according to SOCRadar.
Further defensive steps include reviewing all authentication and VPN logs for suspicious access; removing public exposure of management interfaces where possible; upgrading devices to current firmware versions; and conducting an appropriate incident response investigation if a compromise is found or suspected.
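As an added illustration of the log review recommended above (example code written for this article, not SOCRadar's or Fortinet's tooling), the script below parses constructed key=value VPN event lines in a format approximating FortiGate syslog and flags two patterns the campaign relies on: one source IP failing against many distinct accounts (password spraying) and a successful login from an IP that had just failed repeatedly (credential stuffing that found a working password). The field names and action values (`remip`, `user`, `ssl-login-fail`, `tunnel-up`) are assumptions; adapt them to the fields your devices actually emit.

```python
import re
from collections import defaultdict

# Constructed sample events approximating FortiGate's key=value log format.
# Field names and action values are assumptions chosen for this example.
SAMPLE_LOGS = """\
date=2025-01-10 time=02:14:01 subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.7
date=2025-01-10 time=02:14:03 subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=203.0.113.7
date=2025-01-10 time=02:14:05 subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7
date=2025-01-10 time=02:14:09 subtype="vpn" action="ssl-login-fail" user="backup" remip=203.0.113.7
date=2025-01-10 time=02:14:12 subtype="vpn" action="tunnel-up" user="backup" remip=203.0.113.7
date=2025-01-10 time=08:00:00 subtype="vpn" action="tunnel-up" user="jsmith" remip=198.51.100.20
date=2025-01-10 time=08:05:00 subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.20
"""

# key=value pairs, where the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
FAIL_ACTIONS = {"ssl-login-fail"}    # assumed failure action value
SUCCESS_ACTIONS = {"tunnel-up"}      # assumed success action value


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {key: quoted or bare for key, _, quoted, bare in KV_RE.findall(line)}


def analyze(text, min_users=3, min_failures=3):
    """Flag, per source IP, failures against >= min_users distinct accounts
    (spraying) and any success preceded by >= min_failures failures
    (a stuffing attempt that found working credentials)."""
    failed_users = defaultdict(set)   # remip -> accounts that failed from it
    failure_count = defaultdict(int)  # remip -> running failure count
    hits = []
    for raw in text.splitlines():
        event = parse_line(raw)
        ip, user, action = event.get("remip"), event.get("user"), event.get("action")
        if not ip or not action:
            continue
        if action in FAIL_ACTIONS:
            failed_users[ip].add(user)
            failure_count[ip] += 1
        elif action in SUCCESS_ACTIONS and failure_count[ip] >= min_failures:
            hits.append((ip, user))
    sprays = {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_users}
    return {"spray_sources": sprays, "success_after_failures": hits}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

Any account listed under `success_after_failures` is a candidate for immediate credential rotation and session termination, which is the response SOCRadar recommends above.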