Security researchers have uncovered an unprecedented cyber espionage campaign that has silently compromised over 73,932 unique Fortinet firewall URLs across 194 countries. Dubbed FortiBleed, the operation was first uncovered by security researcher Volodymyr “Bob” Diachenko and subsequently analyzed in depth by Hudson Rock. What has emerged is a highly automated, industrial-scale attack targeting FortiGate devices and SSL VPN gateways at a scope that touches virtually every sector of the global economy.
The Scale of the Operation
The numbers behind FortiBleed are staggering. Threat actors executed an estimated 1.16 billion credential-based attempts against over 320,000 FortiGate targets. Simultaneously, they launched an additional 2.1 billion brute-force attempts against more than 160,000 MSSQL servers, resulting in 21,632 unique compromised domains. The campaign spans every continent and affects organizations from Fortune 500 multinationals to critical infrastructure providers and government agencies.
Confirmed victims include technology and manufacturing giants such as Foxconn, Samsung, Siemens, Lenovo, and Oracle; professional services firms including PwC and Accenture; telecommunications providers such as Comcast; and thousands of government entities. Most critically, the operation successfully exfiltrated classified defense documents from a Turkish NATO defense contractor.
How the Attack Works
The methodology employed by this multi-operator, Russian-speaking cybercriminal group goes far beyond simple credential stuffing; the campaign follows a precise and highly efficient attack chain. In the first phase, attackers systematically test exposed Fortinet instances against vast repositories of plaintext credentials harvested by infostealer malware from endpoint compromises over years of campaigns. In the second phase, one of the campaign’s most alarming technical vectors comes into play: the active interception of SSL VPN authentication hashes, which are then cracked offline on a dedicated 45-GPU cluster managed with the Hashtopolis software. This means that even organizations which assume hashed rather than plaintext credentials are safe remain directly exposed.
Once an initial foothold is established, attackers pivot in the third phase directly into internal Active Directory environments, gaining deep, persistent network access that survives routine security checks. In the fourth phase, operators monitor traffic traversing the compromised network to harvest additional credentials from the authentication flows passing through it, creating a self-reinforcing cycle of unauthorized access.
Why Strong Passwords Offered No Protection
Perhaps the most sobering finding from the FortiBleed dataset is that password complexity was completely irrelevant to attackers’ success. A significant volume of highly complex, 20-character passwords was successfully compromised — not by cracking them from scratch, but because they already existed in plaintext within previously harvested infostealer databases. When credentials are stolen at the endpoint level before encryption is applied, no amount of complexity saves them. This finding fundamentally undermines the “strong password policy” as a perimeter defense strategy.
The implication for enterprise security is profound: perimeter access control must assume credential compromise as a baseline condition, not an exception. Organizations cannot rely on password strength policies when the credentials may already exist in attacker databases from prior infostealer infections across the global workforce.
Hudson Rock Launches Ethical Disclosure Portal
In response to the scale of the compromise, Hudson Rock launched a specialized online portal allowing organizations to verify whether their domains are included in the FortiBleed database. This ethical disclosure mechanism enables security teams to quickly assess exposure without needing direct access to the full dataset. CISA has separately issued hardening guidance for Fortinet devices in the wake of FortiBleed, directing federal civilian agencies and other affected organizations to prioritize remediation.
Immediate Mitigation Steps
Organizations running Fortinet devices must treat FortiBleed as a critical, active threat and take the following steps immediately. All Fortinet VPN and admin interface passwords must be reset without delay — complexity is irrelevant if credentials have already been exfiltrated via infostealer malware. Multi-Factor Authentication must be applied across all external gateways to neutralize the impact of stolen plaintext credentials. Gateway logs should be reviewed for anomalous login locations, unexpected admin sessions, or unusual traffic volumes that may indicate prior compromise. Admin panel access should be restricted to trusted internal IPs only via local-in policies, and FortiCloud SSO should be disabled if not strictly required. Given the campaign’s Active Directory pivot tactics, organizations should also conduct internal threat hunting for lateral movement indicators, unauthorized domain admin account creation, or unusual service account activity. The FortiBleed campaign is a stark reminder that in a world saturated with infostealer-harvested data, the perimeter has never been more fragile.
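As an added illustration of the log review step above (example code written for this page, not from the article, Hudson Rock, or Fortinet), the script below parses constructed FortiGate-style key=value event lines and flags the signals the article names: one source cycling through many accounts, a successful tunnel from such a source, a tunnel from an unexpected country, and an admin login from outside trusted ranges. The field names (action, user, remip, srccountry, srcip, ui) and the sample lines are assumptions modelled on FortiOS event logs, not captured data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FortiGate-style event log lines (key=value syslog form). The field
# names follow FortiOS vpn/system event logs as an assumption; nothing here is a
# real capture. RFC 5737 documentation addresses are used throughout.
SAMPLE_LOGS = """\
date=2025-01-10 time=02:11:03 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.5 srccountry="Reserved"
date=2025-01-10 time=02:11:04 type="event" subtype="vpn" action="ssl-login-fail" user="akhan" remip=203.0.113.5 srccountry="Reserved"
date=2025-01-10 time=02:11:05 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=203.0.113.5 srccountry="Reserved"
date=2025-01-10 time=02:11:06 type="event" subtype="vpn" action="tunnel-up" user="rgarcia" remip=203.0.113.5 srccountry="Reserved"
date=2025-01-10 time=09:30:00 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=198.51.100.7 srccountry="Germany"
date=2025-01-10 time=09:31:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=192.0.2.77 ui="https(192.0.2.77)"
date=2025-01-10 time=09:32:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.0.5 ui="https(10.0.0.5)"
"""

# Matches key="quoted value" or key=barevalue pairs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted and bare values alike)."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}

def detect(log_text, allowed_countries, trusted_admin_nets, spray_threshold=3):
    """Return (rule, source_ip, detail) findings in the order they are detected."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    trusted = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    failed_users = defaultdict(set)          # source IP -> accounts that failed from it
    for e in events:
        if e.get("action") == "ssl-login-fail":
            failed_users[e["remip"]].add(e["user"])
    # Many distinct accounts failing from one source is the credential-testing pattern.
    spray_ips = {ip for ip, users in failed_users.items() if len(users) >= spray_threshold}
    findings = [("credential_spray", ip, f"{len(failed_users[ip])} distinct accounts")
                for ip in sorted(spray_ips)]
    for e in events:
        if e.get("action") == "tunnel-up":
            if e["remip"] in spray_ips:      # a hit from a source that was guessing accounts
                findings.append(("success_after_spray", e["remip"], e["user"]))
            if e.get("srccountry") not in allowed_countries:
                findings.append(("unexpected_country", e["remip"], e.get("srccountry", "?")))
        elif e.get("subtype") == "system" and e.get("action") == "login" and e.get("status") == "success":
            src = ipaddress.ip_address(e["srcip"])
            if not any(src in n for n in trusted):   # admin UI reached from outside local-in allowlist
                findings.append(("admin_from_untrusted", e["srcip"], e["user"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS, {"Germany"}, ["10.0.0.0/8"]):
        print(*finding)
```

Feed real exported event logs in place of SAMPLE_LOGS and set the allowed countries and trusted admin networks to match your local-in policy.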