
A financially motivated adversary has used a custom Go-based tool, FortigateSniffer, against more than 430,000 FortiGate firewalls worldwide, covertly collecting over 110 million credentials since at least February 2026, including confirmed data exfiltration from a NATO-linked defense contractor.

The campaign, tracked as FortiBleed and analyzed by SOCRadar’s Threat Research Unit (STRU), is one of the most extensive credential-harvesting operations against network perimeter devices ever recorded.

The threat actor, assessed to be a financially motivated Initial Access Broker (IAB), operated steadily through mid-June 2026, running 659 distinct harvesting cycles, and its infrastructure remains partially operational at the time of writing. The tooling carries comments in Cyrillic, pointing to a possible Russian origin and to potential links with ransomware groups or state-backed entities.

CISA has issued an urgent warning urging organizations to secure their Fortinet devices following notifications about large-scale credential exposure.

The primary tool is FortigateSniffer (also known as fg_sniffer), a Go-based program compiled for Linux (fg_sniffer_linux_amd64) and Windows (fg_sniffer_windows_amd64.exe). Its entire interface is in Russian.

[Figure: FortigateSniffer interface; appears to be the Training module (Source: SOCRadar Threat Research Unit)]

Rather than dropping malware, the tool abuses FortiOS’s built-in diagnostic command `diagnose sniffer packet` to passively intercept all authentication traffic passing through a compromised firewall across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM.

Once captured, the raw SSH terminal output is converted to .pcapng format by the SNIFTRAN engine and then processed by a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/AS-REP tickets, and session cookies.

The tool also includes two evasion features: GeoIP-based filtering (using a binary-search-optimized ipgeo.csv) and business-hour scheduling, which confines active sniffing to 07:00–18:00 Moscow Time so that it does not generate alerts outside normal working hours.

The operation follows a systematic, five-phase process:

  1. Phase 1 — Reconnaissance & Credential Sourcing: The attackers used Masscan for internet-wide port scans, Shodan_Recon for passive enrichment from SSL/certificate metadata, and FortiProbe-fast to sort targets into FortiGate, non-FortiGate, and dead. Custom scripts (match_corps.py, merge_revenue.py, build_report.py) then ranked targets by corporate revenue before any exploitation took place, indicating deliberate, value-driven targeting rather than random opportunism.
  2. Phase 2 — Pairing & Initial Access: The tool gen_rotator produced combo files as the Cartesian product of hosts and credentials. These were fed into mpbrute2.bin for SSH brute-force attacks against FortiGate admin accounts using 16 product-specific wordlists, and into forticheck (up to 25,000 threads) for credential stuffing against SSL-VPN portals.
  3. Phase 3 — Sniffer Deployment & Harvesting: With valid SSH credentials, the attackers logged in to each compromised FortiGate and implanted FortigateSniffer, turning the device into a passive observer. 6,127 devices were implanted during tracked deployments, with a 90% SSH validation success rate. By the end of the operation, ssh.txt contained 237,330 working FortiGate SSH credentials.
  4. Phase 4 — Cracking & Lateral Movement: Collected hashes (NTLM, Kerberos, RADIUS) were cracked on a Hashtopolis-managed Hashcat GPU cluster supplemented by capacity rented on demand from vast.ai, orchestrated through a purpose-built Telegram bot that dynamically allocated one to six GPUs and reported real-time cracking telemetry. Lateral-movement tools, including spray_da.py, smb_test.py, spider.py, and ad_full_audit.py, then moved through Active Directory environments.
  5. Phase 5 — Exfiltration: backup_dfs.py recursively pulled entire DFS shares over SMB and streamed them directly to attacker-controlled SSH servers with no local staging. On June 15, 2026, after offline cracking of 172 Kerberos RC4 hashes, the attacker carried out a targeted DFS backup exfiltration against a NATO-linked defense contractor.
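The Phase 2 activity above leaves a characteristic trace on the firewall itself: a burst of failed administrator logins from one source address, followed by a success from the same source once a password from the wordlist matched. The following Python, an added example and not SOCRadar's, Fortinet's, or the campaign's code, implements that detection over FortiOS-style admin login events. The log lines are constructed, and the field names (`date`, `time`, `user`, `ui`, `action`, `status`) and the `ui="ssh(ip)"` form of the source-address field follow FortiOS's key=value log layout but are assumptions here; the detector covers admin logins only, not SSL-VPN portal events.

```python
"""Added example, not SOCRadar's or Fortinet's code: detect the Phase 2 pattern of a
failed-login burst against FortiGate admin accounts followed by a success from the
same source. Log lines are constructed; FortiOS field names are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r"^(\w+)\(([^)]+)\)$")  # ui="ssh(1.2.3.4)" -> method, source IP


def parse(line: str) -> dict:
    """Key=value parser; values may be bare tokens or double-quoted strings."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def login_events(lines):
    """Yield (timestamp, source_ip, method, user, success) for admin login events."""
    for line in lines:
        f = parse(line)
        m = UI_RE.match(f.get("ui", ""))
        if f.get("action") != "login" or not m:
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(1), f.get("user"), f.get("status") == "success"


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window failure count per source; alert at `threshold` failures within
    `window`, and escalate if the same source later logs in successfully."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    bursting = set()
    alerts = []
    for ts, ip, method, user, ok in login_events(lines):
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if ok:
            if ip in bursting:  # a password was found: treat as compromise, not noise
                alerts.append(("success_after_burst", ip, user, ts))
        else:
            q.append(ts)
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("login_burst", ip, user, ts))
    return alerts


def _line(time, ip, user, status, method="ssh"):
    """Build a constructed FortiOS-style admin login event."""
    return (f'date=2026-06-15 time={time} type="event" subtype="system" user="{user}" '
            f'ui="{method}({ip})" action="login" status="{status}" '
            f'msg="Administrator {user} login {status} from {method}({ip})"')


# Six failures in 50 seconds from one source, a benign GUI login, then a success
# from the attacking source. Constructed data; the IP is one of the report's IoCs.
SAMPLE_LOGS = [
    _line("10:00:%02d" % (10 * i), "193.8.187.42", u, "failed")
    for i, u in enumerate(["admin", "admin", "fortinet", "admin", "root", "admin"])
] + [
    _line("10:00:30", "10.20.0.5", "netops", "success", method="https"),
    _line("10:01:05", "193.8.187.42", "admin", "success"),
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(*alert)
```

The `success_after_burst` alert is the one to page on: a burst alone may be scanner noise, but a success from a source that just failed repeatedly is the moment an admin credential entered the attacker's ssh.txt and should trigger credential rotation and a review of that session's commands.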

According to SOCRadar’s Threat Research Unit, the campaign exposed 23,406 unique domains across 80,553 FortiGate devices. 66% of the targets employ fewer than 200 staff, with the 51–200 employee category accounting for 42.3% of all affected domains: organizations large enough to run FortiGate yet typically without dedicated security operations.

IT services is the largest affected sector (8.4% of victims), a deliberate choice that gives the attacker downstream access into client environments. India (11.4%) and the United States (10.1%) lead the geographic distribution, followed by Taiwan, Mexico, and Turkey.

Key IoCs

| Category | Indicator |
| --- | --- |
| Aggregator / C2 | 85.11.187[.]8 |
| Pentest Lab Host | 193.8.187[.]2 |
| Credential Validation | 193.8.187[.]42 |
| Sniffer Node | 193.8.187[.]26 |
| Sniffer Node | 194.113.39[.]71 |
| Sniffer Node | 77.91.122[.]13 |
| fg_sniffer_linux_amd64 SHA256 | 4d0b62d3162d4be391e3ba1e191dad28e5e5d5b161cfdef60eeb4361a92d8413 |
| fg_sniffer_windows_amd64.exe SHA256 | 80d83eb01f28c87a61b51f1f83805e63a791905f019bd3b87f10a10f66efab1e |
| mpbrute2.bin SHA256 | 2c98c86e6bd6f46cbd6c89d855541b9da91515b1bb986641a77e31c5c6aa2abb |
| forticheck SHA256 | a8b09fd4f7ff2f298b45ca602992f44b3c2ac3746bcdb182c59ab2a20c690954 |

Note: IP addresses and domains are deliberately defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang them only inside controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
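The indicators above, and the fact that the sniffer runs a built-in FortiOS diagnostic rather than dropping a binary, give a defender two firewall-side signals: administrator sessions originating from the listed addresses, and the `diagnose sniffer packet` command appearing in the device's CLI audit trail. The following Python is an added example, not SOCRadar's, Fortinet's, or the campaign's code: it re-fangs the table's IoCs, triages FortiOS-style admin event log lines for both signals, tags each hit with whether it fell inside the 07:00–18:00 Moscow window the tool keeps, and checks file contents against the published SHA256 values. The sample log lines are constructed; the field names (`date`, `time`, `tz`, `user`, `ui`, `msg`) follow FortiOS's key=value log layout but are assumptions here, as is the exact wording of the command-audit message.

```python
"""Added example, not from SOCRadar, Fortinet or the campaign's tooling: triage
FortiOS-style admin event logs for FortiBleed signals and match the published IoCs.
Sample log lines are constructed; field names follow FortiOS's key=value layout
but are assumptions here."""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Indicators from the table above, kept defanged until they are matched.
DEFANGED_IPS = [
    "85.11.187[.]8", "193.8.187[.]2", "193.8.187[.]42",
    "193.8.187[.]26", "194.113.39[.]71", "77.91.122[.]13",
]
KNOWN_SHA256 = {
    "4d0b62d3162d4be391e3ba1e191dad28e5e5d5b161cfdef60eeb4361a92d8413": "fg_sniffer_linux_amd64",
    "80d83eb01f28c87a61b51f1f83805e63a791905f019bd3b87f10a10f66efab1e": "fg_sniffer_windows_amd64.exe",
    "2c98c86e6bd6f46cbd6c89d855541b9da91515b1bb986641a77e31c5c6aa2abb": "mpbrute2.bin",
    "a8b09fd4f7ff2f298b45ca602992f44b3c2ac3746bcdb182c59ab2a20c690954": "forticheck",
}


def refang(indicator: str) -> str:
    """Reverse common defanging ([.] / (.) / hxxp) so indicators can be matched."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# key=value pairs whose values are bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r"^(?P<method>\w+)\((?P<ip>[^)]+)\)$")  # e.g. ssh(193.8.187.26)
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b", re.IGNORECASE)
MSK = timezone(timedelta(hours=3))  # Moscow has been UTC+3 year-round since 2014


def parse_fortios_log(line: str) -> dict:
    """Split a key=value event line into a dict, stripping the quotes from values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def source_ip(fields: dict) -> Optional[str]:
    """Pull the administrator's source address out of the ui="method(ip)" field."""
    m = UI_RE.match(fields.get("ui", ""))
    return m.group("ip") if m else None


def event_time_msk(fields: dict) -> Optional[datetime]:
    """Combine date, time and tz into an aware datetime and convert it to Moscow time."""
    try:
        stamp = datetime.strptime(f"{fields['date']} {fields['time']} {fields['tz']}",
                                  "%Y-%m-%d %H:%M:%S %z")
    except (KeyError, ValueError):
        return None
    return stamp.astimezone(MSK)


def in_msk_business_hours(fields: dict) -> Optional[bool]:
    """True if the event fell inside the 07:00-18:00 Moscow window the sniffer keeps."""
    t = event_time_msk(fields)
    return None if t is None else 7 <= t.hour < 18


def analyze(line: str) -> list:
    """Return (finding, detail) pairs: IoC source addresses and packet-sniffer use."""
    f = parse_fortios_log(line)
    findings = []
    ip = source_ip(f)
    if ip in IOC_IPS:
        findings.append(("ioc_source_ip", ip))
    if SNIFFER_RE.search(f.get("msg", "")):
        # The tool runs a built-in diagnostic rather than dropping a binary, so the
        # audit record of the CLI command is the main host-side trace it leaves.
        findings.append(("sniffer_command", f.get("user", "?")))
    return findings


def match_file_hash(data: bytes) -> Optional[str]:
    """Name the FortiBleed tool a file's SHA-256 belongs to, or None if unknown."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed sample log lines, not real device output.
SAMPLE_LOGS = [
    'date=2026-06-15 time=09:12:41 tz="+0000" type="event" subtype="system" '
    'user="admin" ui="ssh(193.8.187.26)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(193.8.187.26)"',
    'date=2026-06-15 time=09:13:02 tz="+0000" type="event" subtype="system" '
    'user="admin" ui="ssh(193.8.187.26)" '
    "msg=\"User admin executed command: diagnose sniffer packet any 'port 88' 3\"",
    'date=2026-06-15 time=22:40:10 tz="+0000" type="event" subtype="system" '
    'user="netops" ui="https(10.20.0.5)" action="login" status="success" '
    'msg="Administrator netops logged in successfully from https(10.20.0.5)"',
]


def triage(lines: list) -> list:
    """Run each line through analyze() and attach the Moscow business-hours flag."""
    hits = []
    for n, line in enumerate(lines, 1):
        findings = analyze(line)
        if findings:
            hits.append({"line": n, "findings": findings,
                         "msk_business_hours": in_msk_business_hours(parse_fortios_log(line))})
    return hits
```

Calling `triage(SAMPLE_LOGS)` flags the first two lines (an IoC source address, then the same session issuing the sniffer command) and leaves the off-hours GUI login alone. The business-hours flag is enrichment rather than a detection on its own: legitimate administrators also work daytime hours, but an unexplained sniffer session from an unfamiliar address that lands squarely in the Moscow window matches the campaign's scheduling and deserves a closer look.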

The campaign remains operational as of mid-June 2026, with sniffer activities and harvestresults directories still being updated.
