Dismantling FortiBleed:
Inside a Russian Fortinet Compromise Operation

A single compromised FortiGate firewall can become a passive listening post for every credential crossing a victim’s network, turning legitimate diagnostic tooling into a large-scale credential-harvesting engine.

Dismantling FortiBleed investigates an active credential-harvesting operation identified by the SOCRadar Threat Research Unit (STRU). The report traces the campaign from large-scale reconnaissance and credential sourcing through initial access, passive sniffer deployment, offline hash cracking, and targeted exfiltration. STRU assesses the operator to be an Initial Access Broker (IAB) motivated by financial gain, with tooling comments written in the Cyrillic alphabet pointing to a likely Russian origin. The investigation began with a single exposed directory flagged by researcher Volodymyr “Bob” Diachenko and expanded to uncover more than 260 operation servers.

The report analyzes the complete five-stage attack chain: Masscan and Shodan reconnaissance, SSH brute-force against FortiGate admin accounts, deployment of the Golang-based FortigateSniffer that abuses the FortiOS diagnose sniffer packet command across 24 protocols, distributed GPU cracking through Hashtopolis and Hashcat, and session-cookie replay for persistent access. It also documents the actor’s isolated offensive lab, rented vast.ai GPU capacity, hosting across Russian and Ukrainian networks, victimology, MITRE ATT&CK mapping, and a full set of Indicators of Compromise.

Researchers who would rather skip the form, or are unable to use it, can also email [email protected] and we will send the report over.

➡️ Download the full report to explore the tooling, infrastructure, attribution findings, and operational mechanics behind one of the largest FortiGate credential-harvesting operations observed by SOCRadar Threat Research.

Key Highlights:

  • Full reconstruction of a credential-harvesting operation active since at least February 2026, targeting over 430,000 FortiGate firewalls
  • Analysis of FortigateSniffer, a Golang tool that turns compromised firewalls into passive credential collectors across 24 authentication protocols
  • Breakdown of the complete five-stage attack chain, from reconnaissance and brute-force to harvesting, cracking, and exfiltration
  • More than 659 harvest cycles that exposed over 110 million credentials, including RADIUS, NTLM, and Kerberos material
  • Examination of the actor’s offensive infrastructure: an isolated Kali VM lab, Hashtopolis and Hashcat GPU clusters, vast.ai rented capacity, and CyberStrike automation
  • Confirmed breach and DFS data exfiltration from a NATO-aligned defense contractor
  • Victimology analysis covering revenue, employee count, geography, and sector, with IT services and SMBs under 200 employees as the dominant victim profile
  • Indicators of Compromise (IoCs) and defensive recommendations for security teams

This report is designed for threat intelligence analysts, SOC teams, incident responders, threat hunters, and security leaders seeking to understand how attackers weaponize trusted network appliances for large-scale credential theft.