75,000 Fortinet Firewalls Breached: How a GPU Cluster Cracked Corporate Credentials at Scale
Russian-speaking criminals spent months cracking admin passwords on 75,000 corporate Fortinet firewalls using a 45-GPU password-cracking cluster, then used those credentials to silently burrow into company networks — including at least one NATO defense contractor from which classified documents were allegedly stolen, according to researchers.
The campaign, dubbed FortiBleed by researchers at Hudson Rock and Volodymyr "Bob" Diachenko, processed more than 1.16 billion credential attempts against 320,777 FortiGate targets and an additional 2.1 billion attempts against 163,650 MSSQL servers, according to Diachenko's analysis posted to LinkedIn [Diachenko LinkedIn post]. The result is a verified database of working credentials spanning 21,632 unique domains and 194 countries, the researchers said [Hudson Rock / Infostealer blog].
The Attack Chain: SSL VPN Interception → GPU Cracking → Active Directory Pivot
The operation did not rely on a novel zero-day. "They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments," Diachenko wrote [The Register initial reporting]. The Hashtopolis framework is an open-source distributed password-cracking platform widely available to threat actors.
Compromised organizations include major enterprises: FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PwC, Accenture, Oracle, and others [The Register]. Lenovo confirmed it is looking into the report; the other named companies did not respond to The Register at time of publication.
At least four organizations were fully compromised, including the Turkish NATO defense contractor, where classified defense documents were allegedly exfiltrated [Diachenko / The Register]. The classified-document claim is attributed to Diachenko and has not been independently verified.
Why Patching Wasn't Enough
The scale of the breach becomes more alarming in context: the 75,000 compromised FortiGates represent roughly half of all internet-facing Fortinet firewalls, as measured by Shodan [Kevin Beaumont, DoublePulsar / Medium]. Security researcher Kevin Beaumont, who independently verified the credential data, noted that many of the compromised devices were running relatively recent firmware — suggesting that applying patches alone did not prevent this campaign.
"The scale of this breach touches nearly every sector of the global economy, sparing no industry," Hudson Rock said on its Infostealer blog. "The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet." [Hudson Rock / Infostealer blog]
Fortinet's Response: 'Not a Fresh Breach'
Fortinet disputed the characterization. A company spokesperson told The Register that the incident reflects resharing of data from prior incidents combined with credential bruteforcing — not a new attack vector — and pointed to its March guidance recommending routine credential rotation [The Register].
The dispute matters for how enterprises should weigh vendor denials: if credential stuffing from infostealer logs still works at this scale after patches are applied, the question of whether the data is "fresh" is secondary to the question of whether management-plane exposure is adequately controlled.
What Defenders Should Do Right Now
The standard post-breach advice — rotate your passwords — is correct but incomplete in this case, because Fortinet's own guidance was already public before this campaign, and 75,000 devices were compromised anyway. Security researcher Kevin Beaumont's observation that many compromised devices ran recent firmware is load-bearing evidence that the structural risk lives in the management plane, not in a patch cycle [Beaumont, DoublePulsar].
Actionable steps for FortiGate administrators:
- Rotate all admin and SSL VPN passwords immediately — assume credentials are already in attacker hands.
- Enable multi-factor authentication on all management and SSL VPN interfaces — this is the primary control that breaks the credential-reuse pipeline.
- Audit internet-facing management interfaces — if your FortiGate admin panel is exposed to the public internet, move it behind a VPN or jump host.
- Monitor for new or unexpected admin accounts — Active Directory account creation is a leading indicator of post-credential-theft lateral movement.
- Subscribe to Fortinet PSIRT advisories and treat SSL VPN and management-plane CVEs as critical regardless of patch status.
- Check the Hudson Rock lookup tool (hudsonrock.com/fortinet) to see if your organization's domain appears in the infostealer telemetry.
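The monitoring steps above (watching for brute-force or password-spray activity against SSL VPN and admin logins, and for new admin accounts) can be turned into simple detection logic. The script below is an added example written for this article; it is not code from Hudson Rock, Diachenko, Beaumont or Fortinet. The log lines it runs over are constructed, in a key=value layout only loosely modelled on firewall event logs, and the field names (`ts`, `action`, `status`, `user`, `srcip`, `cfgpath`, `cfgobj`) and the alert thresholds are assumptions to be mapped onto your real log schema. It flags three things: a source spraying failed logins across many accounts, a successful login from a source that had just been failing repeatedly (the signature of a cracked or stuffed credential), and the creation of an admin object.

```python
"""Detection helpers for credential-abuse patterns against firewall logins.

Added example, not code from the article or any named researcher or vendor.
Log format, field names and thresholds are assumptions; adapt to your schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# CONSTRUCTED sample log: one source sprays five accounts, then gets in as
# one of them, then an admin object is added from that same source.
SAMPLE_LOG = """\
ts=2025-04-02T01:00:01Z type=event subtype=vpn action=ssl-login status=failure user=alice srcip=203.0.113.7 reason=bad_password
ts=2025-04-02T01:00:03Z type=event subtype=vpn action=ssl-login status=failure user=bob srcip=203.0.113.7 reason=bad_password
ts=2025-04-02T01:00:05Z type=event subtype=vpn action=ssl-login status=failure user=carol srcip=203.0.113.7 reason=bad_password
ts=2025-04-02T01:00:07Z type=event subtype=vpn action=ssl-login status=failure user=dave srcip=203.0.113.7 reason=bad_password
ts=2025-04-02T01:00:09Z type=event subtype=vpn action=ssl-login status=failure user=erin srcip=203.0.113.7 reason=bad_password
ts=2025-04-02T01:00:40Z type=event subtype=vpn action=ssl-login status=success user=erin srcip=203.0.113.7
ts=2025-04-02T01:05:00Z type=event subtype=system action=login status=failure user=admin srcip=198.51.100.9 reason=bad_password
ts=2025-04-02T01:05:30Z type=event subtype=system action=login status=success user=admin srcip=192.0.2.10
ts=2025-04-02T01:06:00Z type=event subtype=system action=Add status=success user=admin srcip=203.0.113.7 cfgpath=system.admin cfgobj=svc-backup
"""

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
LOGIN_ACTIONS = {"ssl-login", "login"}       # assumed action names for VPN and admin logins


def parse_line(line):
    """Split one key=value line into a dict and parse the timestamp."""
    rec = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def spraying_sources(records, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Sources with >= min_failures failed logins against >= min_users distinct
    accounts inside one sliding window: a password spray or brute-force pattern.
    Returns {srcip: sorted list of targeted users}."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("action") in LOGIN_ACTIONS and r.get("status") == "failure":
            by_src[r["srcip"]].append(r)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda r: r["ts"])
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def success_after_failures(records, window=timedelta(minutes=10), min_failures=3):
    """Successful logins from a source that failed >= min_failures times in the
    preceding window: the shape a cracked or stuffed credential leaves behind.
    Returns [(srcip, user, failures_before_success)]."""
    recent_fail = defaultdict(list)
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("action") not in LOGIN_ACTIONS:
            continue
        src = r["srcip"]
        recent_fail[src] = [t for t in recent_fail[src] if r["ts"] - t <= window]
        if r["status"] == "failure":
            recent_fail[src].append(r["ts"])
        elif r["status"] == "success" and len(recent_fail[src]) >= min_failures:
            alerts.append((src, r["user"], len(recent_fail[src])))
    return alerts


def admin_account_changes(records):
    """Admin-object creations (assumed cfgpath=system.admin): the 'new or
    unexpected admin account' indicator. Returns [(srcip, actor, new_object)]."""
    return [(r["srcip"], r["user"], r["cfgobj"]) for r in records
            if r.get("action") == "Add" and r.get("cfgpath") == "system.admin"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("spraying sources:", spraying_sources(recs))
    print("success after failures:", success_after_failures(recs))
    print("admin objects added:", admin_account_changes(recs))
```

On the constructed sample, 203.0.113.7 is reported as a spraying source (five failures across five accounts in eight seconds), the later success as `erin` from that source is flagged because five failures preceded it within the window, and the `svc-backup` admin object creation is listed; the single failure from 198.51.100.9 and the clean admin login from 192.0.2.10 produce nothing. The same three checks correlate well: an admin object created from a source that was spraying minutes earlier is exactly the post-credential-theft pivot the article describes, and is worth alerting on as a single combined event.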
The Structural Problem: Infostealer Logs + GPU Clusters + Exposed Management Planes
The FortiBleed campaign is not a singular event — it is a concrete instantiation of a repeating credential-theft pipeline: infostealer malware captures corporate credentials, those credentials are aggregated and sold, GPU clusters crack weak or reused passwords at scale, and exposed SSL VPN or admin interfaces provide the entry point. Patches do not break this chain.
This class of attack has been documented against corporate SSL VPNs broadly; FortiGate's history as a frequent target of SSL-VPN vulnerabilities (FortiOS SSL-VPN bugs have been exploited in the wild repeatedly) makes it a high-value target for this pipeline specifically.
Hudson Rock published a lookup page at hudsonrock.com/fortinet and a dedicated Infostealer.com write-up [Hudson Rock lookup].
Researchers: Hudson Rock (infostealer telemetry), Volodymyr "Bob" Diachenko (data-leak researcher), Kevin Beaumont (independent security researcher, Medium/DoublePulsar). Vendor: Fortinet spokesperson statement. Device counts contextualized via Shodan.