FortiBleed: 430,000 firewalls turned into silent password harvesters

26.6.2026 | Author: Top privacy

The FortigateSniffer tool has compromised 430,000 FortiGate firewalls and collected 110 million sets of login credentials. Find out if your organization is at risk and what to do.

Researchers from the SOCRadar Threat Research Unit (STRU) have documented a campaign called FortiBleed — a systematic operation by a financially motivated attacker who, from February through mid-June 2026, continuously harvested login credentials from compromised FortiGate devices around the world.

The attacker is assessed as an Initial Access Broker (IAB)—an entity that resells the access it gains to other groups, including ransomware operators. Cyrillic comments in the tool’s code suggest a possible Russian origin, with potential ties to state-sponsored groups.

CISA has issued an urgent alert regarding this threat and urges organizations to secure their Fortinet devices immediately.

How the Attack Worked

The attacker developed a custom tool called FortigateSniffer (also tracked as fg_sniffer)—a program written in Golang, available for both Linux and Windows, with an interface entirely in Russian. Instead of deploying traditional malware, the tool exploited FortiOS’s built-in diagnostic feature to passively capture all authentication traffic passing through the compromised firewall.

The operation unfolded in five phases:

  • Phase 1 — Reconnaissance: The attackers used Masscan and Shodan to identify FortiGate devices and rank them based on the target organization’s revenue—the attack was economically calculated from the outset, not random
  • Phase 2 — Gaining Access: Brute-force attacks on SSH and credential stuffing on SSL-VPN portals using 16 specialized dictionaries
  • Phase 3 — Deploying a Sniffer: FortigateSniffer was installed on each compromised device, passively capturing traffic across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, and SMB
  • Phase 4 — Cracking and lateral movement: The captured hashes were cracked using a GPU cluster (Hashcat + Hashtopolis), with the results delivered via a Telegram bot. The attackers then moved laterally through the Active Directory environment
  • Phase 5 — Exfiltration: Entire DFS shared storage repositories were streamed directly to the attackers’ servers. On June 15, 2026, a targeted exfiltration was carried out from a NATO-affiliated defense contractor

Who Is Affected

The scope of the campaign is extraordinary—23,406 unique domains across 80,553 FortiGate devices. Geographically, India (11.4%) and the U.S. (10.1%) are the most affected, but organizations around the world, including in Europe, have been impacted.

Key finding: 66% of victims have fewer than 200 employees. The attackers specifically targeted organizations large enough to run FortiGate but typically without a dedicated security team. IT service providers account for 8.4% of the victims—which gives attackers access to their customers’ environments.

As of mid-June 2026, the campaign was still partially active.

What to Do

If your organization operates FortiGate devices, we recommend taking the following steps immediately:

  • Change all login credentials for FortiGate devices—both SSH and SSL-VPN
  • Update FortiOS to the latest available version and apply all security patches
  • Check the logs for any unusual diagnostic activity or unknown processes
  • Restrict SSH access to the management interface to trusted IP addresses only
  • Audit Active Directory—check for new accounts, permission changes, and unusual logins
  • Contact your security partner if you suspect a compromise—time is of the essence
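The log check recommended above, worked through as an added example that is not part of the original article or of any SOCRadar or CISA guidance: a Python triage pass over constructed FortiGate key=value event lines that flags an admin login arriving after a burst of failures (the SSH brute force in Phase 2), admin sessions from outside an assumed management allowlist, and CLI use of the built-in packet sniffer (the diagnostic feature Phase 3 abused). The field names, the allowlist and every sample line are assumptions modelled on FortiGate's syslog layout, not records from any real incident.

```python
"""Triage FortiGate event logs for the FortiBleed pattern: a brute-forced admin
login followed by use of the built-in packet sniffer (added example)."""
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
TRUSTED_MGMT = {"10.0.0.5"}    # assumed management allowlist (constructed)
FAIL_THRESHOLD = 5             # failures before a success is suspicious

# Constructed sample lines in FortiGate's key="value" layout; the field names
# are assumptions modelled on the real format, not copied from any incident.
SAMPLE_LOGS = [
    'date=2026-03-02 time=03:14:0%d logdesc="Admin login failed" user="admin" '
    'ui="ssh(203.0.113.7)" status="failed"' % i for i in range(1, 7)
] + [
    'date=2026-03-02 time=03:14:09 logdesc="Admin login successful" user="admin" '
    'ui="ssh(203.0.113.7)" status="success"',
    'date=2026-03-02 time=03:15:30 logdesc="Command line interface" user="admin" '
    'ui="ssh(203.0.113.7)" msg="diagnose sniffer packet any"',
    'date=2026-03-02 time=09:00:00 logdesc="Admin login successful" user="netops" '
    'ui="https(10.0.0.5)" status="success"',
]

def parse(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def source_ip(rec):
    """ui="ssh(203.0.113.7)" -> "203.0.113.7"; None if the field is absent."""
    m = re.search(r"\(([^)]+)\)", rec.get("ui", ""))
    return m.group(1) if m else None

def triage(lines, trusted=TRUSTED_MGMT, threshold=FAIL_THRESHOLD):
    """Return findings as (kind, source_ip) tuples, in log order."""
    failures = defaultdict(int)   # consecutive failed admin logins per source
    findings = []
    for rec in map(parse, lines):
        ip, desc = source_ip(rec), rec.get("logdesc", "")
        if desc == "Admin login failed":
            failures[ip] += 1
        elif desc == "Admin login successful":
            if failures[ip] >= threshold:    # success right after a failure burst
                findings.append(("bruteforce_success", ip))
            if ip not in trusted:            # admin session from off the allowlist
                findings.append(("untrusted_admin_login", ip))
            failures[ip] = 0
        elif desc == "Command line interface" and rec.get("msg", "").startswith("diagnose sniffer"):
            findings.append(("packet_capture_started", ip))   # the diagnostic FortiBleed abused
    return findings

if __name__ == "__main__":
    for kind, ip in triage(SAMPLE_LOGS):
        print(f"{kind:24} {ip}")
```

In production the same three checks would be fed from the syslog collector rather than a list, and the allowlist should match the SSH restriction applied to the management interface.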

Source: Cyber Security News