Fortinet VPN and firewall devices hit by sweeping cyber campaign across 15+ countries, security researchers say


Researchers say a sweeping hacking campaign targeting devices made by Fortinet has led to compromises across the internet, with evidence of password theft at Fortune 500 companies and government agencies in more than 15 countries.

Most of the affected devices were in the United States, India, and Taiwan, according to Hudson Rock, a firm that tracks cybercrime. Hudson Rock described the scale of the spy campaign as "staggering."

"The scale of this breach touches nearly every sector of the global economy, sparing no industry," it said in a blog post published on Wednesday. The firm said that some 75,000 Fortinet firewall and VPN devices - tools that companies use to protect their networks and allow employees to log in remotely - had been compromised, potentially allowing the hackers to penetrate deeper into these organizations and steal data.

In a statement, Fortinet said it was aware of a campaign to steal login credentials from its firewall and VPN devices.

The company said that hackers were drawing on data "from previous incidents" and guessing passwords repeatedly, a technique known as "bruteforcing," to break into target networks or devices.

Fortinet said the malicious cyber activity was "not related to any recent incident or advisory." The company did not immediately respond to questions about the scope of the campaign uncovered by researchers, and Reuters could not establish how many password thefts led to intrusions at the affected companies.

Officials at the US cyber defense agency CISA, the FBI, and the Office of the National Cyber Director did not immediately return emails. Cybersecurity officials in India and Taiwan did not immediately return emails.

Agencies in the states of Washington and Nevada whose credentials were captured in the data did not immediately respond to a request for comment. A staffer at one agency in South Carolina told Reuters they were unaware of the situation, while another employee said they would look into it before providing any additional information.

Nearly 120 distinct credentials across five government entities in Puerto Rico were among those swept up in the campaign, according to cybersecurity research firm Hudson Rock. A spokesperson for the Puerto Rico Police Department, which was included in the list, referred questions to the Puerto Rico Innovation and Technology Service. A spokesperson for the office did not immediately respond to a request for comment.

Fortinet VPN credentials leaked

Bob Diachenko, a security researcher and owner of cybersecurity company Securitydiscovery.com, discovered the data in an open server as part of his normal monitoring work, he said in an interview.

"This is quite significant," he said, adding the campaign showed a "very creative approach to bruteforcing, with a multilayer password cracking architecture."

Diachenko said scripts discovered in the data included Russian-language instructions, suggesting the campaign may be the work of a Russian cybercrime group.
