A Russian-speaking criminal group has compromised 73,932 Fortinet firewall and virtual private network (VPN) devices across 194 countries in an ongoing campaign dubbed FortiBleed, with the exfiltration of classified documents from a Turkish NATO defense contractor drawing the most serious alarm.
Security researcher Bob Diachenko of SecurityDiscovery.com discovered the dataset on the attackers’ command-and-control (C2) server.
Hudson Rock, a cybersecurity firm that independently analyzed the data, confirmed the NATO contractor breach, while Diachenko noted the group achieved full network compromise across Japan, Taiwan, Vietnam, Iraq, and Turkey.
“Most alarmingly, this includes a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated by the group,” Hudson Rock said.
The campaign required no zero-day exploit. Attackers mass-scanned internet-facing FortiGate login endpoints, deployed a custom tool with 25,000 simultaneous threads to spray credential combinations, and cracked intercepted VPN authentication hashes on a 45-GPU cluster managed through Hashtopolis, a distributed hash-cracking platform.
Successful passwords fed back into a 12-level recursive system that generated new candidates, making the operation self-sustaining.
Once inside a device, the group used it as a network listening post, collecting additional credentials from passing traffic before pivoting to Microsoft Active Directory and Remote Authentication Dial-In User Service (RADIUS) authentication servers.
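The spray-then-crack pattern described above leaves a distinctive footprint in the firewall's own event log: one source address failing against many different usernames in a short window, followed by a success. The script below is an added example, not code from the original article or from Fortinet, that runs a simple sliding-window spray detector over a few constructed log lines. The lines imitate the FortiGate `key="value"` syslog layout, but the specific field names used (`action`, `user`, `remip`, `date`, `time`) and the action values `ssl-login-fail` / `ssl-login-ok` are assumptions chosen for illustration; map them to whatever your firmware version actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines modelled on the FortiGate key="value" syslog
# style. Field names and action values are assumptions for this example, not a
# verified schema. One source sprays six usernames, lands on "frank", and a
# second, unrelated source makes a single mistyped login before succeeding.
SAMPLE_LOGS = """\
date=2026-03-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip="203.0.113.10"
date=2026-03-01 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip="203.0.113.10"
date=2026-03-01 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip="203.0.113.10"
date=2026-03-01 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip="203.0.113.10"
date=2026-03-01 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip="203.0.113.10"
date=2026-03-01 time=10:00:06 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip="203.0.113.10"
date=2026-03-01 time=10:00:09 type="event" subtype="vpn" action="ssl-login-ok" user="frank" remip="203.0.113.10"
date=2026-03-01 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip="198.51.100.7"
date=2026-03-01 time=10:05:30 type="event" subtype="vpn" action="ssl-login-ok" user="alice" remip="198.51.100.7"
"""

# Matches key=value pairs where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def detect_spray(log_text, window=timedelta(minutes=2), min_users=5):
    """Flag source IPs that fail against >= min_users distinct usernames within
    `window`, and record any successful login from a flagged IP afterwards.

    Returns {remip: {"distinct_users": int, "success_after_spray": [users]}}.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails = defaultdict(list)  # remip -> [(timestamp, username), ...]
    findings = {}
    for e in events:
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        ip = e.get("remip")
        if e.get("action") == "ssl-login-fail":
            fails[ip].append((ts, e["user"]))
            # Distinct usernames tried from this IP inside the trailing window.
            recent = {u for t, u in fails[ip] if ts - t <= window}
            if len(recent) >= min_users:
                f = findings.setdefault(
                    ip, {"distinct_users": 0, "success_after_spray": []})
                f["distinct_users"] = max(f["distinct_users"], len(recent))
        elif e.get("action") == "ssl-login-ok" and ip in findings:
            # A success from a source already flagged as spraying is the
            # highest-priority signal: a credential was guessed correctly.
            findings[ip]["success_after_spray"].append(e["user"])
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOGS).items():
        print(f"{ip}: {info['distinct_users']} distinct users tried, "
              f"successful logins after spray: {info['success_after_spray']}")
```

The per-source threshold is deliberately the simplest dimension; a tool running tens of thousands of threads can just as easily distribute attempts across many source addresses, so a production rule should also aggregate on the username side (many sources hitting the same account) and on the global failure rate per endpoint. The "success after spray" list is the line that turns an alert into an incident: it names the account whose VPN password is now in the attacker's hands and should be reset, with its sessions revoked, before the credential is reused against Active Directory or RADIUS.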
Independent researcher Kevin Beaumont confirmed the credentials are real and current after direct verification with affected organizations. SOCRadar’s telemetry has since raised the total to 86,644 compromised devices globally, affecting over 22,000 corporate domains. Named organizations in the dataset include Oracle, Chevron, Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture.
Fortinet spokesperson Tiffany Curci said the data represents “a resharing of data from previous incidents, as well as bruteforcing of credentials” and is “not related to any recent incident or advisory.” Researchers counter that many affected devices run recent firmware versions, pointing to an active and current campaign.
“The scale is the sophistication,” Diachenko said.