Massive Cyber Espionage Campaign Hits Fortinet Devices, Exposing Organizations Across 15 Countries

Researchers estimate that approximately 75,000 Fortinet firewall and VPN devices were compromised during the operation.

 

A large-scale cyber espionage operation targeting devices manufactured by Fortinet has resulted in widespread security compromises worldwide, according to cybersecurity researchers. The campaign is believed to have affected organizations across more than 15 countries, with evidence indicating stolen credentials from Fortune 500 companies and government institutions.

Cybercrime intelligence firm Hudson Rock reported that the majority of impacted devices were located in the United States, India and Taiwan. The company characterized the extent of the operation as "staggering."

"The scale of this breach touches nearly every sector of the global economy, sparing no industry," the firm stated in a blog post published on Wednesday.

Researchers estimate that approximately 75,000 Fortinet firewall and VPN devices were compromised during the operation. These systems are commonly used by organizations to secure networks and provide remote access for employees. The breach could potentially allow threat actors to gain deeper access into affected networks and extract sensitive information.

In response, Fortinet acknowledged awareness of an ongoing effort aimed at stealing login credentials from its firewall and VPN products.

The company explained that attackers were leveraging information obtained "from previous incidents" and using repeated password-guessing attempts — a method known as bruteforcing — to gain unauthorized access to targeted devices and networks.

Fortinet further clarified that the malicious activity was "not related to any recent incident or advisory." The company did not provide additional details regarding the overall scale of the campaign identified by researchers. Reuters was also unable to determine how many of the stolen credentials ultimately resulted in successful network intrusions.

Officials from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Office of the National Cyber Director did not immediately respond to requests for comment. Cybersecurity authorities in India and Taiwan also did not provide immediate responses.

Several state agencies in Washington and Nevada, whose credentials reportedly appeared in the compromised data, likewise did not respond to inquiries. In South Carolina, one agency employee told Reuters they were unaware of the issue, while another indicated the matter would be reviewed before further information could be shared.

Hudson Rock's findings also revealed that nearly 120 unique credentials linked to five government entities in Puerto Rico were included in the exposed dataset. Among the affected organizations was the Puerto Rico Police Department. A department spokesperson redirected questions to the Puerto Rico Innovation and Technology Service, which did not immediately respond to requests for comment.

The exposed data was first identified by cybersecurity researcher Bob Diachenko, owner of SecurityDiscovery.com, who said he uncovered the information on an unsecured server during routine monitoring activities.

"This is quite significant," Diachenko said, adding the campaign showed a "very creative approach to bruteforcing, with a multilayer password cracking architecture."

According to Diachenko, scripts found within the dataset contained instructions written in Russian, indicating that the operation may be linked to a Russian cybercrime group.
