What Happened
New analysis published June 23, 2026 reveals the full technical scope of the FortiBleed credential harvesting campaign. Researchers found the attackers deployed a custom Golang-based tool called FortigateSniffer that abuses FortiOS’s built-in diagnose sniffer packet functionality — a legitimate diagnostic feature — to passively intercept authentication traffic passing through compromised FortiGate devices.
The sniffer operates across 24 protocols simultaneously, capturing Kerberos tickets, NTLM hashes, RADIUS credentials, LDAP bind credentials, RDP sessions, and MSSQL authentication — all without deploying additional malware or touching disk in ways that standard endpoint detection would flag. Researchers estimate the operation compromised more than 430,000 FortiGate firewalls across 194 countries, with over 110 million credentials harvested since at least February 2026. Confirmed victims include a NATO-aligned defence contractor.
Harvested hashes were cracked using a Hashtopolis-managed Hashcat GPU cluster augmented by dynamically rented GPU capacity from cloud providers, orchestrated through a dedicated Telegram bot. Tooling comments written in Cyrillic support attribution to Russian-speaking threat actors — consistent with earlier CISA and Fortinet advisories.
Why This Matters for Canadian Organizations
Fortinet FortiGate appliances are among the most widely deployed perimeter security devices in Canadian enterprise, government, healthcare, and telecommunications environments. Any organization running an unpatched or credential-exposed FortiGate is a potential node in this harvesting pipeline — and the passive nature of the sniffer means the attack leaves minimal log evidence. Credentials captured include domain hashes used across Active Directory environments, meaning a single compromised firewall can yield the keys to an entire corporate network.
The confirmation of a NATO-aligned defence contractor in the victim set raises the threat level for Canadian defence suppliers, federal departments, and Crown corporations. Under OSFI B-13, financial institutions with Fortinet perimeter devices face an obligation to assess whether their systems were included in the 430,000+ compromised devices. Canadian Security Establishment (CSE) and CCCS have previously warned of Russian state-affiliated targeting of Canadian critical infrastructure — this campaign fits that pattern directly.
The scale of credential exposure also creates downstream risk. Cracked NTLM and Kerberos hashes from Canadian organizations are now potentially circulating in criminal markets, making password spraying and pass-the-hash attacks against Canadian enterprise networks more probable in the weeks ahead.
What to Do
Organizations should immediately verify whether any FortiGate appliances in their environment appear in the FortiBleed exposure lists published by Huntress and Arctic Wolf. All FortiGate administrative and VPN credentials must be rotated regardless of whether the device appears on those lists, as harvesting operated passively without leaving traces on the device itself. Enable multi-factor authentication on FortiGate management interfaces and SSL VPN gateways. Review FortiOS diagnostic sniffer command logs for unauthorized executions. Apply all available Fortinet patches and follow CISA and CCCS remediation guidance. Organizations with FortiGate devices connected to Active Directory should audit domain accounts for unusual authentication activity and consider a domain-wide credential rotation if exposure is suspected.
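As an added example (not code from the original report, Fortinet or the researchers cited), the "review sniffer command logs" step above can be turned into a repeatable check: parse FortiGate-style key=value event records and flag every diagnose sniffer packet execution that is not tied to an approved administrator account. The field names, the "Command executed:" message layout and the sample records are constructed assumptions; adjust them to the log fields your FortiOS version actually emits.

```python
import re
from typing import Dict, List, Sequence

# FortiGate event logs are space-separated key=value pairs with quoted values.
# The field names and the sample records below are constructed for this
# example; they are not taken from the FortiBleed analysis or from Fortinet docs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Matches the CLI command family the campaign abused ("diag" abbreviation included).
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b", re.IGNORECASE)

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quoted values unquoted)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}

def is_sniffer_execution(rec: Dict[str, str]) -> bool:
    """True when the record's msg field shows a packet sniffer being run."""
    return bool(SNIFFER_RE.search(rec.get("msg", "")))

def find_sniffer_events(lines: Sequence[str], approved_users: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Return sniffer executions that were not run by an approved admin account."""
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if is_sniffer_execution(rec) and rec.get("user") not in approved_users:
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}",
                         "user": rec.get("user", "?"), "ui": rec.get("ui", "?"),
                         "cmd": rec["msg"]})
    return hits

# Constructed sample records (not real FortiGate output); the second one is the
# kind of entry a passive credential capture would leave behind.
SAMPLE_LOGS = [
    'date=2026-06-20 time=09:12:01 type="event" subtype="system" level="information" user="admin" ui="https(10.10.0.5)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.0.5)"',
    'date=2026-06-20 time=09:14:33 type="event" subtype="system" level="notice" user="svc_backup" ui="ssh(203.0.113.7)" action="execute" msg="Command executed: diagnose sniffer packet any \'port 88 or port 389 or port 445\' 3 0"',
    'date=2026-06-20 time=09:20:10 type="event" subtype="system" level="notice" user="admin" ui="ssh(10.10.0.5)" action="execute" msg="Command executed: get system status"',
]

if __name__ == "__main__":
    for hit in find_sniffer_events(SAMPLE_LOGS, approved_users=("netops",)):
        print(f"ALERT {hit['time']} user={hit['user']} via {hit['ui']}: {hit['cmd']}")
```

Any hit from a service account, an unexpected source address, or outside a change window is a candidate for the credential-rotation and domain-audit steps described above.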
Source: BleepingComputer | Help Net Security