UPDATE: FortiBleed scale revised to 430K firewalls / 110M credentials; NATO-contractor exfiltration and a Russian-IAB attribution
From CTI Daily Brief — 2026-06-24 · published 2026-06-24
UPDATE (originally covered 2026-06-18; last delta 2026-06-23): SOCRadar's full "Dismantling FortiBleed" report sharply revises the campaign's scale and attribution: it documents >430,000 FortiGate firewalls targeted and >110 million credentials harvested across 650+ collection pipelines, and attributes the operation to a likely Russian-speaking initial-access broker running financially motivated activity (SecurityWeek, 2026-06-23; The Hacker News, 2026-06-23). The prior figure of 86,644 confirmed-compromised devices was the device count; the new numbers are the broader targeting and credential-collection totals.
The material new development is the first named high-value victim: on 2026-06-15 the operators offline-cracked Kerberos hashes and exfiltrated DFS backup data from a NATO-aligned defence contractor, moving the campaign from undifferentiated credential harvesting into confirmed geopolitical-risk territory. SpyCloud's analysis of the same infrastructure found parallel credential-collection runs against Synology, Sophos and MSSQL estates (SpyCloud, 2026-06-19). The reported mechanism remains consistent with prior coverage — SSH brute-force seeding, the Golang FortigateSniffer capturing authentication traffic, and offline GPU cracking — with no new Fortinet CVE involved (one reverse-engineering write-up framed the access around an older path-traversal CVE; that mechanism is not corroborated by the SOCRadar reporting and is not asserted here — see § 7).
Defender action for EU/CH FortiGate operators is unchanged but reinforced: assume any credential that transited an exposed FortiGate during the campaign window is burned, and — because the operators pivot to Kerberos/AD — run a retrospective hunt for Kerberoasting (T1558.003, EID 4769 anomalies on service accounts) and replication-style access (EID 4662) in the days after your device's exposure, and enforce credential non-reuse between appliance and domain accounts.
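The retrospective hunt above, written out as detection logic over constructed Windows Security events (an added example, not code from the brief or from the SOCRadar/SpyCloud reports). The requester-count threshold, the ten-minute window and all account names are assumptions; the replication extended-rights GUIDs are the well-known Active Directory values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Extended-rights GUIDs that a replication-style read leaves in a 4662 event's
# Properties field (well known); threshold and window are assumed tuning values.
REPLICATION_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}  # DS-Replication-Get-Changes-All
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC service tickets, the offline-crackable kind
SPN_THRESHOLD, WINDOW = 3, timedelta(minutes=10)

def hunt_kerberoast(events):
    """Requesters pulling >= SPN_THRESHOLD distinct RC4 service tickets within WINDOW."""
    by_requester = defaultdict(list)
    for e in events:
        if (e["EventID"] != 4769 or e["TicketEncryptionType"] not in RC4_ETYPES
                or e["ServiceName"].endswith("$") or e["ServiceName"] == "krbtgt"):
            continue  # skip non-TGS events, AES tickets, machine-account SPNs and the TGT itself
        by_requester[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    hits = {}
    for user, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window anchored at each request
            spns = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(spns) >= SPN_THRESHOLD:
                hits[user] = sorted(spns)
                break
    return hits

def hunt_replication(events):
    """4662 events carrying a replication GUID from a non-machine subject (DC-to-DC is noise)."""
    return [(e["SubjectUserName"], e["Time"]) for e in events
            if e["EventID"] == 4662 and not e["SubjectUserName"].endswith("$")
            and REPLICATION_GUIDS & set(re.findall(r"[0-9a-f-]{36}", e["Properties"].lower()))]

def tgs(t, user, spn, etype):  # compact constructor for a 4769 record
    return {"EventID": 4769, "Time": t, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": etype}
def dsa(t, subject, props):  # compact constructor for a 4662 record
    return {"EventID": 4662, "Time": t, "SubjectUserName": subject, "Properties": props}

# Constructed sample events, not real telemetry; field names follow the Security log schema.
SAMPLE = [
    tgs("2026-06-15T02:01:00", "j.doe@CORP.LOCAL", "svc-sql", "0x17"),
    tgs("2026-06-15T02:01:05", "j.doe@CORP.LOCAL", "svc-backup", "0x17"),
    tgs("2026-06-15T02:01:09", "j.doe@CORP.LOCAL", "svc-web", "0x17"),
    tgs("2026-06-15T02:01:12", "j.doe@CORP.LOCAL", "WS01$", "0x17"),      # machine SPN, ignored
    tgs("2026-06-15T09:00:00", "a.smith@CORP.LOCAL", "svc-sql", "0x12"),  # AES, routine use
    dsa("2026-06-15T02:30:00", "svc-backup", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    dsa("2026-06-15T02:31:00", "DC02$", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),  # DC-to-DC, expected
]
```

On the sample, `hunt_kerberoast` surfaces `j.doe` for three distinct RC4 SPNs in under a minute and `hunt_replication` surfaces the `svc-backup` replication read while ignoring the domain controller's own.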