ctipilot.ch

Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified

incident · incident:polish-water-ot-2026

Coverage timeline: 3 appearances, first 2026-05-08 → last 2026-05-10
Briefs: 3 (3 distinct)
Sources cited: 12 (10 hosts)
Sections touched: 3 (active-threats, updates, weekly_summary)
Co-occurring entities: 8

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     Section: weekly_summary. Consolidated in weekly summary for week 2026-W19.
  2. 2026-05-09 · CTI Daily Brief — 2026-05-09
     Section: updates. UPDATE: ABW Annual Report 2025 names five specific facilities: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo. Formal tri-attribution: APT28 (GRU, initial access), APT29 (SVR, intelligence collection at Jabłonna Lacka), UNC1151 (Ghostwriter, disinformation). NIS2 coverage gap: all five facilities below 50-employee threshold at time of intrusion.
  3. 2026-05-08 · CTI Daily Brief — 2026-05-08
     Section: active-threats. First coverage. ABW advisory. Five water treatment OT networks compromised; pump control settings modified; manual override prevented service disruption. Attribution: pro-Russian hacktivists, pattern consistent with NoName057(16)/Cyber Army of Russia Reborn. [SINGLE-SOURCE-NATIONAL-CERT]

Where this entity is cited

  • active-threats: 1
  • updates: 1
  • weekly_summary: 1

Source distribution

  • securityweek.com: 3 (25%)
  • abw.gov.pl: 1 (8%)
  • arcticwolf.com: 1 (8%)
  • bleepingcomputer.com: 1 (8%)
  • blog.sekoia.io: 1 (8%)
  • fortinet.com: 1 (8%)
  • krebsonsecurity.com: 1 (8%)
  • spycloud.com: 1 (8%)
  • other: 2 (17%)

Items in briefs about Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified (6)

UPDATE: FortiBleed scale revised to 430K firewalls / 110M credentials; NATO-contractor exfiltration and a Russian-IAB attribution

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

UPDATE (originally covered 2026-06-18; last delta 2026-06-23): SOCRadar's full "Dismantling FortiBleed" report sharply revises the campaign's scale and attribution: it documents >430,000 FortiGate firewalls targeted and >110 million credentials harvested across 650+ collection pipelines, and attributes the operation to a likely Russian-speaking initial-access broker running financially-motivated activity (SecurityWeek, 2026-06-23; The Hacker News, 2026-06-23). The prior figure of 86,644 confirmed-compromised devices was the device count; the new numbers are the broader targeting and credential-collection totals.

The material new development is the first named high-value victim: on 2026-06-15 the operators offline-cracked Kerberos hashes and exfiltrated DFS backup data from a NATO-aligned defence contractor, moving the campaign from undifferentiated credential harvesting into confirmed geopolitical-risk territory. SpyCloud's analysis of the same infrastructure found parallel credential-collection runs against Synology, Sophos and MSSQL estates (SpyCloud, 2026-06-19). The reported mechanism remains consistent with prior coverage — SSH brute-force seeding, the Golang FortigateSniffer capturing authentication traffic, and offline GPU cracking — with no new Fortinet CVE involved (one reverse-engineering write-up framed the access around an older path-traversal CVE; that mechanism is not corroborated by the SOCRadar reporting and is not asserted here — see § 7).

Defender action for EU/CH FortiGate operators is unchanged but reinforced: assume any credential that transited an exposed FortiGate during the campaign window is burned, and — because the operators pivot to Kerberos/AD — run a retrospective hunt for Kerberoasting (T1558.003, EID 4769 anomalies on service accounts) and replication-style access (EID 4662) in the days after your device's exposure, and enforce credential non-reuse between appliance and domain accounts.
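One way to run the EID 4769 part of that retrospective hunt, as an added example that is not part of the brief or of any vendor tooling: it flags accounts that request many distinct RC4-encrypted service tickets inside a short window, the classic Kerberoasting signature, while ignoring machine accounts and TGT traffic. The sample events, and the account, SPN and IP values in them, are constructed.

```python
# Added example (not from the brief or any vendor tooling): retrospective
# Kerberoasting hunt over Windows Security EID 4769 (TGS request) records.
# Events are assumed already parsed to dicts; the sample below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType crackers want; AES tickets are 0x11/0x12

def _ev(ts, user, spn, enc=RC4_HMAC, ip="10.20.5.77"):
    """Constructed 4769 record: TargetUserName, ServiceName, enc type, IpAddress."""
    return {"ts": ts, "user": user, "spn": spn, "enc": enc, "ip": ip}

SAMPLE_4769 = (
    # burst: one account pulls six RC4 service tickets in five minutes
    [_ev(f"2026-06-15T02:1{i}:00", "j.doe", spn) for i, spn in enumerate(
        ["MSSQLSvc/db01", "MSSQLSvc/db02", "HTTP/intranet",
         "CIFS/fs01", "ldap/dc01", "exchangeMDB/mx01"])]
    # slow drip: six SPNs spread over hours, never inside a 10-minute window
    + [_ev(f"2026-06-15T0{3 + i}:00:00", "svc_monitor", f"HOST/srv{i}") for i in range(6)]
    # machine accounts and AES requests are excluded from the hunt
    + [_ev("2026-06-15T02:11:00", "WS01$", "CIFS/fs01"),
       _ev("2026-06-15T02:12:00", "admin", "HTTP/intranet", enc="0x12")]
)

def hunt_kerberoasting(events, window_minutes=10, min_spns=5):
    """Return {account: finding} for accounts that requested >= min_spns distinct
    SPNs with RC4 tickets inside any window of window_minutes."""
    per_user = defaultdict(list)
    for e in events:
        # TGT renewals and machine accounts are noise for this hunt
        if e["enc"] != RC4_HMAC or e["user"].endswith("$") or e["spn"].startswith("krbtgt"):
            continue
        per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["spn"], e["ip"]))
    window, findings = timedelta(minutes=window_minutes), {}
    for user, reqs in per_user.items():
        reqs.sort()
        best = None
        for i, (t0, _, _) in enumerate(reqs):  # window anchored at each request
            in_win = [r for r in reqs[i:] if r[0] - t0 <= window]
            spns = {r[1] for r in in_win}
            if len(spns) >= min_spns and (best is None or len(spns) > best["distinct_spns"]):
                best = {"distinct_spns": len(spns), "first": t0.isoformat(),
                        "last": in_win[-1][0].isoformat(),
                        "source_ips": sorted({r[2] for r in in_win})}
        if best:
            findings[user] = best
    return findings

if __name__ == "__main__":
    for user, f in hunt_kerberoasting(SAMPLE_4769).items():
        print(f"{user}: {f['distinct_spns']} SPNs {f['first']}..{f['last']} from {f['source_ips']}")
```

Tune `window_minutes` and `min_spns` to the estate; widening the window (as the second assertion below does) catches slower enumeration at the cost of more noise.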

FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

If you did nothing this week: any internet-facing FortiGate whose admin or SSL VPN credentials are in the "FortiBleed" corpus is a live initial-access foothold right now — patch level is irrelevant, because the leaked credential is the weapon, and the operator is already pivoting from validated VPN logins into internal Active Directory.

The FortiBleed dataset surfaced on 2026-06-17 as 73,932 unique FortiGate management URLs (~75,000 devices across 194 countries) paired with valid VPN and administrative credentials (BleepingComputer, 2026-06-17; daily 06-18). By 2026-06-19 the verified count had grown to 86,644 confirmed working credentials and CISA had issued an emergency hardening advisory (SecurityWeek, 2026-06-19; daily 06-20). Fortinet's PSIRT confirmed the campaign ties to previously disclosed incidents (FG-IR-26-060 / FG-IR-25-647) and that the credentials originated from exported device configurations — its position is that this is not a new CVE, the corpus being a reshare of prior-incident data combined with large-scale brute-forcing (Fortinet PSIRT, 2026-06-19) — but that distinction is cold comfort operationally: the credentials validate. The methodology that emerged this week is the load-bearing detail. A Russian-speaking actor intercepts SSL VPN authentication, cracks the captured hashes on a 45-GPU Hashtopolis cluster, and then uses the recovered service and admin accounts to move laterally into internal Active Directory (T1078 valid accounts following T1110 credential cracking).

The escalation that makes this § 1 rather than a routine credential-leak note is the AD pivot plus CISA's mandated response: terminate all SSL VPN sessions, reset every credential, migrate admin-hash storage from the older MD5-crypt scheme to PBKDF2, and enforce phishing-resistant MFA on all remote access. FortiGate is ubiquitous on Swiss and EU public-sector and telco perimeters, so treat any exposed device's local admin and VPN secrets as potentially in the corpus regardless of firmware version. Hunt for sequential VPN authentication failures from rotating residential IP ranges followed by a success and immediate internal RDP/SMB/LDAP reconnaissance, and cross-reference SSL VPN session logs against the Shadowserver notification feed.
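An added example (not from the brief, CISA or Fortinet) of the spray-then-success hunt over FortiGate SSL VPN event logs: many login failures for one account from several distinct source IPs, followed by a successful tunnel for that account. The log lines and the `action`/`user`/`remip` field names are constructed; "rotating residential IPs" is approximated by counting distinct source IPs, and the follow-on internal RDP/SMB/LDAP reconnaissance correlation is not shown.

```python
# Added example (not from the brief, CISA or Fortinet): flag VPN accounts whose
# SSL VPN login failures come from several rotating source IPs and are then
# followed by a successful tunnel. Lines are constructed in FortiGate's
# key=value style; the field names (action, user, remip) are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value event line into a dict with a datetime under 'ts'."""
    d = {k: v.strip('"') for k, v in KV.findall(line)}
    d["ts"] = datetime.fromisoformat(f'{d["date"]}T{d["time"]}')
    return d

def hunt_spray_then_success(lines, window_minutes=15, min_fail=4, min_ips=3):
    """Return {user: finding} where >= min_fail failures from >= min_ips distinct
    source IPs precede a tunnel-up for the same user within window_minutes."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    window, fails, findings = timedelta(minutes=window_minutes), defaultdict(list), {}
    for e in events:
        user = e.get("user", "")
        if e["action"] == "ssl-login-fail":
            fails[user].append(e)
        elif e["action"] == "tunnel-up":
            recent = [f for f in fails[user] if e["ts"] - f["ts"] <= window]
            ips = {f["remip"] for f in recent}
            if len(recent) >= min_fail and len(ips) >= min_ips:
                findings[user] = {"failures": len(recent), "fail_ips": sorted(ips),
                                  "success_ip": e["remip"], "at": e["ts"].isoformat()}
    return findings

def _line(t, action, user, ip):
    return (f'date=2026-06-19 time={t} type="event" subtype="vpn" '
            f'action="{action}" user="{user}" remip="{ip}"')

SAMPLE_LOG = (
    # constructed: five failures for one account from five different IPs, then a login
    [_line(f"10:0{i}:00", "ssl-login-fail", "vpn_admin", f"198.51.100.{10 + i}") for i in range(5)]
    + [_line("10:06:00", "tunnel-up", "vpn_admin", "198.51.100.20")]
    # constructed: a user mistyping twice from one IP before logging in (benign)
    + [_line("10:01:00", "ssl-login-fail", "m.muster", "203.0.113.5"),
       _line("10:02:00", "ssl-login-fail", "m.muster", "203.0.113.5"),
       _line("10:03:00", "tunnel-up", "m.muster", "203.0.113.5")]
)

if __name__ == "__main__":
    for user, f in hunt_spray_then_success(SAMPLE_LOG).items():
        print(f"{user}: {f['failures']} failures from {f['fail_ips']} then login from {f['success_ip']}")
```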

UPDATE: The Gentlemen (Storm-2697) claims OT-adjacent Mackay Sugar attack; operator attributed to a Russian national

From CTI Daily Brief — 2026-06-20 · published 2026-06-20

UPDATE (originally covered 2026-06-19): Following ESET's 2026-06-19 documentation of the group's GentleKiller EDR-killer framework, The Gentlemen ransomware group has claimed an OT-adjacent attack on Mackay Sugar (Australia's second-largest sugar producer), which confirmed on 2026-06-18 that an external party accessed its IT environment around 10 June, halting milling at two of three mills (The Record, 2026-06-18).

Separately, KrebsOnSecurity reported OSINT attribution identifying the group's administrator — operating as "Hastalamuerte" / "Zeta88" — as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia, cross-matched across ProtonMail addresses, Telegram IDs and Russian breach corpora (KrebsOnSecurity, 2026-06-10). Krebs reports the administrator uses AI tooling to develop ransomware and assist post-exploitation. The attribution is Krebs's analytical claim, not a confirmed indictment; for defenders the operational signal remains the group's 90%-affiliate RaaS model and its BYOVD EDR-kill tradecraft documented on 2026-06-19.

FortiBleed — 73,932 internet-facing FortiGate devices exposed, Russian-speaking group cracking credentials into Active Directory

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

A dataset branded "FortiBleed" surfaced on 2026-06-17 containing 73,932 unique FortiGate management URLs — roughly 75,000 devices across 194 countries and 21,632 domains — paired with valid VPN and administrative credentials (BleepingComputer, 2026-06-17). Fortinet's position is that this is not a new vulnerability: the corpus is a reshare of data from previous incidents combined with large-scale brute-forcing, and the credentials were validated as working. Per BleepingComputer, a Russian-speaking actor is performing systematic credential validation, offline password cracking and onward lateral movement into Active Directory at fully-compromised organisations in several countries (BleepingComputer, 2026-06-17); Arctic Wolf is separately tracking the FortiBleed campaign's reach across 194 countries (Arctic Wolf, 2026-06-17). The technique class is valid-account abuse (T1078) following credential access, not exploitation of a fresh CVE.

Why it matters to us: FortiGate is ubiquitous on Swiss and EU public-sector perimeters. Treat any internet-exposed FortiGate's local admin and VPN credentials as potentially in the corpus regardless of patch level — patching does not rotate an already-leaked credential. Force admin and VPN password resets, enforce MFA on all administrative and VPN logins, restrict the management interface off the WAN, and review FortiGate admin-login audit events and downstream domain-controller authentication (Windows EID 4624/4768) for logins from unexpected source addresses.

Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one) [SINGLE-SOURCE Sekoia TDR]

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Sekoia's first part of the Gamaredon series disclosed a January 2026 campaign arc (Sekoia TDR, 2026-06-01; daily 2026-06-02; update daily 2026-06-03). Initial access via CVE-2025-8088 (WinRAR path-traversal, widely unpatched) drops HTA payloads from xHTML attachments. GammaWorm's NTFS-ADS concealment and USB-propagation pattern is the signature detection challenge: filesystem timestamps are useless (ADS hides the worm content), and the worm spreads to any mounted drive and mapped share, meaning air-gap-adjacent workstations remain in scope. GammaSteel exfiltrates collected data directly to S3. Part two of the Sekoia series is outstanding and expected to detail further tooling. Open question: has the campaign reached any EU public-sector estate beyond its primary Ukrainian targets? The USB-propagation vector is exactly the mechanism Luna Moth used this week for physical office intrusion — conceptually distinct actors, coincidentally parallel technique.

Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

Poland's Internal Security Agency (ABW) disclosed that pro-Russian hacktivist actors penetrated the operational technology (OT) networks of five water treatment facilities and modified pump control parameters. At least one facility activated manual override procedures to prevent potential service disruption; no compromise of drinking water quality or supply loss was confirmed. ABW attributed the activity to actors operating in support of Russian geopolitical objectives but stopped short of formal state attribution. The attack pattern — IT/OT flat network exploitation leading to HMI manipulation — is consistent with prior campaigns attributed to NoName057(16) and Cyber Army of Russia Reborn in Central and Eastern European infrastructure. Polish water sector authorities and critical-infrastructure operators have been placed on heightened alert. The ABW advisory is a single-source national CERT/authority disclosure.