Researchers say a sweeping hacking campaign targeting devices made by Fortinet has led to compromises across the internet, with evidence of password theft at Fortune 500 companies and government agencies in more than 15 countries.
Most of the affected devices were in the United States, India, and Taiwan, according to Hudson Rock, a firm that tracks cybercrime. Hudson Rock described the scale of the spy campaign as “staggering.”
“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” it said in a blog post published on Wednesday. The firm said that some 75,000 Fortinet firewall and VPN devices – tools that companies use to protect their networks and allow employees to log in remotely – had been compromised, potentially allowing the hackers to penetrate deeper into these organizations and steal data.
In a statement, Fortinet said it was aware of a campaign to steal login credentials from its firewall and VPN devices.
The company said that hackers were drawing on data “from previous incidents” and guessing passwords repeatedly—a technique known as “bruteforcing” to break into target networks or devices.
Fortinet said the malicious cyber activity was “not related to any recent incident or advisory.” The company did not immediately respond to questions about the scope of the campaign uncovered by researchers, and Reuters could not establish how many password thefts led to intrusions at the affected companies.
Officials at the U.S. cyber defense agency CISA, the FBI, and the Office of the National Cyber Director did not immediately return emails. Cybersecurity officials in India and Taiwan did not immediately return emails.
Agencies in the states of Washington and Nevada whose credentials were captured in the data did not immediately respond to a request for comment. A staffer at one agency in South Carolina told Reuters they were unaware of the situation, while another employee said they would look into it before providing any additional information.
Nearly 120 distinct credentials across five government entities in Puerto Rico were among those swept up in the campaign, according to cybersecurity research firm Hudson Rock. A spokesperson for the Puerto Rico Police Department, which was included in the list, referred questions to the Puerto Rico Innovation and Technology Service. A spokesperson for the office did not immediately respond to a request for comment.
Bob Diachenko, a security researcher and owner of cybersecurity company Securitydiscovery.com, discovered the data in an open server as part of his normal monitoring work, he said in an interview.
“This is quite significant,” he said, adding the campaign showed a “very creative approach to bruteforcing, with a multilayer password cracking architecture.”
Diachenko said scripts discovered in the data included Russian-language instructions, suggesting the campaign may be the work of a Russian cybercrime group.
Topics
Cyber
Interested in Cyber?
Get automatic alerts for this topic.
