Attackers actively are targeting various sectors across nearly 200 countries and have already compiled a list of working credentials for tens of thousands of compromised devices
June 17, 2026
A large-scale cyber espionage and credential-harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries.
Researchers from SOCRadar discovered the campaign, which they believe is the work of a Russian-speaking threat actors, when they found an exposed operational server belonging to attackers. This gave them visibility into the group's tooling, victim database, automation infrastructure, and verified credential repository, according to a report published Tuesday.
"The attacker’s database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries," according to the report. "These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock."
