FortiBleed Campaign: How Attackers Used a Custom Sniffer to Steal Fortinet Credentials at Scale
A sophisticated and far-reaching cyberattack campaign targeting Fortinet FortiGate firewall devices has come under intense scrutiny after security firm SOCRadar published a detailed analysis of the operation. Dubbed FortiBleed, the campaign leveraged specially crafted network sniffers to silently harvest authentication secrets and steal credentials from compromised firewalls across the globe. The findings paint a troubling picture of how threat actors are increasingly moving beyond simple exploitation toward persistent, intelligence-gathering tooling that is difficult to detect and disrupt.
What Is the FortiBleed Campaign?
The FortiBleed campaign is a large-scale cyberattack operation that specifically targets Fortinet FortiGate devices — a widely deployed line of next-generation firewalls used by enterprises, government agencies, and critical infrastructure providers around the world. Rather than simply gaining access and moving on, the attackers behind FortiBleed took a methodical approach designed to maximize the intelligence value of each compromised device.
According to SOCRadar's research, the campaign involved the deployment of custom-built sniffer tools on compromised FortiGate appliances. These sniffers were engineered to monitor network traffic passing through the device and intercept authentication data — including usernames, passwords, session tokens, and other sensitive credentials — in transit. This passive interception technique allowed threat actors to remain hidden for extended periods while continuously exfiltrating valuable data.
The scale of the campaign is particularly alarming. FortiGate devices sit at the perimeter of corporate and government networks, meaning that compromising one effectively gives an attacker a privileged vantage point over all traffic flowing in and out of the organization. A sniffer operating at this level has access to an extraordinary volume of sensitive communications.
How the Custom Sniffer Works
At the heart of the FortiBleed operation is the use of purpose-built sniffer software tailored to the FortiGate platform. Unlike generic packet-capture tools, this custom malware was designed with the specific architecture and traffic patterns of FortiGate devices in mind, making it more efficient, harder to detect, and better suited to its harvesting objectives.
Once deployed on a compromised device, the sniffer operates quietly in the background, inspecting network packets and filtering for authentication-related data. This includes credentials submitted over management interfaces, VPN authentication exchanges, and other sensitive protocol communications that routinely flow through perimeter firewall appliances.
The use of a custom tool rather than an off-the-shelf solution also suggests a well-resourced threat actor — one with both the technical capability to develop targeted malware and the operational patience to run a long-term credential harvesting campaign. Security analysts have noted that this level of sophistication is commonly associated with state-sponsored actors or highly organized cybercriminal groups operating with nation-state-level resources.
Why FortiGate Devices Are a High-Value Target
Fortinet's FortiGate firewalls are among the most widely deployed network security appliances in the world. Their ubiquity in enterprise and government environments makes them an attractive target for threat actors seeking to compromise multiple high-value organizations through a single attack vector. When a vulnerability is discovered in a platform this common, the potential blast radius is enormous.
Historically, Fortinet devices have been the subject of several critical vulnerability disclosures, and they have consistently appeared on lists of most-exploited devices published by agencies such as CISA and the NSA. The FortiBleed campaign exploits this reality, taking advantage of the fact that many organizations are slow to patch network appliances — particularly perimeter devices — due to concerns about downtime and operational disruption.
From an attacker's perspective, a compromised FortiGate device offers several strategic advantages:
- Persistent access to all inbound and outbound network traffic, enabling passive credential harvesting over extended periods.
- A trusted position within the network that can facilitate lateral movement and deeper infiltration of target environments.
- Access to VPN credentials and session tokens that can be used to impersonate legitimate remote users without triggering standard security alerts.
- The ability to observe network topology and identify additional targets within the organization's infrastructure.
SOCRadar's Key Findings
SOCRadar's investigation into the FortiBleed campaign revealed several critical details about the operation's scope and methodology. The security firm identified multiple compromised FortiGate devices across different regions, all showing signs of the same custom sniffer tooling. The consistency of the tools and tactics across geographically dispersed targets strongly suggests a single, coordinated threat actor rather than opportunistic attacks by separate groups.
The research also highlighted the challenge that blue teams face when trying to detect this type of attack. Because the sniffer operates passively and does not generate significant anomalous traffic itself, standard intrusion detection systems may fail to flag the activity. Detection often requires deep inspection of device logs, firmware integrity checks, and behavioral analysis — capabilities that many organizations lack or do not apply consistently to their network appliances.
How Organizations Can Protect Themselves
The FortiBleed campaign underscores the urgent need for organizations to take the security of their network perimeter devices seriously. Recommended protective measures include the following:
- Patch promptly and consistently. Apply all available Fortinet security updates as quickly as operationally feasible. Many FortiBleed victims were running outdated firmware containing known vulnerabilities.
- Audit device configurations regularly. Review FortiGate configuration files and running processes for unauthorized changes or unexpected software components.
- Restrict management interface access. Limit access to device management interfaces to trusted IP addresses and enforce multi-factor authentication wherever possible.
- Monitor for indicators of compromise. Use SOCRadar's published indicators of compromise and threat intelligence feeds to hunt for FortiBleed-related activity on your network.
- Conduct firmware integrity verification. Regularly verify that device firmware has not been tampered with, as some advanced attackers modify firmware to achieve persistence that survives standard remediation efforts.
- Rotate credentials aggressively. If a compromise is suspected, immediately rotate all credentials that may have been exposed, including VPN accounts, administrative passwords, and service account tokens.
The Broader Implications for Network Security
The FortiBleed campaign is a stark reminder that network security appliances — the very devices organizations rely on to protect their perimeters — are themselves high-value targets that require rigorous security management. Too often, firewalls, VPN gateways, and similar devices are deployed and then left largely unmonitored, treated as fixed infrastructure rather than as attack surfaces that demand continuous attention.
As threat actors grow increasingly sophisticated in their targeting of perimeter devices, organizations must evolve their security programs to match. This means integrating network appliances into vulnerability management programs, extending endpoint detection and response philosophies to cover network hardware, and ensuring that threat intelligence pertaining to platforms like FortiGate is acted upon quickly when new campaigns are identified.
The FortiBleed campaign is not an isolated incident. It is part of a growing trend of persistent, intelligence-driven attacks against network infrastructure. Understanding how these attacks work — and responding with both urgency and rigor — is essential for any organization serious about protecting its most sensitive data and systems.