According to the research, the threat actor operates an automated infrastructure that scans the internet for Fortinet devices and attempts authentication using a curated set of previously leaked or compromised credentials. Successful logins are recorded and continuously revalidated, creating a database of confirmed working credentials. Researchers also observed evidence suggesting that compromised devices may have been used to collect additional credentials and expand the victim pool through further credential reuse and validation activities.
The campaign appears focused on Fortinet SSL VPN and management interfaces exposed to the internet, including both standard and non-standard HTTPS ports. Analysis of the compromised credential set indicates extensive use of default, administrative, and organization-specific accounts, suggesting that password reuse, unchanged credentials from previous breaches, and insufficient account hardening contributed significantly to the success of the operation. Researchers reported affected organizations across government, telecommunications, healthcare, education, energy, and commercial sectors worldwide.
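As an added example, not part of the research or the summary above, the kind of check a defender could run over FortiGate SSL VPN event logs to spot this validation pattern: one source address failing logins across several distinct accounts and then succeeding on one of them. The log lines are constructed and only modelled on FortiGate's key=value event log syntax; the field names (`action`, `user`, `remip`) and the action values used here are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on FortiGate's key=value event log format.
# Field names and action values are assumptions for this example, not copied
# from any real device or from the report above.
SAMPLE_LOGS = """\
type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="jsmith" reason="sslvpn_login_unknown_user"
type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="backup" reason="sslvpn_login_unknown_user"
type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.10 user="admin" tunneltype="ssl-web"
type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.5 user="alice" reason="sslvpn_login_permission_denied"
type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.5 user="alice" tunneltype="ssl-web"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def detect_credential_validation(lines, min_distinct_users=3):
    """Flag sources that fail logins across several distinct accounts.

    A normal user mistypes their own password; a credential-validation bot
    walks a list of leaked accounts from one address. For each flagged source
    we also report accounts it later logged into successfully, since those
    are credentials the attacker has now confirmed as working.
    """
    failed_users = defaultdict(set)   # remip -> accounts with failed logins
    successes = defaultdict(set)      # remip -> accounts that logged in
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "vpn":
            continue
        ip, user = f.get("remip"), f.get("user")
        if not ip or not user:
            continue
        if f.get("action") == "ssl-login-fail":
            failed_users[ip].add(user)
        elif f.get("action") == "tunnel-up":
            successes[ip].add(user)
    alerts = []
    for ip, users in failed_users.items():
        if len(users) >= min_distinct_users:
            alerts.append({"remip": ip, "tried": sorted(users),
                           "confirmed": sorted(successes.get(ip, ()))})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_validation(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Accounts listed under `confirmed` are the ones to reset first, along with any session established from that source.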