
“Attribution is ongoing, but the operational fingerprints are clear,” SOCRadar researchers said in a blog post, adding that the tooling and targeting choices are consistent with Russian-speaking threat actors.
According to independent analyses, including by SOCRadar, Hudson Rock, and security researcher Kevin Beaumont, the threat actors systematically collected configuration files from internet-facing Fortinet FortiGate firewalls and used them to recover working administrator credentials. The initial access vector is presently unknown.
watchTowr CEO Benjamin Harris said the campaign is consistent with what he has been seeing lately. “The uncomfortable reality is that modern exploitation isn’t always about immediate impact,” he said. “It’s about harvesting data that retains value long after the underlying vulnerability has been patched.”
