Full Report
Researchers scoured logs, finding opsec fail for at least one person who was working with INC and Lynx simultaneously
Analysis Summary
# Threat Actor: FortiBleed IAB Group (Affiliated with INC and Lynx)
## Attribution & Identity
- **Actor Name:** Currently identified as an Initial Access Broker (IAB) group (Unnamed specifically in the article).
- **Associated Groups:**
- **INC Ransom:** A known ransomware-as-a-service (RaaS) operation.
- **Lynx:** A ransomware group.
- **Identity Details:** SOC Radar’s Threat Research Unit (STRU) identified a group consisting of approximately 20 members. At least one operator was found to be working for both INC and Lynx simultaneously, linking the IAB infrastructure directly to these ransomware brands.
## Activity Summary
The actor conducted a massive credential-harvesting and network-intrusion campaign known as **FortiBleed** (disclosed June 17, 2026). The group targeted over 430,000 firewalls to intercept SSL VPN authentication hashes. Following the harvest, the group transitioned from access brokering to active ransomware negotiation, with at least 12 specific ransomware attacks directly linked to this campaign's victims.
## Tactics, Techniques & Procedures
- **Credential Interception:** Intercepting SSL VPN authentication hashes (specifically targeting SHA-256 with salt) from Fortinet portals.
- **Brute-Forcing/Cracking:** Utilizing a significant 45-GPU cluster hosted by **Hashtopolis** to crack intercepted hashes.
- **Lateral Movement & Escalation:** Using cracked credentials to access VPNs, eventually gaining access to Domain Controllers and achieving Domain Admin privileges.
- **Persistence:** Maintaining access to Active Directory environments for hand-off to ransomware affiliates.
- **Exfiltration:** Evidence of copying classified files (specifically from defense sectors).
**MITRE ATT&CK IDs:**
- **T1558:** Steal or Forge Kerberos Tickets (Implied via hash interception)
- **T1110.002:** Brute Force: Password Cracking
- **T1078:** Valid Accounts
- **T1018:** Remote System Discovery
## Targeting
- **Sectors:** Technology, Manufacturing, Telecommunications, Logistics, Professional Services, and Defense (specifically a NATO contractor).
- **Geography:** Global footprint (implied by the list of multinational victims).
- **Victims:**
- **Confirmed/High Confidence:** FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PwC, Accenture, Oracle, and an unnamed Turkish NATO defense contractor.
- **Scale:** 430,000 firewalls targeted; 11,250 portals scanned; 409 targets with confirmed admin-level access.
## Tools & Infrastructure
- **Hashtopolis:** A platform used for distributed password cracking.
- **Hardware:** 45-GPU cluster used for high-speed hash cracking.
- **Compromised Infrastructure:** Hundreds of servers mapped across the globe used to intercept traffic.
- **Targeted Software:** Fortinet FortiGate SSL VPNs using legacy SHA-256 password hashing.
## Implications
The FortiBleed campaign demonstrates a highly efficient "pipeline" from vulnerability exploitation to ransomware deployment. The overlap of operators between the IAB and major ransomware brands (INC and Lynx) suggests that IABs are becoming more deeply integrated into the RaaS ecosystem rather than acting as independent third parties. For organizations, a compromise of edge network gear is no longer just a data leak; it is a high-probability precursor to a full-scale ransomware event.
## Mitigations
- **Credential Reset:** Force a password reset for all administrative accounts on Fortinet devices to ensure credentials are re-stored using the more secure PBKDF2 algorithm (introduced by Fortinet in 2025).
- **Multi-Factor Authentication (MFA):** Implement hardware-based MFA for all VPN and administrative access to prevent cracked credentials from being used for entry.
- **Patching:** Ensure all Fortinet appliances are updated to versions that support PBKDF2 by default.
- **Audit Logs:** Monitor Active Directory logs for unusual Domain Admin logins originating from VPN IP ranges.