Full Report
Around 270 organizations in Belgium, including law firms, local councils and schools, were affected by a cyber attack in February after their firewalls were compromised. According to Belgian cybersecurity company Secutec, more than 100 of these organizations can still be accessed online using stolen administrator accounts. The attack is linked to a Russian hacking group…
Analysis Summary
# Incident Report: Mass Compromise of Belgian Organizations via Firewall Vulnerabilities
## Executive Summary
In February 2026, approximately 270 Belgian organizations, including government entities and schools, were compromised through vulnerabilities in Fortinet firewall systems. Attributed to a Russian hacking group, the attack resulted in the theft of administrator credentials, leaving over 100 organizations vulnerable to persistent unauthorized access months after the initial breach.
## Incident Details
- **Discovery Date:** Reported June 2026 (Secutec analysis)
- **Incident Date:** February 2026
- **Affected Organization:** ~270 organizations (including law firms, local councils, and schools)
- **Sector:** Government, Legal, Education
- **Geography:** Belgium
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026
- **Vector:** Exploitation of firewall vulnerabilities.
- **Details:** Attackers targeted edge devices (Fortinet firewalls) to gain an initial foothold in the networks of Belgian entities.
### Lateral Movement
- **Details:** Following initial access to the firewalls, attackers moved to capture administrative credentials.
### Data Exfiltration/Impact
- **Details:** Theft of administrator accounts. Over 100 organizations remained accessible to the threat actors as of June 2026 due to un-remediated credential theft.
### Detection & Response
- **How it was discovered:** Analysis by Belgian cybersecurity firm Secutec.
- **Response actions taken:** Public disclosure by Secutec and reporting via Belga News Agency; notification of affected entities regarding persistent risks.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerabilities in Fortinet security appliances.
- **Persistence:** Maintaining access via stolen administrator accounts.
- **Privilege Escalation:** Gaining administrator-level control over firewall management interfaces.
- **Defense Evasion:** Use of legitimate but stolen credentials to blend with normal traffic.
- **Credential Access:** Theft of administrative login credentials during the firewall compromise.
- **Impact:** Wide-scale unauthorized access to critical infrastructure and public sector networks.
## Impact Assessment
- **Financial:** Not explicitly disclosed, but significant resource requirements for remediation across 270+ entities.
- **Data Breach:** Compromised administrator credentials for over 100 organizations.
- **Operational:** Potential for ongoing eavesdropping, data theft, or network disruption.
- **Reputational:** One of the largest security incidents in Belgium involving a major cybersecurity supplier.
## Indicators of Compromise
- **Network indicators:** Connections to known malicious IPs associated with Russian state-sponsored actors (defanged: [x].[x].[x].[x]).
- **Behavioral indicators:** Unauthorized logins to Fortinet management consoles using administrative accounts from unexpected geographic locations or at unusual times.
## Response Actions
- **Containment measures:** Identification of affected systems by Secutec.
- **Eradication steps:** Recommendations for password resets and firmware patching for Fortinet devices.
- **Recovery actions:** Continuous monitoring for organizations where administrator accounts remain exposed.
## Lessons Learned
- **Key takeaways:** Exploiting a single widely-used vendor (Fortinet) can provide a "force multiplier" effect for threat actors to hit hundreds of targets simultaneously.
- **What could have been done better:** Organizations failed to rotate credentials and audit account access immediately after the February firewall breach, allowing attackers to maintain access for months.
## Recommendations
- **Patch Management:** Promptly apply security updates for edge devices and firewalls (specifically Fortinet systems).
- **Identity Management:** Implement Mandatory Multi-Factor Authentication (MFA) for all administrative accounts, especially those accessing security infrastructure.
- **Incident Post-Mortem:** After a hardware compromise, organizations must assume all credentials stored on or passed through that device are compromised and perform a global password reset.