Nation-State Level Compute Power From The AI Rush Enabled The Massive Fortibleed Campaign


<h1>Nation-State Level Compute Power From The AI Rush Enabled The Massive Fortibleed Campaign</h1>

<div>
    <h2>Executive Summary</h2>
    <ul>
        <li>Following <a href="https://www.hudsonrock.com/blog/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure" rel="noreferrer" target="_blank">Hudson Rock’s initial ethical disclosure of the FortiBleed campaign</a>, which exposed 75,000 compromised Fortinet firewalls, deeper analysis of the threat actor’s infrastructure gives a clear picture of how modern credential cracking is actually run.</li>
        <li>The attackers did not break any cipher: they cracked the administrator password hashes held in harvested configuration files by renting a large, decentralized GPU cluster through Vast.ai, weaponizing the hardware glut created by the GenAI industry.</li>
        <li>Running 36 enterprise class GPUs orchestrated through a Telegram bot, the operators commanded processing power previously associated with nation states, on the order of hundreds of billions of raw hashes per second.</li>
        <li>Beyond the hardware, the attackers relied heavily on AI assisted code editors and agentic pentesting frameworks to fully automate their network intrusions.</li>
        <li>Initial access to Fortinet devices has long been a commodity sold on underground cybercrime forums; this campaign scales that trade to an industrial level.</li>
    </ul>
</div>

<p>When Hudson Rock researchers first disclosed the <strong>FortiBleed</strong> campaign, the cybersecurity community was staggered by the sheer volume. Exposing valid credentials for nearly 75,000 internet facing Fortinet FortiGate firewalls across 21,632 domains was an unprecedented compromise of global enterprise gateways.</p>

<p>But beyond the raw numbers, the mechanics of <em>how</em> the threat actors processed this data reveal a profound shift in cybercrime. The cybersecurity industry is heavily focused on advanced GenAI malware and deepfakes while often ignoring a much more practical operational risk: <strong>the commoditization of supercomputer class infrastructure.</strong></p>

<h2>The AI Boom’s Double Edged Sword</h2>

<p>Historically, cracking passwords at scale, testing billions of candidate hashes per second, required building custom hardware arrays or investing tens of millions in supercomputers. Industrial scale cryptographic throughput of that kind was the exclusive domain of state sponsored intelligence agencies.</p>

<p>Today, a financially motivated Initial Access Broker with a credit card can simply rent that exact same capability by the hour.</p>

<p>Instead of building a password cracking server of their own, the FortiBleed attackers first harvested a massive trove of encrypted configuration files from exposed Fortinet devices, then turned to the decentralized cloud compute marketplace <strong>Vast.ai</strong> to rent raw, enterprise grade AI hardware by the hour.</p>

<img alt="Vast.ai GPU Rental Interface showing available high-end compute instances" src="https://www.infostealers.com/wp-content/uploads/2026/06/vastai1.png" />

<p>They spun up six high powered worker instances on demand, consisting of three instances with 4 GPUs each and three with 8 GPUs each. This created a distributed cluster of <strong>36 enterprise class GPUs</strong> managed entirely via a Telegram bot.</p>

<img alt="Vast.ai configuration panel for threat actor GPU instances" src="https://www.infostealers.com/wp-content/uploads/2026/06/vastai2.png" />

<p>By distributing parallel jobs through the open source cracking framework Hashtopolis, the attackers processed massive volumes of stolen hashes at a velocity that traditional security models simply fail to account for.</p>

<img alt="Login page to the Hashtopolis portal of the hacker's server" src="https://www.infostealers.com/wp-content/uploads/2026/06/hashtopolis.png" />
<div>Login page to the Hashtopolis portal of the hacker’s cracking server.</div>

<h2>An Entirely AI Driven Pipeline</h2>

<p>The reliance on the AI boom did not stop at the hardware. Analysis of the attacker infrastructure reveals that the threat actors utilized AI assisted code editors like Cursor to write the scripts and Telegram bots that managed their massive cracking cluster. Furthermore, once they obtained the plaintext passwords and pivoted into the internal networks, the operators utilized open source agentic penetration testing frameworks to automate their Active Directory enumeration.</p>

<p>This means the operators used AI to write their management code, AI pentesting frameworks to map the internal networks, and AI boom GPU clusters to crack the passwords. It is a highly optimized, fully modern intrusion pipeline.</p>

<h2>The Cryptographic Math: Billions of Hashes per Second</h2>

<p>To put this into perspective, consider the raw hash cracking velocity this rented cluster provided. GPUs excel at the highly parallel integer and bitwise arithmetic that hash functions are built from, which is why they dominate password cracking. At current market rates on Vast.ai, an RTX 4090 (a consumer card, but the workhorse of cracking rigs) rents for approximately $0.40 per hour, so the entire 36-GPU cluster cost the attackers roughly <strong>$14.40 per hour, or under $350 for a full day of operation</strong>, a trivial operational expense for the devastating access it provided.</p>

<ul>
    <li><strong>Legacy Fortinet Hashes (Salted SHA-256):</strong> For years, Fortinet used a custom salted SHA-256 construction. Scaling linearly across 36 modern GPUs (RTX 4090 class), the cluster can test on the order of 720 billion candidate hashes every second. At that rate an eight character password drawn from the full printable set (95<sup>8</sup>, about 6.6 × 10<sup>15</sup> candidates) is exhausted in under three hours, and dictionary and rule based attacks against human chosen passwords finish in minutes.</li>
    <li><strong>Modern Fortinet Hashes (PBKDF2):</strong> Newer FortiOS versions use PBKDF2, an iterated construction designed to slow down exactly this kind of GPU attack. Even with the algorithm working against the hardware, the distributed cluster still delivered a combined 180 million to 360 million hashes per second, a slowdown of roughly 2,000 to 4,000 times. That moves exhaustive search of long passwords out of reach, but still lets large dictionary and rule based attacks against weak or reused passwords complete in minutes to hours rather than years.</li>
</ul>
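<p>To make those figures concrete, here is an added worked example (not code from the article, from Hudson Rock or from the threat actor’s tooling) that turns the article’s own numbers, 36 GPUs at roughly $0.40 per GPU-hour, 720 billion hashes per second against the legacy format and 180 to 360 million per second against PBKDF2, into worst case exhaustion times and rental cost for a handful of password policies. The policies and the unit helpers are assumptions for illustration; everything else is the article’s figures.</p>

```python
"""Cracking economics for the rented cluster described in the article.

Added worked example, not code from the article or the threat actor. The GPU
count, the ~$0.40 per GPU-hour price and the aggregate hash rates are the
article's figures; the password policies are assumed for illustration.
Times are worst case (whole keyspace); on average success comes at half that.
"""

GPUS = 36
USD_PER_GPU_HOUR = 0.40                         # article's Vast.ai estimate
CLUSTER_USD_PER_HOUR = GPUS * USD_PER_GPU_HOUR  # 14.40

# Aggregate cluster rates quoted in the article, in hashes per second.
RATES_HPS = {
    "legacy salted SHA-256": 720e9,
    "PBKDF2 (low estimate)": 180e6,
    "PBKDF2 (high estimate)": 360e6,
}

# Assumed policies: (label, alphabet size, length). 26 = lowercase, 95 = printable ASCII.
POLICIES = [
    ("8 lowercase", 26, 8),
    ("8 printable", 95, 8),
    ("10 printable", 95, 10),
    ("12 printable", 95, 12),
    ("16 printable", 95, 16),
]

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search must try for a fixed-length policy."""
    return alphabet ** length


def seconds_to_exhaust(alphabet: int, length: int, rate_hps: float) -> float:
    """Worst-case wall-clock seconds to try the whole keyspace at rate_hps."""
    return keyspace(alphabet, length) / rate_hps


def cost_to_exhaust_usd(alphabet: int, length: int, rate_hps: float) -> float:
    """Rental cost of that worst-case run at the cluster's hourly price."""
    return seconds_to_exhaust(alphabet, length, rate_hps) / 3600 * CLUSTER_USD_PER_HOUR


def slowdown_factor(fast: str, slow: str) -> float:
    """How many times longer the slow hash family takes than the fast one."""
    return RATES_HPS[fast] / RATES_HPS[slow]


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("h", 3600), ("min", 60), ("s", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} s"


def crack_table() -> list:
    """One row per (policy, hash family): worst-case time and rental cost."""
    rows = []
    for label, alphabet, length in POLICIES:
        for family, rate in RATES_HPS.items():
            secs = seconds_to_exhaust(alphabet, length, rate)
            rows.append({
                "policy": label,
                "hash": family,
                "seconds": secs,
                "time": humanize(secs),
                "usd": cost_to_exhaust_usd(alphabet, length, rate),
            })
    return rows


if __name__ == "__main__":
    print(f"cluster: {GPUS} GPUs at ${USD_PER_GPU_HOUR:.2f}/h = ${CLUSTER_USD_PER_HOUR:.2f}/h")
    for row in crack_table():
        print(f"{row['policy']:<14} {row['hash']:<24} {row['time']:>16}  ${row['usd']:,.2f}")
```

<p>Run it and the table shows why the two hash rates matter so much: an eight character password from the full printable set is exhausted in under three hours, about $37 of rental, against the legacy hash, but takes months to over a year against PBKDF2, and anything twelve characters or longer is out of reach for brute force at either rate. That is also the caveat to any “cracked in minutes” claim: brute force only finishes quickly for short or low entropy passwords; what finishes in minutes in practice are dictionary and rule based attacks against human chosen passwords, which the raw rate does not capture.</p>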

<p>This is what nation state compute on a credit card looks like. The attackers ingested exported FortiOS configuration files, recovered the plaintext passwords of firewall administrators, and, once inside, deployed network sniffers that captured roughly 143,000 Kerberos and 33,000 NetNTLM hashes from authentication traffic to internal domain controllers, which were then fed to the same cluster.</p>
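<p>For an incident responder, the first practical question about the Kerberos and NetNTLM material mentioned above is which accounts it exposes. The following added example (not code from the article, from Hudson Rock or from the attackers) parses a dump in the line formats that hashcat consumes for NetNTLMv1, NetNTLMv2, Kerberos 5 TGS-REP (etype 23) and AS-REP (etype 23) material, classifies each line, and produces a deduplicated reset list, the service accounts whose SPNs were roasted, and the accounts that answered without pre-authentication. The sample dump, the domain names and every hex value in it are constructed for the example.</p>

```python
"""Triage a dump of captured NetNTLM / Kerberos hashes to find exposed accounts.

Added example for this article, not the attackers' or Hudson Rock's code.
Line formats are the ones hashcat consumes: -m 5500 (NetNTLMv1), -m 5600
(NetNTLMv2), -m 13100 (Kerberos 5 TGS-REP etype 23), -m 18200 (AS-REP etype 23).
The sample dump below is constructed; every hex value in it is a dummy.
"""
import re
from collections import Counter, defaultdict

HEX = r"[0-9a-fA-F]"

# One anchored regex per format; the fixed field widths keep them disjoint.
PATTERNS = {
    # user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
    "netntlmv2": re.compile(
        rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):{HEX}{{16}}:{HEX}{{32}}:{HEX}+$"),
    # user::domain:LM_response(48 hex):NT_response(48 hex):server_challenge(16 hex)
    "netntlmv1": re.compile(
        rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$"),
    # $krb5tgs$23$*user$realm$spn*$checksum(32 hex)$edata2(hex)
    "krb5tgs23": re.compile(
        rf"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<domain>[^$]+)\$(?P<spn>[^*]+)\*\$"
        rf"{HEX}{{32}}\${HEX}+$"),
    # $krb5asrep$23$user@realm:checksum(32 hex)$edata2(hex)
    "krb5asrep23": re.compile(
        rf"^\$krb5asrep\$23\$(?P<user>[^@]+)@(?P<domain>[^:]+):{HEX}{{32}}\${HEX}+$"),
}


def classify(line: str):
    """Return {kind, user, domain, spn} for one line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            return {
                "kind": kind,
                "user": m.group("user"),
                "domain": m.group("domain"),
                "spn": m.group("spn") if kind == "krb5tgs23" else None,
            }
    return {"kind": "unparsed", "user": None, "domain": None, "spn": None}


def triage(dump: str) -> dict:
    """Summarise a dump: per-format counts, reset list, roasted SPNs, AS-REP accounts."""
    counts = Counter()
    accounts = set()
    roasted = defaultdict(set)
    no_preauth = set()
    for raw in dump.splitlines():
        rec = classify(raw)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        if rec["user"] is None:
            continue
        # Dedup key DOMAIN\user: the same identity usually shows up in many captures.
        key = f"{rec['domain'].upper()}\\{rec['user'].lower()}"
        accounts.add(key)
        if rec["spn"]:
            roasted[key].add(rec["spn"])
        if rec["kind"] == "krb5asrep23":
            no_preauth.add(key)
    return {
        "counts": dict(counts),
        "reset_list": sorted(accounts),
        "kerberoastable": {k: sorted(v) for k, v in roasted.items()},
        "preauth_disabled": sorted(no_preauth),
    }


# Constructed sample dump (dummy hex, made-up accounts), not real captures.
SAMPLE_DUMP = "\n".join([
    "jsmith::CORP:1122334455667788:" + "a" * 32 + ":0101000000000000" + "00" * 8,
    "svc_backup::CORP:8877665544332211:" + "b" * 32 + ":0101000000000000" + "00" * 8,
    "jsmith::CORP:1122334455667788:" + "c" * 32 + ":0101000000000000" + "00" * 8,
    "admin::CORP:" + "a" * 48 + ":" + "b" * 48 + ":1122334455667788",
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local:1433*$" + "d" * 32 + "$" + "e" * 64,
    "$krb5asrep$23$legacyuser@CORP.LOCAL:" + "f" * 32 + "$" + "0" * 64,
    "not a hash line",
])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DUMP), indent=2))
```

<p>The dedup key is the point: one account often appears many times (jsmith above turns up in two captures), so line counts such as 143,000 and 33,000 overstate the number of identities that need a reset; the reset list is what the responder acts on. Mapping a NetBIOS domain name like CORP to the Kerberos realm CORP.LOCAL is left to the responder, so the two are kept as separate keys here.</p>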

<h2>The Irony of the GenAI Craze</h2>

<p>Renowned cybersecurity researcher Kevin Beaumont recently highlighted this exact dynamic in his own analysis of the FortiBleed infrastructure on DoublePulsar.</p>

<img alt="Snippet from Kevin Beaumont's blog on FortiBleed and GPU usage" src="https://www.infostealers.com/wp-content/uploads/2026/06/kevin-blog.png" />

<p>In <a href="https://doublepulsar.com/an-update-on-fortibleed-whats-happening-with-victim-orgs-c0671a50e7f4" rel="noreferrer" target="_blank">his update on the victim organizations</a>, Beaumont points out the dark irony of the current tech landscape:</p>

<blockquote>
    “This is a side impact of the drunk GenAI stupidity gripping organisations worldwide… Get a VISA card, rent by the hour and log in a few minutes later. All your irreversibly encrypted passwords aren’t looking so hot in the age of on demand compute at scale…<br /><br />
    Organisations are constantly worrying about Generative AI threats, but this incident has tens of thousands of organisations without even multi factor authentication set up… Generative AI craze has lowered the bar so Mr Bean can crack passwords quickly using his mum’s credit card. Thanks, Sam Altman.”
</blockquote>

<h2>The Commoditization of Initial Access</h2>

<p>While the scale of FortiBleed is unprecedented, the underlying business model is not new. Initial access to Fortinet servers has long been commoditized data, frequently packaged and sold on underground cybercrime forums. Threat actors operate in a highly structured economy where network compromise is treated as a volume business.</p>

<p>For instance, Initial Access Brokers like the Russian speaking threat actor “SantaAd” are regularly observed selling bulk access to compromised Fortinet devices to ransomware affiliates and other cybercriminals.</p>

<img alt="Threat actor SantaAd selling access to Fortinet devices on a Russian cybercrime forum" src="https://www.infostealers.com/wp-content/uploads/2026/06/santaad.png" />
<div>Threat actor SantaAd selling access to compromised Fortinet devices on a Russian cybercrime forum.</div>

<p>FortiBleed represents the weaponization of this exact business model. By pairing commoditized Initial Access Broker tactics with rented, enterprise grade AI hardware, the attackers industrialized the entire process from scanning to cracking to sales.</p>

<h2>Identity &amp; Infostealers: The Ultimate Perimeter Bypass</h2>

<p>From a practical security perspective, the FortiBleed campaign underscores a fundamental truth that we continually emphasize at Hudson Rock: <strong>Perimeter defenses are only effective if their authentication mechanisms are secure.</strong></p>

<p>Whether administrative credentials are systematically cracked from exfiltrated config files using rented GPUs, or harvested wholesale via Infostealer malware infections on employee devices, the end result is identical. Identity remains the ultimate objective.</p>

<p>When an attacker possesses a valid plaintext credential, traditional signature based network defenses become blind. The threat actors do not need to exploit a complex zero day vulnerability; they simply walk through the front door using valid, authorized accounts. The speed at which Initial Access Brokers operate today, treating network compromise as a high velocity volume business to sort and feed access downstream to ransomware groups, means organizations have zero margin for error.</p>


<div>
    <h2>🚨 Free Look-Up Tool for Affected Organizations</h2>
    <p>Because of the critical nature of this massive campaign, <a href="https://www.hudsonrock.com" rel="noreferrer" target="_blank">Hudson Rock</a> is committed to performing ethical disclosures for affected organizations.</p>
    <p>We have launched a dedicated portal where companies can verify if their domains are part of this compromised dataset. Following confirmation of impact, organizations can reach out directly through the tool to receive a full ethical disclosure regarding their exposure.</p>
    
    <a href="https://www.hudsonrock.com/fortinet" rel="noreferrer" target="_blank">Search Your Domain Now</a>
    
    <br />
    
    <a href="https://www.hudsonrock.com/fortinet" rel="noreferrer" target="_blank">
        <img alt="Hudson Rock Fortinet Free Look-Up Tool Homepage" src="https://www.infostealers.com/wp-content/uploads/2026/06/header.png" />
    </a>
    <p><small><em>The free Hudson Rock lookup portal for affected organizations.</em></small></p>

    <a href="https://www.hudsonrock.com/fortinet" rel="noreferrer" target="_blank">
        <img alt="Hudson Rock Fortinet Lookup Tool showing an example with Comcast" src="https://www.infostealers.com/wp-content/uploads/2026/06/comcast_example.png" />
    </a>
    <p><small><em>Example: Verifying if an organization like Comcast was compromised in the breach.</em></small></p>
</div>

The post Nation-State Level Compute Power From The AI Rush Enabled The Massive Fortibleed Campaign appeared first on InfoStealers.
