Fortinet Hacks Led To 20,000 FortiGate Devices Breached: Report

The attacks, carried out by a China-linked hacking group in 2022 and 2023, exploited a zero-day vulnerability, according to the Dutch military intelligence service.

Attacks by a China-linked hacking group in 2022 and 2023 led to the compromise of at least 20,000 Fortinet FortiGate devices, according to the Dutch military intelligence service.

The service posted the disclosure online, and multiple media outlets reported on it Tuesday.


According to a translation of the posting and a report by BleepingComputer, the Netherlands’ Military Intelligence and Security Service (MIVD) found that an espionage campaign by a China-affiliated threat actor breached at least 20,000 FortiGate firewalls worldwide within several months during 2022 and 2023.

The findings suggest that the campaign — which exploited a zero-day vulnerability in FortiOS and FortiProxy software — was significantly more widespread than previously believed, the MIVD disclosed, according to the translation and BleepingComputer.

During the campaign, 14,000 devices were compromised in the two months before Fortinet disclosed the remote code execution (RCE) vulnerability in December 2022, according to the MIVD. Because those devices were breached before a fix existed, applying the patch afterward closes the hole but does not by itself remove anything an attacker had already installed on them. Western governments, defense industry companies and international organizations were among those targeted, the agency found.

CRN has reached out to Fortinet for comment.

The RCE vulnerability reportedly exploited in the campaign is tracked as CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN daemon that lets an unauthenticated remote attacker execute code on the device. Earlier this year the flaw was associated with attacks by China-linked threat group Volt Typhoon. U.S. agencies said in February that Volt Typhoon has been known to obtain initial access to critical infrastructure IT systems by exploiting network appliances from a number of vendors, including Fortinet.

In one example of a “confirmed compromise” shared by the U.S. agencies, Volt Typhoon “likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched,” the agencies said at the time.

Fortinet released a blog post in February that pointed to “the need for organizations to have a robust patch management program in place and to follow best practices to ensure a secure infrastructure.”

“We continue to urge customers to exercise timely patching practices and continued monitoring of their networks for unusual activity to help mitigate cyber risk,” Fortinet said in a statement provided to CRN in February.