The NCSC (the UK National Cyber Security Centre) and CISA both issued alerts on 18 June after a database of 86,644 Fortinet FortiGate firewall credentials, spanning 194 countries, surfaced in the criminal underground 1. The attackers used no zero-day. The operation, dubbed FortiBleed, harvested credentials from earlier Fortinet incidents and intercepted traffic on already-compromised devices, running since at least February 2. The discoverer, Ukrainian researcher Volodymyr Diachenko, dated his finding to 13 June 3.
What the dataset carries matters more than its scale. It logs organisation revenue bands, employee counts, and sector tags, the profiling a ransomware crew would otherwise spend weeks assembling, and it had not been dumped on any dark-web forum as of mid-June 4. A 45-GPU cracking rig threw roughly 1.16 billion authentication attempts at 320,000 targets 5. The revenue bands and sector tags give the operation away: an encryption crew does not need that metadata to lock files, but an intelligence operation needs it to prioritise. The attribution points to a Russian-speaking group with NATO-weighted targeting, and the decision to hold the data privately rather than sell it reads as preparation, not opportunism. That is the Volt Typhoon posture, the Chinese state-linked pre-positioning in US infrastructure: acquire access now, use it at a moment of the operator's choosing.
Edge devices keep opening the door. Check Point's VPN concentrator ran exploited for a month before its patch landed , and the FIRESTARTER Cisco implant survived every firewall patch thrown at it . The firewall is no longer only the way in; it is also the credential store. A leak with no exploit at all still earned two government alerts in a single day, because the harvested logins open the same doors a zero-day would, quietly and at national scale.
