Everything you need to know about the Fortinet data breach
Fortinet claims there is no evidence of malicious activity targeting customers in the wake of the breach


A Ukrainian-linked threat group has leaked 440 GB of data belonging to Fortinet on a popular hacking forum after ransom negotiations broke down.
On 12 September, a group operating under the provocative name ‘Fortibitch’ leaked the data cache, which is believed to have been exfiltrated from the company’s Microsoft Azure SharePoint server.
The group released credentials to an S3 storage bucket on the underground breach forum, where it claimed other cyber criminals would be able to access the stolen data.
The threat actor’s listing noted it had attempted to negotiate a ransom for the stolen information with Fortinet’s leadership, but after talks stalled it decided to leak the dataset.
It accused Fortinet of failing to file an SEC form 8-K, in which firms in the US are required to disclose major cyber incidents.
Fortinet acknowledged the incident in a statement released on 12 September, confirming there was unauthorized access to a third-party storage drive.
“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers.”
According to the dark web listing, the leaked data is said to include employee resources, finance documents, HR documents from India, product offerings, US sales data, as well as professional services and marketing documents.
Fortinet customers could be affected, but stolen information not ‘critical’
Fortinet did not confirm exactly how many customers were impacted, but based on the figure provided in its statement this could number in the tens of thousands.
The firm noted that there was no evidence the incident had resulted in any malicious activity affecting those customers, however.
It added that the company’s operations, products, and services were not impacted, largely due to the limited nature of the access gained by the threat group.
“We have not experienced, and do not currently believe that the incident is reasonably likely to have a material impact to our financial condition or operating results,” the company said in an advisory.
Fortinet immediately engaged an external forensics specialist to verify its own findings, confirming the incident did not involve any data encryption, deployment of ransomware, or access to the firm’s corporate network.
Reporting on the incident, threat intelligence firm CloudSEK stated with “medium confidence” that the Fortibitch group is based in Ukraine.
This appears to be due to references to the Ukrainian cyber gang DC804 in its Breach Forums post, although CloudSEK admitted no direct connection has been established between the two entities.
It added that Fortinet’s claims that the information was not critical are likely to be true: if it were critical, the group would likely have tried to sell the data rather than simply release it to the public.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.