Hudson Rock reported that attackers “actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis.” The GPU cluster was used to crack those hashes by testing enormous numbers of candidate plain-text passwords against them until the matching ones were identified. These recovered passwords allowed threat actors to move laterally and compromise Active Directory environments and other centralized authentication systems.

“This aggressive methodology has led to severe, real-world consequences,” Hudson Rock said. “Diachenko’s research confirmed full network compromises at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. Most alarmingly, this includes a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated by the group.”

Researcher Diachenko summarized the campaign plainly: “The scale is the sophistication.”

A Self-Improving Cracking System

The operation extended beyond raw compute power. Attackers ran a “feedback-driven, 12-level recursive system” rather than a single flat dictionary pass. Password candidates were drawn from custom dictionaries containing up to eight words, common keyboard patterns, and cracking rules — each looping back through successive stages. Successful guesses were fed back as seeds to generate additional candidates, meaning the cracking techniques grew more effective with every hit.
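The defensive counterpart to the candidate space described above is a password-policy screen that rejects any password that can be fully explained as dictionary words or keyboard walks glued together with digit runs, symbols, case changes and leetspeak. The following is an added illustration written for this article, not code from Hudson Rock, Diachenko or any product; the word lists and keyboard-walk list are small constructed samples, and a real deployment would load a large dictionary and a breached-password corpus in their place.

```python
import re  # kept for readers extending the token rules with regex patterns

# Constructed sample vocabularies (assumption: a real deployment loads much larger
# lists, including a breached-password corpus and a fuller keyboard-walk table).
COMMON_WORDS = {"summer", "winter", "password", "welcome", "admin", "company",
                "login", "secure", "remote", "office", "vpn"}
KEYBOARD_WALKS = {"qwerty", "qwertyuiop", "asdf", "asdfgh", "zxcv", "1qaz2wsx",
                  "1234", "12345", "123456", "abc", "abcd"}
VOCAB = COMMON_WORDS | KEYBOARD_WALKS

# Common substitution "rules" that cracking rulesets apply; mapping them back to
# letters lets a mangled token be recognised as its base word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
MAX_TOKEN = 16  # longest substring considered as a single token


def _token_kind(tok):
    """Classify a substring as a token of the candidate space, or None.

    A token is a vocabulary word / keyboard walk (possibly leetspeak-mangled),
    a short digit run such as a year or counter, or a single punctuation
    character used as a separator or suffix."""
    if tok in VOCAB or tok.translate(LEET) in VOCAB:
        return "word"
    if tok.isdigit() and len(tok) <= 4:
        return "digits"
    if len(tok) == 1 and not tok.isalnum():
        return "symbol"
    return None


def segment(password):
    """Dynamic-programming split of the password into the fewest tokens.

    Returns a list of (token, kind) pairs covering the whole (lower-cased)
    password, or None when some part of it cannot be explained by the
    candidate space at all."""
    s = password.lower()
    n = len(s)
    best = [None] * (n + 1)  # best[i] = cheapest segmentation of s[:i]
    best[0] = []
    for end in range(1, n + 1):
        for start in range(max(0, end - MAX_TOKEN), end):
            if best[start] is None:
                continue
            kind = _token_kind(s[start:end])
            if kind is None:
                continue
            cand = best[start] + [(s[start:end], kind)]
            if best[end] is None or len(cand) < len(best[end]):
                best[end] = cand
    return best[n]


def is_dictionary_composable(password, max_words=8):
    """True when the password lies inside the described candidate space: a
    concatenation of up to `max_words` dictionary words or keyboard walks,
    with optional digit runs, symbols, case changes and leetspeak.

    Such a password should be rejected by policy, because a feedback-driven
    GPU cracking pipeline of the kind described will reach it quickly."""
    seg = segment(password)
    if seg is None:
        return False
    words = sum(1 for _, kind in seg if kind == "word")
    return words <= max_words


if __name__ == "__main__":
    for pw in ["Summer2024!", "P@ssw0rd123", "Welcome1qaz2wsx", "Tk9#vLq2$wRz"]:
        print(f"{pw!r:20} composable={is_dictionary_composable(pw)} tokens={segment(pw)}")
```

The check is deliberately generous to the attacker's model: any segmentation into known tokens counts, so a password that passes it is one the described dictionary-plus-rules pipeline could only reach by brute force. Pair this with length requirements, MFA on the VPN, and breached-password screening rather than relying on it alone.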

“They were quite innovative on that,” Diachenko said.

That innovation stands in sharp contrast to the group’s operational security. The attackers left identifiable artifacts on the server they used — a mistake widely regarded as amateurish in security circles.

Scope and Affected Organizations

Hudson Rock identified the top countries where compromised devices were found as India, the US, Taiwan, Mexico, Turkey, and Thailand. The most heavily affected industries included IT services, construction materials, telecommunications, construction and engineering, industrial equipment, and financial services.

Organizations whose data appeared in the database included Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture. Hudson Rock noted that thousands of additional entities were listed, including major government agencies and critical infrastructure providers.

Why Firewalls Remain a Prime Target

Firewalls have long been a favored network entry point for attackers. These devices accept inbound connections from the public internet, sit at the network perimeter, and provide pathways to sensitive internal resources.

Fortinet firewall users should review the available guidance on securing their devices. Given that the exposed data has been accessible to cybercriminals — and potentially to other threat actors who, like Diachenko, independently discovered it — the risk to affected organizations remains substantial.