Full Report
On January 14th, 2025, Belsen Group emerged on the underground forum Breach Forums, publishing a dump of sensitive data extracted from vulnerable Fortinet FortiGate devices. Since then, they have expanded their malicious activities into acting as initial access brokers. Who are they and what do we know about them? In this blog we’ll give you […] The post Belsen Group: Analyzing a new and ambitious threat group appeared first on Outpost24.
Analysis Summary
# Threat Actor: Belsen Group
## Attribution & Identity
- **Identification:** Newly emerged threat actor active since at least January 2025.
- **Known Aliases and Associated Groups:** No aliases or affiliated groups are named; the actor operates across underground forums (Breach Forums) and public/social media platforms (X/Twitter, Telegram).
## Activity Summary
Belsen Group initially focused on exploiting vulnerabilities in Fortinet FortiGate devices to extract and publicly release sensitive network data. This first phase (January 2025) was about establishing credibility and notoriety: the group freely distributed data taken from over 15,000 compromised firewalls. By late January 2025, the actor shifted to monetizing that access by selling the stolen configuration data. In early February 2025, Belsen Group expanded operations to act as an Initial Access Broker (IAB), selling network access to high-profile victims, including a major bank in East Asia and an airline in East Africa.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of known, and possibly old, vulnerabilities in Internet-facing network perimeter devices to steal configurations and credentials.
- **Specific Activity:** Extraction of sensitive data (plaintext VPN credentials, full device configurations, IP addresses) from compromised Fortinet FortiGate devices.
- **Potential Exploited Vulnerability:** **CVE-2022-40684**, an authentication bypass in the FortiOS administrative interface that was exploited in the wild as a zero-day in late 2022. Attribution of the leaked dataset to this flaw is probable, not confirmed.
- **Monetization Tactics:** Free data distribution (for notoriety) -> Selling configuration data -> Selling direct network access (IAB).
## Targeting
- **Sectors:** Finance (including a major bank), Technology, Defense, Air Transport/Aviation.
- **Geography:** Global reach, with the leaked data organized by country; the network access sales specifically targeted a major bank in East Asia and an airline in East Africa.
- **Victims:** Over 15,000 Fortinet FortiGate devices compromised initially, affecting users in 145 different countries.
## Tools & Infrastructure
- **Malware Families Used:** None identified; the group's primary "tool" is exploitation of existing vulnerabilities in the devices themselves.
- **Infrastructure (C2, domains, IPs):**
- Communication via X (formerly Twitter), Telegram, and dark web forums (e.g., Breach Forums).
- Operated a proprietary dark web site for data sales and announcements.
- Sales transactions handled via Telegram instructions.
- No specific C2 IPs or domains are provided in the source text, only platforms used for communication/sales.
## Implications
Belsen Group represents a highly ambitious and rapidly evolving emerging threat for 2025. Their quick transition from freely leaking stolen configuration data to a transactional Initial Access Broker model targeting high-value sectors (banking, defense) significantly raises their threat level. Organizations relying on unpatched or misconfigured Fortinet devices remain at high risk of initial compromise, and that compromise is now something the group sells on to other attackers.
## Mitigations
- Immediate patching and rigorous monitoring of Fortinet FortiGate devices, specifically reviewing exposure related to **CVE-2022-40684** and similar authentication bypass vulnerabilities. Patching does not invalidate credentials already taken from a configuration dump, so any device that was exposed before it was patched should also have its VPN and admin credentials rotated.
- Organizations operating Internet-facing perimeter devices (especially firewalls/VPNs) should conduct vulnerability scans and ensure login interfaces are not publicly exposed if not strictly necessary.
- Monitor underground forums and social media platforms (X, Telegram) for early indicators of data leaks or access sales mentioning the group.
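The two configuration-level checks the mitigations above call for (management or VPN login services reachable on public interfaces, and local user credentials stored as literal passwords) can be audited offline from a FortiOS configuration export. The script below is an added example written for this page; it is not Outpost24's code and not a Fortinet tool. It relies on the documented FortiOS CLI block syntax (`config` / `edit` / `set` / `next` / `end`); the sample export, the interface names, the user names and the password values are constructed for illustration, and the `203.0.113.10` address (a documentation range) stands in for a routable public IP.

```python
"""Audit a FortiOS configuration export for exposed login services and
literal passwords. Added example, not part of the original post."""
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample export (not from any real device): a public-facing
# interface with admin services enabled, an internal one, and two local
# users, one with an ENC-encoded password and one with a literal password.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
    next
end
config user local
    edit "vpnuser1"
        set type password
        set passwd ENC AAAAExampleCiphertextOnly==
    next
    edit "vpnuser2"
        set type password
        set passwd Winter2025!
    next
end
"""

# Services in 'allowaccess' that present a login surface. 'fgfm' and 'ping'
# are deliberately excluded; they are not interactive logins.
MGMT_SERVICES = {"https", "http", "ssh", "telnet"}

# Ranges treated as internal. Everything else is assumed reachable from the
# Internet; documentation ranges are intentionally NOT listed here so that the
# constructed sample above is flagged like a real public address would be.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> Config:
    """Parse FortiOS CLI blocks into {section: {entry: {key: [values]}}}.

    'section' is the space-joined path of enclosing 'config' names, 'entry'
    is the innermost 'edit' name ('' for settings directly under a config).
    """
    sections: Config = {}
    stack = []  # ("config", name) or ("edit", name), innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # handles the quoted names FortiOS emits
        kw = tok[0]
        if kw == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif kw == "edit":
            stack.append(("edit", tok[1] if len(tok) > 1 else ""))
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
        elif kw == "set" and len(tok) >= 2:
            section = "/".join(n for k, n in stack if k == "config")
            entry = next((n for k, n in reversed(stack) if k == "edit"), "")
            sections.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
        # 'unset', 'append' and similar keywords are not needed for this audit
    return sections


def is_internal(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def exposed_interfaces(cfg: Config):
    """Interfaces with a non-internal IP that allow a login service."""
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        ip = attrs.get("ip", [])
        services = set(attrs.get("allowaccess", [])) & MGMT_SERVICES
        if ip and not is_internal(ip[0]) and services:
            findings.append((name, ip[0], sorted(services)))
    return findings


def plaintext_credentials(cfg: Config) -> List[str]:
    """Local users whose 'passwd' lacks the ENC marker FortiOS uses for stored
    secrets; anything else is the literal password in the export."""
    return [user for user, attrs in cfg.get("user local", {}).items()
            if attrs.get("passwd") and attrs["passwd"][0] != "ENC"]


def audit(config_text: str) -> List[str]:
    cfg = parse_fortios(config_text)
    report = []
    for name, ip, svcs in exposed_interfaces(cfg):
        report.append(f"[HIGH] interface {name} ({ip}) allows {','.join(svcs)} "
                      "from outside; remove it from allowaccess or restrict it "
                      "with a local-in policy")
    for user in plaintext_credentials(cfg):
        report.append(f"[HIGH] local user {user} has a literal password in the "
                      "export; rotate it")
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real `show full-configuration` export (or a backup file) instead of `SAMPLE_CONFIG`. An ENC-encoded value is still sensitive in a leaked export, so a clean result from `plaintext_credentials` does not remove the need to rotate credentials on a device that was exposed; the check only separates the worst case (literal passwords) from the merely bad one.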