While cybersecurity experts were busy patching last year’s vulnerabilities, two hacking groups quietly emerged from Yemen with an appetite for corporate data.
The Belsen Group burst onto the scene in January 2025, immediately flexing their muscles by leaking 1.6 GB of data from over 15,000 FortiGate devices. Not exactly subtle. They exploited CVE-2022-40684 in FortiOS and, in a classic “first taste is free” move, shared the data gratis to build street cred before shifting to selling network access. The group established a strong online presence with accounts on Tox, XMPP, Telegram, and other platforms to maintain communication with potential buyers.
The Belsen Group didn’t just enter—they kicked down the door, announcing themselves with 15,000 compromised devices and zero subtlety.
Meanwhile, ZeroSevenGroup has been lurking around since July 2024. They’ve been busy too, targeting companies across Poland, Israel, the USA, the UAE, Russia, and Brazil. They even claimed to have breached Toyota’s US branch. Ambitious folks. They’ve also managed to tick off the Medusa ransomware group, who accused them of scamming. Honor among thieves? Not so much.
The similarities between these groups are striking. Like, suspiciously striking. Both sell network access, write in the same style, and use identical “[ Access ] To…” title formats. They both claim Yemen origins and incorporate “group” into their usernames. Coincidence? KELA doesn’t think so.
Their exploitation techniques aren’t exactly revolutionary. Belsen hammered FortiGate firewalls while ZeroSevenGroup broke into multiple corporate databases. The results, however, are devastating. These attacks demonstrate why multi-factor authentication has become essential for protecting sensitive systems from unauthorized access.
The leak of 15,000+ FortiGate configurations exposed VPN credentials and firewall rules affecting government, healthcare, and financial sectors globally. Countries hit hardest include the US, UK, Poland, and Belgium. The most significant concentration of compromised devices was identified in Mexico and Thailand, creating particular concern for organizations in these regions.
The aftermath? A global scramble to update credentials, reconfigure firewalls, and rotate compromised certificates.
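In practice that scramble starts with an inventory: which objects in the exposed configuration carry a credential that must be rotated, and which rules are now known to an attacker and deserve review. The script below is an added example, not code from KELA or from the original post. Its sample configuration is constructed to mimic FortiOS syntax (the setting names `password`, `passwd`, `psksecret` and `private-key` are assumptions about that syntax) and contains no data from the leak.

```python
"""Triage an exposed FortiGate-style configuration: list every secret that must
be rotated and every firewall rule worth reviewing after a config leak."""
from dataclasses import dataclass

# Settings whose values are credentials, mapped to the remediation each needs.
# Key names follow FortiOS conventions as far as known; treat them as assumptions.
SECRET_KEYS = {
    "password": "rotate the administrator password",
    "passwd": "rotate the user password (and wherever it was reused)",
    "psksecret": "change the IPsec pre-shared key on both peers",
    "private-key": "revoke the certificate and reissue it with a new key",
}

# Constructed sample in FortiOS-like syntax; values are placeholders, not leak data.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC PLACEHOLDER
    next
end
config user local
    edit "vpnuser1"
        set type password
        set passwd ENC PLACEHOLDER
    next
    edit "vpnuser2"
        set type password
        set passwd ENC PLACEHOLDER
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set psksecret ENC PLACEHOLDER
    next
end
config vpn certificate local
    edit "vpn-server-cert"
        set private-key "PLACEHOLDER"
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""


@dataclass(frozen=True)
class Finding:
    section: str  # config section, e.g. "user local"
    name: str     # object name from the edit block
    key: str      # setting that triggered the finding
    action: str   # what the defender has to do about it


def parse_config(text: str) -> list[Finding]:
    """Walk config/edit/set/next/end blocks and collect findings."""
    findings: list[Finding] = []
    stack: list[dict] = []  # one frame per open "config" block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append({"section": line[7:], "name": None, "settings": {}})
        elif line.startswith("edit "):
            stack[-1]["name"] = line[5:].strip('"')
            stack[-1]["settings"] = {}
        elif line.startswith("set "):
            frame = stack[-1]
            parts = line.split(None, 2)
            key = parts[1]
            value = parts[2].strip('"') if len(parts) > 2 else ""
            frame["settings"][key] = value
            if key in SECRET_KEYS:
                findings.append(Finding(frame["section"], frame["name"] or "",
                                        key, SECRET_KEYS[key]))
        elif line == "next":
            frame = stack[-1]
            s = frame["settings"]
            # An any-to-any accept rule is not a secret, but once the ruleset is
            # public it is the first thing to tighten.
            if (frame["section"] == "firewall policy" and s.get("action") == "accept"
                    and s.get("srcaddr") == "all" and s.get("dstaddr") == "all"):
                findings.append(Finding(frame["section"], frame["name"] or "", "policy",
                                        "review any-to-any accept rule now known to attackers"))
            frame["name"] = None
            frame["settings"] = {}
        elif line == "end":
            stack.pop()
    return findings


def rotation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group affected objects by required action, ready for a ticket per action."""
    plan: dict[str, list[str]] = {}
    for f in findings:
        plan.setdefault(f.action, []).append(f"{f.section}/{f.name}")
    return plan


if __name__ == "__main__":
    for action, objects in rotation_plan(parse_config(SAMPLE_CONFIG)).items():
        print(f"{action}: {', '.join(objects)}")
```

Run against a real configuration backup, the same walk gives the complete list of objects to rotate before the device is put back in service; rerunning it on the post-rotation export and diffing the encrypted values confirms nothing was missed.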
Are these groups working together? Probably. The evidence points to either direct collaboration or a shared template for their operations.
Either way, they’ve successfully carved out their niche in cybercrime’s ecosystem. And while security teams worldwide panic and patch, these groups are likely already eyeing their next target. Business as usual in the digital underworld.