A surge of brute-force authentication attacks targeted network devices during the first quarter of 2026, with the vast majority of threat activity coming from the Middle East, according to a report released Tuesday by Barracuda.
Almost 90% of the brute-force attacks originated from various Middle East locations, and the leading targets were SonicWall and Fortinet FortiGate devices, according to Barracuda researchers. These attacks accounted for more than half of all the threat activity tracked by Barracuda between February and March.
“These attacks were identified based on the geo-location of the IPs involved, nearly all originating from the Middle East,” Anthony Fusco, manager of cybersecurity analysts at Barracuda, told Cybersecurity Dive.
Fusco noted that IP addresses alone are not considered a reliable indicator, but said it was “safe to assume” that a combination of state-linked and professional groups was involved. Opportunistic groups were also likely involved.
Hackers have been aggressively scanning perimeter devices for weak or exposed credentials, according to the blog post.
The surge in brute-force activity coincided with increased targeting from Iran-nexus groups after the U.S. and Israel launched a bombing campaign in late February. U.S. authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency, warned last week that Iran-linked hackers have targeted water, energy and other critical infrastructure sites in the U.S.
Barracuda researchers could not explicitly link the surge in threat activity to the war, but the timeline overlaps with increased tension in the region.
Security teams should enforce the use of multifactor authentication on firewalls and VPNs and use complex passwords, according to Barracuda. Organizations should also monitor for repeated failed login attempts.
The focus on SonicWall and Fortinet is not unexpected, according to researchers. These devices are considered “high-value targets for initial access,” as they sit at the edge of remote access.
In late summer 2025, SonicWall customers were hit by a wave of brute-force attacks against the MySonicWall cloud backup service. Those attacks were linked to a state-sponsored threat actor.
FortiGate appliances have been targeted in recent months by hackers using malicious single sign-on logins, according to researchers at Arctic Wolf.