ACCORDING to Amazon Threat Intelligence, a Russian-speaking, financially motivated threat actor used commercial generative AI services to compromise over 600 FortiGate devices across 55 countries between 11 January and 18 February 2026. The campaign did not rely on FortiGate vulnerabilities but succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, with AI enabling multiple phases of the attack cycle.
The actor, described as having limited technical capabilities, used several AI tools to develop tooling, plan the attack, and generate commands, with one primary AI tool and a secondary fallback for pivoting within compromised networks. Amazon’s findings indicate the group extracted complete credential databases, breached multiple organisations’ Active Directory environments, and targeted backup infrastructure, likely in preparation for ransomware deployment.
The operation involved systematic scanning of FortiGate management interfaces on ports 443, 8443, 10443 and 4443 from an exposed IP address, with data showing compromises across clustered devices in several regions. The report notes that Fortinet appliances are an increasingly attractive target and urges organisations to avoid exposing management interfaces to the internet, rotate credentials, implement multi-factor authentication for admin and VPN access, isolate backup servers, and maintain up-to-date software.
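As an added illustration of the detection side of the report's advice (this is example code, not from Amazon or Fortinet), the following Python flags the brute-force-then-success pattern against admin accounts on the management ports named above. The key=value log layout, the sample events and the internal address ranges are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Management ports named in the report. The key=value log layout and the
# internal address ranges below are assumptions for this example, not data
# from the report.
MGMT_PORTS = {443, 8443, 10443, 4443}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD = 3

# Constructed sample events: three admin failures then a success from an
# external source on 10443, plus benign internal activity on 443.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 type=event action=login status=failed user=admin srcip=198.51.100.7 dstport=10443
date=2026-01-12 time=03:14:03 type=event action=login status=failed user=admin srcip=198.51.100.7 dstport=10443
date=2026-01-12 time=03:14:06 type=event action=login status=failed user=admin srcip=198.51.100.7 dstport=10443
date=2026-01-12 time=03:14:09 type=event action=login status=success user=admin srcip=198.51.100.7 dstport=10443
date=2026-01-12 time=08:02:11 type=event action=login status=success user=netops srcip=10.0.5.20 dstport=443
date=2026-01-12 time=08:05:40 type=event action=login status=failed user=netops srcip=10.0.5.20 dstport=443
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """One key=value event line -> dict, with quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def is_external(ip):
    """True when the source lies outside the assumed internal ranges."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_mgmt_compromises(log_text, threshold=FAIL_THRESHOLD):
    """Flag a (source, user) that fails >= threshold logins on a management
    port and then succeeds: the brute-force-then-login pattern against
    single-factor admin accounts that the report describes."""
    fails, findings = defaultdict(int), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or int(ev.get("dstport", 0)) not in MGMT_PORTS:
            continue
        key = (ev["srcip"], ev["user"])
        if ev["status"] == "failed":
            fails[key] += 1
        elif ev["status"] == "success" and fails[key] >= threshold:
            findings.append({"srcip": ev["srcip"], "user": ev["user"], "dstport": int(ev["dstport"]),
                             "failed_before": fails[key], "from_internet": is_external(ev["srcip"]),
                             "at": f'{ev["date"]} {ev["time"]}'})
            fails[key] = 0  # reset so a later run is counted separately
    return findings
```

Run `find_mgmt_compromises(SAMPLE_LOGS)` to get one finding for the admin account; a `from_internet` value of True on a management port is the exposure the report tells organisations to remove.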