
AI-Powered Cyberattack Breaches Over 600 FortiGate Devices Globally

A sophisticated, AI-assisted cyberattack campaign has successfully compromised more than 600 FortiGate devices across 55 countries. The financially motivated threat actor, believed to be Russian-speaking, leveraged commercial generative AI tools to overcome technical limitations and scale their operations between January 11 and February 18, 2026. The attack did not exploit FortiGate vulnerabilities but rather targeted exposed management interfaces and weak, single-factor authentication credentials.

Key Takeaways

  • A financially motivated, Russian-speaking threat actor used AI to compromise over 600 FortiGate devices in 55 countries.

  • The attack exploited exposed management ports and weak credentials, not FortiGate vulnerabilities.

  • AI was used for tool development, attack planning, and command generation, lowering the entry barrier for cybercrime.

  • Post-exploitation activities included Active Directory compromise and targeting of backup infrastructure.

  • Recommendations focus on securing management interfaces, enforcing MFA, and credential hygiene.

The AI-Assisted Attack Methodology

The threat actor, described as having limited technical skills, utilized multiple commercial generative AI services to facilitate various stages of the attack lifecycle. This included developing custom tools, planning attack strategies, and generating commands. One AI tool served as the primary engine, while another acted as a fallback for network pivoting. This reliance on AI allowed a single individual or small group to achieve an operational scale previously requiring a larger, more skilled team.

Exploiting Fundamental Security Gaps

Instead of exploiting known vulnerabilities in FortiGate devices, the attackers systematically scanned for internet-exposed management interfaces on ports 443, 8443, 10443, and 4443. They then attempted to authenticate using commonly reused or weak credentials that lacked multi-factor authentication. This approach allowed them to gain access to sensitive configuration files, which contained SSL-VPN and administrative credentials, network topology information, and firewall policies.

Post-Exploitation and Targeting

Once access was established, the threat actor deployed AI-assisted scripts to parse and decrypt the stolen configuration data. Their post-exploitation activities were extensive, including compromising Active Directory environments through DCSync attacks, harvesting credentials, and targeting backup infrastructure, such as Veeam Backup & Replication servers. This suggests a potential prelude to ransomware deployment. The attackers demonstrated a pattern of moving to less secure targets when encountering hardened systems, indicating a preference for efficiency over persistence.

Geographic Spread and Impact

The campaign was sector-agnostic, indicating automated mass scanning for exposed appliances rather than deliberate targeting. Compromised device clusters were detected across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. The attackers also used infrastructure at IP addresses 212.11.64.250 and 185.196.11.225 for their scanning and exploitation operations.

Recommendations for Defense

Security experts strongly advise organizations to take immediate steps to mitigate such threats. Key recommendations include:

  • Removing FortiGate management interfaces from public internet exposure.

  • Enforcing strong, unique credentials with multi-factor authentication for all administrative and VPN access.

  • Regularly rotating SSL-VPN and administrative credentials.

  • Auditing Active Directory for suspicious activity, such as DCSync operations.

  • Hardening backup infrastructure and monitoring for unauthorized access attempts.

  • Ensuring all software is up-to-date and monitoring for unintended network exposure.
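As an added example (not code from the original article or any of its sources), the following Python script audits a FortiOS-style configuration export for the two weaknesses this campaign relied on: management services reachable on a WAN-facing interface, and administrator accounts with no trusted-host restriction or no second factor. It also reports the configured admin port so it can be compared against the ports the actor scanned. The sample configuration is constructed; the parser assumes the `config / edit / set / next / end` text layout of a FortiOS backup, and the attribute names `allowaccess`, `role`, `admin-sport`, `trusthostN` and `two-factor` are used as I understand that format, so confirm them against your own export before relying on the output.

```python
"""Audit a FortiOS-style config export for WAN-exposed management access and
weakly protected admin accounts.

Added example, not code from the article. The sample config is constructed;
the parser assumes the 'config / edit / set / next / end' layout of a FortiOS
text backup and the attribute names noted in the comments (assumptions).
"""
import sys
from typing import Dict, List

Entry = Dict[str, List[str]]
Config = Dict[str, Dict[str, Entry]]

# Services that expose a management login when listed under an interface's
# 'allowaccess' attribute (assumed FortiOS attribute name).
MGMT_SERVICES = {"https", "http", "ssh", "telnet"}
GLOBAL_ENTRY = "(global)"  # key for sections that have no 'edit' blocks

# Constructed sample: a WAN interface with HTTPS/SSH admin access enabled, the
# admin port moved to 8443 (one of the ports the campaign scanned), one admin
# account with no trusted hosts or second factor, and one hardened account.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 8443
    set admintimeout 5
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.5 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC placeholder
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set two-factor fortitoken
        set password ENC placeholder
    next
end
"""


def parse_fortios(text: str) -> Config:
    """Flatten the config into {section: {entry: {key: [values]}}}.

    A stack of [section, current entry] frames handles 'config' blocks nested
    inside an 'edit' block; 'set' lines go to the innermost frame.
    """
    sections: Config = {}
    stack: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append([line[len("config "):], GLOBAL_ENTRY])
            sections.setdefault(stack[-1][0], {})
        elif line.startswith("edit "):
            stack[-1][1] = line[len("edit "):].strip().strip('"')
        elif line == "next":
            stack[-1][1] = GLOBAL_ENTRY
        elif line == "end":
            stack.pop()
        elif line.startswith("set "):
            key, *values = line[len("set "):].split()
            section, entry = stack[-1]
            sections[section].setdefault(entry, {})[key] = [v.strip('"') for v in values]
    return sections


def audit(cfg: Config) -> List[str]:
    """Return findings: management services on WAN-role interfaces, and admin
    accounts lacking a trusthost restriction or a second factor."""
    findings: List[str] = []
    glob = cfg.get("system global", {}).get(GLOBAL_ENTRY, {})
    admin_port = glob.get("admin-sport", ["443"])[0]  # FortiOS default is 443
    for name, attrs in cfg.get("system interface", {}).items():
        if attrs.get("role", [""])[:1] != ["wan"]:  # 'role wan' assumed to mark WAN-facing
            continue
        exposed = sorted(MGMT_SERVICES & set(attrs.get("allowaccess", [])))
        if exposed:
            findings.append(f"interface {name}: management services {exposed} "
                            f"reachable from the WAN on admin port {admin_port}")
    for name, attrs in cfg.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(f"admin {name}: no trusthost restriction, login allowed from any source")
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: no second factor configured")
    return findings


def main(argv: List[str]) -> int:
    """Audit the file named in argv[1], or the constructed sample if none given."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_CONFIG
    findings = audit(parse_fortios(text))
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real backup with `python audit_fortios.py backup.conf`; a non-zero exit code means at least one finding, so it can sit in a scheduled job. Each finding maps directly to the first two recommendations above: remove management services from WAN-role interfaces (or restrict them to trusted hosts) and require a second factor on every administrator account.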

The trend of AI-augmented threat activity is expected to grow, making robust defensive fundamentals like patch management, credential hygiene, and network segmentation crucial for organizations.

Sources

  • AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries, The Hacker News.

  • AI-Assisted Attack Compromises 600 Fortinet FortiGate Firewalls Worldwide in Five-Week Campaign, Rescana.

  • Hackers Leveraging Multiple AI Services to Compromise 600+ FortiGate Devices, CybersecurityNews.

