AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries
Russian Hackers Leverage AI to Breach 600+ FortiGate Devices in 55 Countries — Here’s What You Need to Know
In a groundbreaking revelation, cybersecurity researchers at Amazon Threat Intelligence have uncovered a large-scale cyber campaign where a financially motivated Russian-speaking threat actor exploited generative AI tools to compromise over 600 FortiGate devices across 55 countries. The campaign, active between January 11 and February 18, 2026, highlights a new era of cybercrime where AI bridges the gap between limited technical skills and large-scale operational success.
Unlike traditional attacks that exploit software vulnerabilities, this campaign succeeded by targeting exposed management ports and weak credentials on FortiGate appliances. The attackers, described as having limited technical capabilities, relied heavily on commercial generative AI tools to plan, develop, and execute their attacks. These AI tools assisted in everything from crafting attack strategies to generating commands, effectively turning an unsophisticated actor into a formidable threat.
Amazon’s Chief Information Security Officer, CJ Moses, emphasized that this operation represents a shift in the cybercrime landscape. “This is an AI-powered assembly line for cybercrime,” Moses stated, noting that the attackers achieved a scale of operation that would have previously required a much larger and more skilled team.
The attackers’ modus operandi involved systematically scanning FortiGate management interfaces exposed to the internet across multiple ports (443, 8443, 10443, and 4443). They then attempted to authenticate using commonly reused credentials. Once inside, they extracted full device configurations, including credentials, network topology, and device settings, enabling deeper network infiltration.
The stolen data was used to conduct post-exploitation activities such as reconnaissance, Active Directory compromise, credential harvesting, and targeting backup infrastructure—classic precursors to ransomware attacks. The campaign was sector-agnostic, indicating automated mass scanning for vulnerable appliances, with scans originating from IP address 212.11.64.250.
Amazon’s investigation revealed that the attackers deployed custom reconnaissance tools, with versions written in both Go and Python. Analysis of the source code showed clear indicators of AI-assisted development, including redundant comments, simplistic architecture, and naive JSON parsing via string matching rather than proper deserialization.
Following the reconnaissance phase, the attackers pursued several high-impact actions:
- Achieved domain compromise via DCSync attacks.
- Moved laterally across the network using pass-the-hash/pass-the-ticket attacks, NTLM relay attacks, and remote command execution on Windows hosts.
- Targeted Veeam Backup & Replication servers to deploy credential harvesting tools and exploit known vulnerabilities (CVE-2023-27532 and CVE-2024-40711).
Interestingly, the attackers often abandoned targets that employed sophisticated security controls, opting instead for softer victims. This strategy underscores the use of AI as a tool to bridge skill gaps and identify easy pickings.
Amazon identified publicly accessible infrastructure managed by the attackers, hosting AI-generated attack plans, victim configurations, and source code for custom tooling. This infrastructure served as the backbone of their “AI-powered assembly line for cybercrime.”
The compromised clusters were detected across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, highlighting the global reach of this campaign.
As Fortinet appliances become increasingly attractive targets for threat actors, Amazon urges organizations to take immediate action:
- Ensure management interfaces are not exposed to the internet.
- Change default and common credentials.
- Rotate SSL-VPN user credentials.
- Implement multi-factor authentication for administrative and VPN access.
- Audit for unauthorized administrative accounts or connections.
- Isolate backup servers from general network access.
- Keep all software up to date.
- Monitor for unintended network exposure.
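One way to check an exported FortiGate configuration for the two entry points this campaign relied on (an internet-facing management interface, and administrator accounts with no source restriction or second factor). This is an added example, not Amazon's or Fortinet's code; it assumes the standard FortiOS CLI export syntax (config / edit / set / next / end), and the sample configuration is constructed.

```python
# Added example (not Amazon's or Fortinet's code); FortiOS CLI syntax assumed, sample constructed.
import shlex
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "svc-backup"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {"config <table>": {entry: {key: [values]}}}."""
    root = {}
    stack, section, entry = [], None, root   # table-level settings live under entry ""
    for tok in filter(None, (shlex.split(l) for l in text.splitlines())):
        cmd, args = tok[0], tok[1:]
        if cmd == "config":                  # nested tables push the enclosing scope
            stack.append((section, entry))
            section = entry.setdefault("config " + " ".join(args), {})
            entry = section.setdefault("", {})
        elif cmd == "edit":
            entry = section.setdefault(args[0], {})
        elif cmd == "set":                   # 'next', 'unset' and comments fall through
            entry[args[0]] = args[1:]
        elif cmd == "end":
            section, entry = stack.pop()
    return root

def audit(cfg):
    """Flag admin web UI on WAN-role interfaces, admins without trusthost (default: any), no two-factor."""
    out = []
    for name, ifc in cfg.get("config system interface", {}).items():
        if ifc.get("role") == ["wan"] and {"http", "https"} & set(ifc.get("allowaccess", [])):
            out.append(f"interface {name}: admin web UI allowed on WAN-role interface")
    for name, adm in ((n, a) for n, a in cfg.get("config system admin", {}).items() if n):
        hosts = [v for k, v in adm.items() if k.startswith("trusthost")]
        if not hosts or ["0.0.0.0", "0.0.0.0"] in [h[:2] for h in hosts]:
            out.append(f"admin {name}: no trusthost restriction (login allowed from any source)")
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            out.append(f"admin {name}: no two-factor authentication")
    return out
```

Run `audit(parse_fortios(open("fgt-backup.conf").read()))` against a real CLI backup to get the list of findings; an empty list means none of the three checks fired.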
Moses warned that as AI-augmented threat activity continues to grow in 2026, organizations must prioritize strong defensive fundamentals, including patch management, credential hygiene, network segmentation, and robust detection for post-exploitation indicators.
This campaign serves as a stark reminder that the democratization of AI tools is lowering the barrier to entry for cybercrime, enabling even technically challenged actors to execute large-scale attacks. As the threat landscape evolves, staying ahead of these AI-driven threats will require vigilance, innovation, and a commitment to cybersecurity best practices.
Tags: AI-powered cybercrime, FortiGate breach, Russian hackers, generative AI, cybersecurity threats, ransomware, Active Directory compromise, network infiltration, threat intelligence, Amazon Web Services, DCSync attacks, Veeam vulnerabilities, multi-factor authentication, patch management, credential hygiene.