AI-augmented threat actor accesses FortiGate devices at scale
A Russian-speaking cybercrime group compromised over 600 FortiGate devices across 55 countries between January 11 and February 18, 2026, using commercial AI services to automate and scale their attacks[1]. Rather than exploiting vulnerabilities, the group targeted exposed management ports and weak credentials, using AI tools like DeepSeek and Claude to generate attack plans, develop tools, and orchestrate operations[2].
The threat actor, despite limited technical skills, leveraged AI to:
- Extract device configurations and credentials
- Compromise Active Directory environments
- Target backup infrastructure
- Generate comprehensive attack methodologies
- Develop custom reconnaissance tools
“This campaign succeeded through a combination of exposed management interfaces, weak credentials, and single-factor authentication—all fundamental security gaps that AI helped an unsophisticated actor exploit at scale,” said CJ Moses, Amazon’s CISO[3].
When encountering hardened security measures, the group simply moved to easier targets rather than attempting sophisticated exploitation, demonstrating their reliance on AI-augmented efficiency rather than technical expertise[4].
1. Amazon Web Services - AI-augmented threat actor accesses FortiGate devices at scale
2. Amazon Web Services - AI-augmented threat actor accesses FortiGate devices at scale
3. Amazon Web Services - AI-augmented threat actor accesses FortiGate devices at scale
4. The Hacker News - AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries