AI-augmented threat actor accesses FortiGate devices at scale

A Russian-speaking cybercrime group compromised over 600 FortiGate devices across 55 countries between January 11 and February 18, 2026, using commercial AI services to automate and scale their attacks[^1]. Rather than exploiting vulnerabilities, the group targeted exposed management ports and weak credentials, using AI tools like DeepSeek and Claude to generate attack plans, develop tools, and orchestrate operations[^6].
The threat actor, despite limited technical skills, leveraged AI to:
- Extract device configurations and credentials
- Compromise Active Directory environments
- Target backup infrastructure
- Generate comprehensive attack methodologies
- Develop custom reconnaissance tools
"This campaign succeeded through a combination of exposed management interfaces, weak credentials, and single-factor authentication—all fundamental security gaps that AI helped an unsophisticated actor exploit at scale," said CJ Moses, Amazon's CISO[^1].
When encountering hardened security measures, the group simply moved to easier targets rather than attempting sophisticated exploitation, demonstrating their reliance on AI-augmented efficiency rather than technical expertise[^1].
[^1]: Amazon Web Services - AI-augmented threat actor accesses FortiGate devices at scale
[^6]: The Hacker News - AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries