What It Is
A Russian-speaking, financially motivated threat actor is using commercial generative AI services to assist in compromising FortiGate firewalls. Amazon Threat Intelligence observed activity against more than 600 devices in 55 countries between 11 January and 18 February 2026.
Who's Targeted
The campaign focuses on FortiGate devices, which are widely deployed as firewalls and security gateways in corporate networks worldwide.
How It Works
The attackers start by scanning the Internet for exposed FortiGate management interfaces on typical ports such as 443, 8443 and similar. They then brute-force weak or reused credentials, often where multi-factor authentication is not enabled. No FortiOS software vulnerability is exploited.
Once access is gained, the threat actor extracts the full device configuration, including stored credentials, internal routing tables and other network details. AI-assisted tooling is used to analyse this data and to generate or improve reconnaissance frameworks and custom scripts for internal network analysis. The AI influence is evident in the quality and generation patterns of the code, rather than in the creation of malicious payloads.
Post-exploit activity includes compromising Active Directory, probing backup infrastructure and attempting to exploit backup servers and domain controllers, before moving laterally to other internal systems.
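The initial access described above (repeated failed administrator logins followed by a successful one from the same source) is visible in the firewall's own event log. The following detector is an added example, not code from the original advisory or from Amazon Threat Intelligence. It parses FortiOS-style key=value event lines and raises an alert when one source IP exceeds a failure threshold inside a sliding window, and a second, higher-priority alert when that same source then logs in successfully. The sample lines are constructed for the example; the field names (date, time, user, srcip, action, status) follow the FortiOS key=value convention but the exact set of fields on a given firmware release is an assumption to verify against your own logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample event lines in FortiOS key=value style (not captured from a real device).
# One source fails five times and then succeeds; a second source has a single typo-style
# failure; a third logs in cleanly.
SAMPLE_LOG = """\
date=2026-02-01 time=09:00:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=09:00:02 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=09:00:04 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=09:00:06 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=09:00:09 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=09:00:10 logdesc="Admin login failed" user="netops" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=09:00:12 logdesc="Admin login successful" user="admin" srcip=203.0.113.5 action="login" status="success"
date=2026-02-01 time=09:05:00 logdesc="Admin login successful" user="netops" srcip=192.0.2.10 action="login" status="success"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict; adds a datetime under 'ts' when date/time exist."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Sliding-window detector over admin login events.

    Returns a list of (timestamp, kind, srcip, user) tuples, where kind is
    'bruteforce' (at least `threshold` failures from one source inside `window`,
    reported once per source) or 'success_after_failures' (a successful login from a
    source that had already reached the threshold, i.e. a likely guessed password).
    """
    failures = defaultdict(deque)  # srcip -> timestamps of recent failures
    reported = set()               # sources already reported as brute force
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("action") != "login" or "ts" not in ev:
            continue
        src, ts, user = ev.get("srcip"), ev["ts"], ev.get("user", "?")
        recent = failures[src]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if ev.get("status") == "failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in reported:
                alerts.append((ts, "bruteforce", src, user))
                reported.add(src)
        elif ev.get("status") == "success" and len(recent) >= threshold:
            alerts.append((ts, "success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for ts, kind, src, user in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:24s} src={src} user={user}")
```

Run against the constructed sample, the detector reports two alerts for 203.0.113.5 (the brute-force threshold at the fifth failure, then the success that follows) and nothing for the other two sources. In production the same logic runs on the log stream forwarded to your SIEM, and the 'success_after_failures' alert is the one to page on, since it marks a credential that should be rotated and a device whose configuration should be treated as exposed.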
How To Protect
- Enforce strong, unique passwords for all FortiGate accounts and disable default credentials.
- Enable multi-factor authentication on every management interface.
- Restrict Internet exposure of management ports; use VPNs or jump hosts instead of direct access.
- Regularly audit device configurations for unnecessary services or open ports.
- Monitor login attempts and set up alerts for brute-force behaviour.
- Keep firmware and security signatures up to date with the latest vendor releases.
- Segment the network to limit the impact of a compromised firewall.
- Consider AI-assisted detection tools that can spot anomalous scanning or credential-driven activity.
- Engage your security vendor or a qualified security partner for guidance on hardening FortiGate equipment.
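Several of the items above (management ports exposed to the Internet, administrators without multi-factor authentication, configurations not audited) can be checked mechanically from a configuration backup. The script below is an added example, not code from the advisory or from the vendor. It contains a minimal parser for the FortiOS CLI configuration format (config / edit / set / next / end) and audits three things: management protocols allowed on an interface whose role is wan, administrator accounts with no trusthost restriction, and administrator accounts without two-factor enabled. The configuration excerpt is constructed for the example; the keywords role, allowaccess, trusthost1 and two-factor are real FortiOS settings, but the parser is deliberately minimal and does not link nested sub-tables inside an edit block back to their parent entry.

```python
import shlex

# Constructed FortiOS-style configuration excerpt (not from a real device).
# wan1 allows HTTPS and SSH management on a WAN-role interface, and the "admin"
# account has neither a trusthost restriction nor two-factor; "netops" has both.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

# Protocols that expose an administrative interface (as opposed to ping, fgfm, etc.)
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into {section: {entry_name: {key: [values]}}}.

    Nested 'config' blocks inside an 'edit' are stored under a joined section path
    (e.g. 'system interface ipv6') but are not attached to their parent entry.
    """
    tree = {}
    section_stack = []
    entry = None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())   # shlex handles the quoted names and values
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            section_stack.append(" ".join(args))
            tree.setdefault(" ".join(section_stack), {})
            entry = None
        elif kw == "edit" and section_stack:
            entry = tree[" ".join(section_stack)].setdefault(args[0], {})
        elif kw == "set" and entry is not None and args:
            entry.setdefault(args[0], []).extend(args[1:])
        elif kw == "next":
            entry = None
        elif kw == "end" and section_stack:
            section_stack.pop()
            entry = None
    return tree


def audit(tree):
    """Return a list of human-readable findings for the three checks described above."""
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: management access ({', '.join(sorted(exposed))}) on a WAN-role interface")
    for name, adm in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusthost restriction (reachable from any source address)")
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Against the constructed excerpt this reports three findings: HTTPS and SSH management on wan1, and the admin account lacking both a trusthost and two-factor. Feed it the output of a configuration backup from each firewall in the estate and the resulting list is the gap between the hardening items above and what is actually deployed.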
Conclusion
This campaign shows that even without exploiting software bugs, attackers can leverage AI to streamline the discovery of weak credentials and to craft sophisticated reconnaissance scripts for internal analysis. The scale (over 600 devices in more than 55 countries) highlights the importance of strong credential hygiene, proper network segmentation and vigilant monitoring to protect critical firewall infrastructure.