Russian-Speaking Threat Actor Exploits AI to Compromise FortiGate Devices Worldwide
An investigation by Amazon Threat Intelligence has revealed that a financially motivated threat actor, fluent in Russian, has leveraged commercial generative artificial intelligence (AI) services to compromise more than 600 FortiGate devices in 55 countries.
Between January 11 and February 18, 2026, the threat actor gained access through exposed management interfaces and weak, single-factor administrator credentials rather than by exploiting any FortiGate vulnerability. The campaign shows how AI allowed a low-skill actor to abuse these basic security gaps at scale.
The threat actor, characterized by limited technical expertise, harnessed multiple commercial AI tools throughout the attack cycle, including tool development, planning, and command execution. While one AI tool acted as the primary backbone, a second tool served as a fallback for network pivoting.
The actor is financially motivated and has no state backing; their reliance on generative AI illustrates the broader trend of cybercriminals adopting AI to streamline and scale their operations.
Amazon’s analysis suggests that the threat actor successfully compromised Active Directory environments, extracted credential databases, and targeted backup infrastructure for potential ransomware deployment.
Rather than contend with well-defended targets, the actor went after organizations with weaker controls, using AI to bridge the gap between their own limited skills and what the intrusions required.
Publicly accessible infrastructure managed by the threat actor hosted AI-generated attack plans, victim configurations, and custom tooling source code, resembling an “AI-powered assembly line for cybercrime.”
Targeting was sector-agnostic: the actor mass-scanned for exposed FortiGate management interfaces, compromised the appliances, and extracted device configurations, credentials, and network information from them.
Following systematic scanning of FortiGate management interfaces, the threat actor conducted post-exploitation activities, including reconnaissance, Active Directory compromise, credential harvesting, and targeting backup infrastructure.
Organizational-level compromises were detected across various regions, including South Asia, Latin America, and Northern Europe, as the threat actor advanced through network layers.
Utilizing custom reconnaissance tools written in Go and Python, the threat actor pursued domain compromise, lateral movement, and exploitation of Veeam Backup & Replication servers.
Despite encountering obstacles in exploiting complex attack paths, the threat actor persisted in targeting vulnerable services and maintaining access to compromised networks.
With Fortinet appliances an increasingly attractive target, organizations are advised to remove administrative access from Internet-facing interfaces, restrict it to trusted hosts, rotate credentials, enforce multi-factor authentication for administrators, and tighten network security controls.
As AI-augmented threat activity continues to evolve, organizations must prioritize patch management, credential hygiene, network segmentation, and detection of post-exploitation indicators to bolster their defenses against cyber threats.
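The initial-access pattern in this campaign (administrative access reachable on a WAN interface, administrator accounts with no trusted-host restriction and no second factor) is visible in a FortiGate's own configuration export. The auditor below is an added example written for this page, not code from Amazon's report or from Fortinet; it parses the `config` / `edit` / `set` / `next` / `end` structure of a `show full-configuration` export and flags the weak settings. Both configuration excerpts are constructed samples, the FortiToken serial is a placeholder, and treating `set role wan` as the marker of an untrusted interface is a heuristic (an interface with a public address but no role set would need to be checked by address instead).

```python
"""Audit a FortiOS configuration export for exposed management access and
administrators without trusted hosts or two-factor authentication.

Added example for this page, not Amazon's or Fortinet's code. Inputs are
constructed excerpts in 'show full-configuration' syntax.
"""
import shlex

# Constructed sample: the weak state described in the article.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

# Constructed sample: the same device after hardening. "FTKMOB0000000001"
# is a placeholder token serial, not a real one.
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
end
"""

# 'allowaccess' values that expose an administrative login surface.
ADMIN_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for a FortiOS export.

    Tables without 'edit' entries (e.g. 'system global') store their
    settings under the entry key None. A 'config' block nested inside an
    entry is stored as its own table named 'parent/entry/child'.
    """
    tables = {}
    stack = []  # saved (table, entry) frames for nested config blocks
    table = entry = None
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())  # shlex handles the quoted names
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            sub = " ".join(tok[1:])
            stack.append((table, entry))
            table = sub if entry is None else f"{table}/{entry}/{sub}"
            entry = None
            tables.setdefault(table, {})
        elif cmd == "edit" and len(tok) > 1:
            entry = tok[1]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and len(tok) > 1:
            tables[table].setdefault(entry, {})[tok[1]] = tok[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end" and stack:
            table, entry = stack.pop()
    return tables


def audit(cfg):
    """Return a list of human-readable findings for the weak settings."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = ADMIN_PROTOCOLS & set(iface.get("allowaccess", []))
        # Heuristic: 'role wan' marks the interface as untrusted.
        if iface.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: admin access "
                            f"({', '.join(sorted(exposed))}) on WAN-role interface")
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith(("trusthost", "ip6-trusthost")) for k in adm):
            findings.append(f"admin {name}: no trusthost restriction")
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor disabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios(text)) or ["no findings"])
```

Run it against a real export by reading the file into `parse_fortios` in place of the constructed strings; the weak sample yields three findings (exposed HTTPS/SSH on `wan1`, no trusted host, no second factor) and the hardened sample yields none.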

