The integration of Artificial Intelligence into offensive cybersecurity operations has moved from theoretical warning to operational reality. New intelligence from Amazon Threat Intelligence has uncovered a disturbing trend: a Russian-speaking, financially motivated threat actor successfully compromised over 600 FortiGate devices in 55 countries by leveraging commercial generative AI services.
This campaign, active between January 11 and February 18, 2026, highlights a critical inflection point in the threat landscape. The actor did not rely solely on traditional exploits but utilized AI to optimize and automate their attack methodology, likely bypassing standard signature-based defenses.
The AI-Assisted Attack Vector
While the specific technical details of the AI implementation are often guarded, the implications are clear. Generative AI allows threat actors to rapidly generate polymorphic code, craft highly convincing phishing lures, and write custom scripts designed to evade web application firewalls (WAF) and intrusion prevention systems (IPS).
In this specific incident, the targeting of FortiGate devices—critical perimeter security appliances—suggests the actor used AI to discover subtle misconfigurations or generate scripts to brute-force administrative interfaces with a success rate higher than typical automated tools.
Why FortiGate?
FortiGate devices are the gatekeepers of network traffic. If compromised, an attacker gains a privileged position to intercept, modify, or redirect traffic. The fact that over 600 devices were affected indicates that the attack was not targeted at a single organization but was part of a widespread, opportunistic campaign likely exploiting weak credentials or unpatched configurations, amplified by AI-driven efficiency.
Technical Analysis and TTPs
The use of AI in this campaign suggests a shift in Tactics, Techniques, and Procedures (TTPs). We assess with high confidence that the actor utilized Large Language Models (LLMs) to:
- Obfuscate Attack Traffic: Generating unique payload variations for every attempt to bypass hash-based detection.
- Automate Reconnaissance: Quickly parsing public-facing data to identify vulnerable endpoints.
- Evade Detection: Analyzing common detection rules to generate exploits that explicitly avoid triggering them.
This activity underscores a vital reality: "No exploitation of FortiGate" does not mean "No compromise." If the actor used valid credentials obtained via AI-enhanced credential stuffing or social engineering, traditional vulnerability scanners would show the device as "secure," even while it is fully owned by the attacker.
Detection and Threat Hunting
Defending against AI-assisted threats requires a shift from reactive signature matching to behavioral anomaly detection. Security teams must hunt for patterns that indicate automated logic or administrative access from anomalous locations.
Hunt for Administrative Anomalies
You should immediately query your logs for administrative logins that do not match your baseline behavior. The following KQL query for Microsoft Sentinel can help identify successful admin logins from new or unusual geo-locations:
let AdminLogins = Syslog
| where ProcessName contains "fortigate" or Facility contains "local"
| where SyslogMessage has "login successful" or SyslogMessage has "admin"
| parse SyslogMessage with * "user=" User " " * "srcip=" SourceIP " " *
| project TimeGenerated, User, SourceIP, SyslogMessage;
let KnownAdminIPs = AdminLogins
| summarize by SourceIP, User
| summarize Count=count() by SourceIP
| where Count > 5 // Establish baseline frequency
| project SourceIP;
AdminLogins
| where SourceIP !in (KnownAdminIPs)
| project TimeGenerated, User, SourceIP, SyslogMessage
| sort by TimeGenerated desc
Audit FortiOS Configuration
On the devices themselves, run the following bash commands to ensure no unauthorized administrator accounts or SSH keys have been added:
# Check for recent config changes
grep -E "^set time" /sys/config/file 2>/dev/null || echo "Access restricted."
# List all admin accounts (requires CLI access)
cmdb -f show system admin | grep -A 5 "name"
Additionally, use this Python snippet to analyze exported logs for high-frequency login failures (brute-force indicators):
import re
from collections import Counter
# Simulated log parsing function
def analyze_failed_logins(log_file_path):
failed_ips = []
ip_pattern = re.compile(r'srcip=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
try:
with open(log_file_path, 'r') as f:
for line in f:
if 'login failed' in line.lower():
match = ip_pattern.search(line)
if match:
failed_ips.append(match.group(1))
# Count occurrences
ip_counts = Counter(failed_ips)
# Flag IPs with more than 10 failed attempts
suspicious_ips = {ip: count for ip, count in ip_counts.items() if count > 10}
return suspicious_ips
except FileNotFoundError:
return "File not found. Check path."
# Example usage
# print(analyze_failed_logins('fortigate_logs.txt'))
Mitigation Strategies
To protect your perimeter against AI-augmented threats, basic hygiene is no longer sufficient. You must implement identity-centric security controls:
- Disable WAN Administration: If you must manage FortiGate devices remotely, ensure it is strictly limited to specific IP addresses via Local-in Policies. Never allow management access from the entire internet.
- Enforce Multi-Factor Authentication (MFA): This is non-negotiable. AI can guess passwords, but it cannot easily guess a time-based token pushed to a mobile device.
- Implement Geo-Blocking: If your organization does not conduct business in specific regions (e.g., Eastern Europe or parts of Asia where this actor operates), block those IP ranges at the firewall interface.
- Review Local Accounts: Audit all local admin accounts on FortiGate devices regularly. Remove any unused accounts and ensure the default 'admin' account is renamed or disabled.
The compromise of 600 devices is a warning shot. As AI tools become more accessible, the barrier to entry for sophisticated attacks lowers. Security teams must leverage their own AI-driven detection platforms—like those offered in our SOC services—to match the speed and agility of these modern adversaries.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.