A financially motivated, Russian-speaking threat actor has leveraged commercial generative artificial intelligence services to compromise more than 600 FortiGate network security devices across 55 countries. The activity was observed by Amazon Threat Intelligence between January 11 and February 18, 2026, highlighting a significant escalation in the sophistication of cyberattacks.
Scope and Method of the Attack
The campaign targeted Fortinet FortiGate firewalls and virtual private network appliances. The threat actor used generative AI tools to automate and refine the process of identifying vulnerabilities and crafting malicious scripts. This approach allowed for the rapid, large-scale exploitation of security appliances that were not properly updated.
Amazon Threat Intelligence did not specify the exact vulnerabilities exploited but confirmed that the actor focused on known security flaws for which patches had been available. The compromised devices were located in a wide range of nations, indicating a global targeting strategy rather than a region-specific one.
Implications of AI in Cyber Operations
This incident marks a notable public case of threat actors using commercially available generative AI for offensive cyber operations. The technology was used to enhance the efficiency and scale of the attack, automating tasks that traditionally required significant manual effort from skilled hackers.
Security analysts note that the use of AI lowers the barrier to entry for conducting sophisticated attacks. It enables less experienced actors to generate convincing phishing lures, debug exploit code, and analyze compromised systems more effectively. The financial motivation behind this campaign suggests the end goal was likely data theft, credential harvesting, or the establishment of infrastructure for further crimes.
Response and Mitigation
Fortinet has been notified of the findings. The company routinely advises all customers to implement immediate patching for known vulnerabilities and to follow hardening guidelines for their devices. Network security appliances like firewalls are high-value targets because they sit at the perimeter of a network, and a compromise can provide deep access to internal systems.
Amazon Threat Intelligence has shared relevant indicators of compromise with security partners and relevant national computer emergency response teams. Organizations worldwide are urged to review their FortiGate device logs for suspicious activity, particularly from the noted timeframe, and ensure all firmware is updated to the latest secure version.
Looking Ahead
The successful use of generative AI in this campaign is expected to inspire similar tactics from other threat groups. Security firms and government agencies are likely to increase their monitoring of AI service abuses and develop new frameworks for detecting AI-assisted attacks. Further technical details regarding the specific tactics and infrastructure used in this campaign are anticipated to be released by researchers in the coming weeks.
Source: Amazon Threat Intelligence
