Cybercriminals Exploit AI to Breach Over 600 FortiGate Devices Globally
In a recent and alarming development, a financially motivated cybercriminal group has successfully compromised more than 600 FortiGate devices across 55 countries between January 11 and February 18, 2026. This campaign underscores the evolving landscape of cyber threats, where artificial intelligence (AI) is increasingly leveraged to enhance the scale and efficiency of attacks.
Exploitation of AI in Cyber Attacks
The attackers utilized various commercial generative AI services to orchestrate and execute their operations. This strategic use of AI has significantly lowered the technical barriers to conducting large-scale cyber attacks, enabling individuals or small groups with moderate technical skills to perform operations that previously required extensive expertise and resources.
Methodology of the Attack
The initial phase of the attack focused on exploiting weak or reused credentials associated with FortiGate management interfaces exposed to the internet. The attackers conducted systematic scans across multiple ports, including 443, 8443, 10443, and 4443, to identify vulnerable appliances. Notably, the campaign did not involve zero-day vulnerabilities or novel exploitation techniques; instead, it relied entirely on credential-based exploitation.
Once access was gained, the attackers extracted configuration files from the compromised FortiGate devices. These files contained sensitive information such as SSL-VPN user credentials, administrative credentials, network topology data, IPsec VPN peer configurations, and firewall policies. The extracted data was then processed and organized using AI-assisted Python scripts, facilitating efficient large-scale credential harvesting.
Global Impact and Targeting
The targeting strategy appeared opportunistic, with no specific focus on particular sectors. However, patterns emerged indicating organizational-level compromises, especially among managed service providers. Regions with significant concentrations of compromised devices included South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia.
AI as an Operational Tool
The attackers’ reliance on AI was evident throughout the operation. They utilized at least two distinct commercial large language model (LLM) providers: one for tool development and attack planning, and another as an assistant for navigating within compromised networks. In one instance, the attackers inputted a complete victim network topology, including IP addresses, hostnames, active credentials, and identified services, into an AI service to receive step-by-step guidance for lateral movement.
Post-Exploitation Activities
Following initial access, the attackers deployed Meterpreter with the Mimikatz module to perform DCSync attacks against domain controllers, successfully extracting complete NTLM credential databases from multiple Active Directory environments. Lateral movement was achieved through techniques such as pass-the-hash, pass-the-ticket, and NTLM relay attacks. Backup infrastructure, particularly Veeam Backup & Replication servers, was specifically targeted to disrupt recovery capabilities ahead of potential ransomware deployment.
Limitations and Observations
Despite the extensive use of AI and the scale of the operation, the attackers exhibited consistent skill limitations. They often failed against well-defended environments and tended to abandon targets with effective defenses rather than persist. This pattern suggests that their advantage lies in AI-augmented efficiency and volume, rather than in-depth technical prowess.
Recommendations for Organizations
In light of this sophisticated campaign, organizations are urged to take the following actions to enhance their cybersecurity posture:
1. Implement Multi-Factor Authentication (MFA): Strengthen authentication mechanisms to prevent unauthorized access, especially for management interfaces.
2. Regularly Update and Patch Systems: Ensure that all devices, especially those exposed to the internet, are updated with the latest security patches to mitigate known vulnerabilities.
3. Conduct Regular Security Audits: Perform comprehensive audits to identify and remediate potential security gaps within the network infrastructure.
4. Monitor for Anomalous Activities: Establish continuous monitoring systems to detect unusual patterns that may indicate a security breach.
5. Educate and Train Staff: Provide ongoing cybersecurity training to employees to recognize and respond to potential threats effectively.
Conclusion
The exploitation of AI in this campaign highlights a significant shift in the cyber threat landscape. As AI technologies become more accessible, the potential for their misuse in cyber attacks increases. Organizations must proactively adapt their security strategies to address these emerging challenges and safeguard their digital assets against increasingly sophisticated adversaries.
