Russian-speaking hackers exploiting generative AI to compromise over 600 FortiGate devices in 55 countries

On February 20, 2026, Amazon Threat Intelligence, Amazon's security team, reported that Russian-speaking hackers had exploited multiple commercially available AI services to compromise over 600 devices equipped with the
AI-augmented threat actor accesses FortiGate devices at scale | AWS Security Blog
https://aws.amazon.com/jp/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/
During routine threat intelligence activities, Amazon Threat Intelligence discovered a server hosting malicious tools targeting FortiGate firewalls. The threat actor had placed additional operational files on the same publicly exposed infrastructure, providing visibility into their attack methods and the specific use of AI throughout their operations.
The threat actors first systematically scanned for publicly exposed FortiGate management interfaces and compromised the devices using reused credentials, although no exploitation of FortiGate vulnerabilities was observed in these compromises.
The attacks were not aimed at any particular industry; they appeared opportunistic, hitting any reachable FortiGate firewall. The campaign, which ran from January 11 to February 18, 2026, compromised over 600 devices across 55 countries, in regions including South Asia, Southeast Asia, Latin America, the Caribbean, Northern Europe, and West Africa.
After successfully compromising the device, the threat actor extracted information from FortiGate configuration files, including SSL-VPN user credentials with recoverable passwords, administrator credentials, firewall policies and internal network architecture, IPsec VPN configuration, and network topology and routing information. These configuration files were then analyzed and decrypted using Python and Go tools created with the assistance of generative AI.

After establishing VPN access to victim networks, the threat actors deployed a custom reconnaissance tool written in Python and Go that automates the following workflows: ingesting target networks from VPN routing tables, classifying networks by size, performing service discovery using the open-source port scanner gogo, automatically identifying SMB hosts and domain controllers, and creating a prioritized target list for discovered HTTP services.
The source code showed clear signs of having been developed with generative AI, including redundant comments that merely rephrase function names, a simplistic architecture that places excessive emphasis on formatting rather than functionality, simple JSON parsing by string matching rather than proper deserialization, and a built-in compatibility shim containing empty documents.
Amazon Threat Intelligence points out that the custom reconnaissance tools 'work for certain threat actor use cases, but the tools lack robustness and do not work in edge cases, which is typical of AI-generated code used without significant refinement.'
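To make the "string matching rather than proper deserialization" observation concrete, here is an added example (not code from the report, from the threat actor's tooling, or from the gogo project) contrasting the two approaches on constructed scanner output. The JSON layout is an assumption modelled loosely on a port scanner's results; it is not real gogo output. It shows the two edge cases where the scraping approach silently gives wrong answers: a nested object that happens to carry its own `"ip"` key, and the same data serialized without whitespace.

```python
import json
import re

# Constructed scan output, loosely modelled on a port scanner's JSON export.
# Not real gogo output; the field names are assumptions for this example.
SCAN_RESULTS = {
    "results": [
        {"ip": "10.0.0.5", "port": 445, "service": "smb"},
        # Nested object with its own "ip" key (e.g. the route used to reach the host).
        {"ip": "10.0.0.9", "port": 80, "service": "http",
         "route": {"ip": "10.0.0.1", "iface": "eth0"}},
        {"ip": "10.0.0.12", "port": 389, "service": "ldap"},
    ]
}

# The same data in two legitimate serializations: pretty-printed and compact.
PRETTY = json.dumps(SCAN_RESULTS, indent=2)
COMPACT = json.dumps(SCAN_RESULTS, separators=(",", ":"))


def hosts_by_string_matching(text):
    """Brittle approach: scrape every '"ip": "..."' substring regardless of structure.

    It over-counts nested objects and returns nothing when the whitespace differs.
    """
    return re.findall(r'"ip": "([^"]+)"', text)


def hosts_by_deserializing(text):
    """Robust approach: parse the document, then walk the documented structure."""
    data = json.loads(text)
    return [record["ip"] for record in data["results"]]


if __name__ == "__main__":
    for label, text in (("pretty", PRETTY), ("compact", COMPACT)):
        print(label, "string matching:", hosts_by_string_matching(text))
        print(label, "deserializing: ", hosts_by_deserializing(text))
```

On the pretty-printed input the scraper returns four "hosts" (the route's `10.0.0.1` is counted as a target); on the compact input it returns none. The deserializing version returns the same three hosts either way, which is the behaviour a tool needs before its output feeds any further automated step.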
Amazon Threat Intelligence assesses the threat actors as having a low-to-medium skill set, but says their capabilities were significantly enhanced through the use of generative AI. The wide range of indiscriminate targets and the low level of sophistication suggest they are financially motivated, and the extensive operational documentation found in Russian suggests the group is made up of Russian-speaking hackers.
To prevent cyberattacks like this, Amazon Threat Intelligence recommended that users 'not expose the FortiGate management interface to the internet,' 'ensure that multi-factor authentication is enabled,' 'ensure that VPN passwords are not the same as Active Directory account passwords,' and 'strengthen their backup infrastructure.'
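The first two recommendations can be checked directly against a FortiGate's configuration backup. The following is an added example written for this article, not code from Amazon or Fortinet: a small parser for the flat FortiOS CLI format plus an audit that flags WAN interfaces whose `allowaccess` list admits management protocols, and admin accounts with no `trusthost` restriction or with `two-factor` left at its default. The configuration text is constructed; the keywords used (`allowaccess`, `role`, `trusthost1`, `two-factor`) follow FortiOS CLI syntax as this example assumes it, and a real backup will contain many more sections and nested blocks than are handled here.

```python
"""Audit a FortiGate-style config backup for internet-exposed management
interfaces and weakly protected admin accounts.

Added example; not code from Amazon, Fortinet, or the report.
"""

# Constructed sample config in FortiOS CLI style (assumed syntax, not a real backup).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
config system admin
    edit "admin"
        set password ENC PLACEHOLDER
    next
    edit "ops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

# Protocols that give an interactive management session if reachable.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for a flat FortiOS CLI dump.

    Tracks 'config ... / end' nesting with a stack and 'edit ... / next' for
    entries; only 'set' lines inside an entry are recorded.
    """
    sections = {}
    stack = []       # names of currently open 'config' blocks
    current = None   # (section, entry) of the entry being edited
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            sections.setdefault(stack[-1], {})
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            current = (stack[-1], name)
            sections[stack[-1]][name] = {}
        elif line.startswith("set ") and current:
            key, _, rest = line[len("set "):].partition(" ")
            sections[current[0]][current[1]][key] = rest.split()
        elif line == "next":
            current = None
        elif line == "end" and stack:
            stack.pop()
    return sections


def audit(sections):
    """Return a list of human-readable findings for the exposures in the report."""
    findings = []
    for name, attrs in sections.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(
                f"interface {name}: management protocols {sorted(exposed)} "
                "reachable from the internet")
    for name, attrs in sections.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(f"admin {name}: no trusthost restriction")
        # FortiOS leaves two-factor disabled unless explicitly set.
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Against the sample, the audit reports three findings: `wan1` exposes HTTPS and SSH, and the built-in `admin` account has neither a trusted-host restriction nor two-factor, while `ops` passes. Running the same check over a real backup also makes the third recommendation actionable, since the SSL-VPN user list it extracts is the set of accounts whose passwords must not match Active Directory.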
Security blog Cyber and Ramen also reported additional technical details about the threat actors.
LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices Across Continents
https://cyberandramen.net/2026/02/21/llms-in-the-kill-chain-inside-a-custom-mcp-targeting-fortigate-devices-across-continents/

Cyber and Ramen's investigation revealed that the accidentally exposed files contained the output of Claude Code tasks and session diffs, and that a Model Context Protocol (MCP) server named ARXON was used to bridge the stolen data and large language models. ARXON is likely a custom MCP framework created by the threat actor, and the data ingested into ARXON was used to automate post-breach analysis and attack planning.
Posted by log1h_ik in AI, Web Service, Security