AI-augmented threat actor accesses FortiGate devices at scale
ID: 70ce56ac-7d84-52c8-93e6-2d24cd60128f
STIX ID: report--70ce56ac-7d84-52c8-93e6-2d24cd60128f
Feed Name: AWS Security Blog
Amazon Threat Intelligence observed a financially motivated, Russian-speaking actor using multiple commercial generative AI services to compromise over 600 FortiGate appliances across 55+ countries (Jan 11–Feb 18, 2026). Initial access came from scanning exposed management ports and abusing weak single-factor credentials. The actor extracted full device configurations and Active Directory credential databases, used AI-generated reconnaissance and post-exploitation tooling, targeted Veeam backup servers, and hosted additional operational files on public infrastructure. Recommended defenses include removing internet-exposed management interfaces, enforcing MFA, rotating credentials, patching backup systems, and monitoring for anomalous AD replication and VPN activity.
