NEHAR

AI-Driven Campaign Compromises 600+ FortiGate Devices Globally


A recent surge in cyberattacks has underscored a new reality in the threat landscape: the democratization of high-scale offensive operations through commercial generative AI. Between January 11 and February 18, 2026, a Russian-speaking, financially motivated threat actor successfully compromised over 600 Fortinet FortiGate firewall devices across more than 55 countries.

The campaign, detailed by Amazon Threat Intelligence (AWS), is notable not for its technical novelty, but for its high level of efficiency and automation.


The Role of Generative AI: Lowering the Barrier to Entry

Unlike traditional Advanced Persistent Threats (APTs) that rely on proprietary zero-day exploits, this actor utilized off-the-shelf generative AI services to bridge the gap in technical expertise. AI was integrated into three critical phases:

  • Automated Tooling: Generating complex attack plans and scripts at a scale previously reserved for well-funded groups.
  • Rapid Development: Leveraging AI to write and debug reconnaissance and automation scripts in languages such as Python and Go.
  • Tactical Pivoting: Using multiple AI models to analyze data and adjust tactics in real-time throughout the attack lifecycle.

Key Takeaway: The use of AI effectively lowered the technical “barrier to entry,” allowing a relatively low-skill operator to orchestrate a global, high-impact offensive.


Attack Methodology

The attacker followed a disciplined, high-volume workflow that prioritized “low-hanging fruit” over complex penetration.

1. Mass Scanning and Initial Access

The actor targeted FortiGate management interfaces (specifically ports 443 and 8443) exposed to the public internet. Access was primarily gained through:

  • Weak or reused credentials.
  • Lack of Multi-Factor Authentication (MFA).

2. Credential and Configuration Theft

Once inside the firewall, the attacker extracted configuration files. These files provided a treasure trove of administrative credentials, VPN logins, and internal network topology data.

3. Lateral Movement and Ransomware Staging

With internal credentials in hand, the actor moved deeper into the victim networks:

  • Active Directory Compromise: Executing DCSync attacks to gain domain-level control.
  • Credential Harvesting: Utilizing NTLM password hashes for pass-the-hash and pass-the-ticket maneuvers.
  • Backup Targeting: Specifically seeking out Veeam Backup & Replication systems—a classic precursor to a ransomware deployment.

4. Target Selection

Notably, the actor demonstrated a “path of least resistance” philosophy. They frequently abandoned hardened targets that were properly patched or protected by robust security controls, opting instead to move on to easier, less-protected victims.
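The initial-access step above (credential guessing against an exposed management interface) is the part of this workflow a defender can catch in the firewall's own event logs. The following Python script is an added example, not from the AWS report and not Fortinet tooling: it parses FortiGate-style key=value event-log lines, flags a source address with repeated failed admin logins inside a short window, and flags a successful admin login from a source that had just been failing, which is the signature of a weak or reused password being found. The log IDs, logdesc strings, field layout and every sample line are constructed for the example and should be checked against the log reference for your own firmware version.

```python
"""Spot credential guessing against a FortiGate management interface.

Added example, not from the AWS report or from Fortinet. It parses
FortiGate-style key=value event-log lines and flags two things a defender
wants to see for the initial-access step described above:
  * a source IP with >= fail_threshold failed admin logins inside `window`
  * a successful admin login from a source that had just been failing
Log IDs (0100032002 failed / 0100032001 successful), the logdesc strings and
the field layout are assumptions modelled on FortiOS event logs; check them
against the log reference for your firmware version before relying on them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOGDESC_FAILED = "Admin login failed"
LOGDESC_SUCCESS = "Admin login successful"


def _sample(t, user, src, ok):
    """Build one constructed sample line in the assumed FortiGate format."""
    logid, desc, status = (("0100032001", LOGDESC_SUCCESS, "success") if ok
                           else ("0100032002", LOGDESC_FAILED, "failed"))
    return (f'date=2026-01-15 time={t} logid="{logid}" type="event" subtype="system" '
            f'logdesc="{desc}" user="{user}" ui="https({src})" srcip={src} '
            f'action="login" status="{status}"')


# Constructed sample: one internet host tries several admin names, then gets
# in as "fwadmin"; later a legitimate admin logs in from the internal network.
SAMPLE_LOGS = [
    _sample("03:12:01", "admin", "203.0.113.5", False),
    _sample("03:12:02", "admin", "203.0.113.5", False),
    _sample("03:12:03", "administrator", "203.0.113.5", False),
    _sample("03:12:04", "fwadmin", "203.0.113.5", False),
    _sample("03:12:05", "fwadmin", "203.0.113.5", False),
    _sample("03:12:06", "fwadmin", "203.0.113.5", True),
    _sample("08:30:00", "fwadmin", "10.0.0.7", True),
]


def parse_line(line):
    """Turn a key=value log line into a dict; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}",
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def detect_admin_login_abuse(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings, in time order, for admin-login abuse."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    recent_fail = defaultdict(deque)   # srcip -> timestamps of failures in window
    users_tried = defaultdict(set)     # srcip -> admin names attempted
    alerted = set()                    # sources already reported for brute force
    findings = []
    for ev in events:
        if ev.get("type") != "event" or ev.get("action") != "login":
            continue
        ip, ts = ev.get("srcip"), ev["ts"]
        q = recent_fail[ip]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if ev.get("logdesc") == LOGDESC_FAILED:
            q.append(ts)
            users_tried[ip].add(ev.get("user"))
            if len(q) >= fail_threshold and ip not in alerted:
                alerted.add(ip)
                findings.append({"kind": "brute_force", "srcip": ip, "ts": ts,
                                 "failures": len(q),
                                 "users": sorted(users_tried[ip])})
        elif ev.get("logdesc") == LOGDESC_SUCCESS:
            if q:   # success right after a run of failures: likely a guessed password
                findings.append({"kind": "success_after_failures", "srcip": ip,
                                 "ts": ts, "user": ev.get("user"),
                                 "prior_failures": len(q)})
            q.clear()
    return findings


if __name__ == "__main__":
    for f in detect_admin_login_abuse(SAMPLE_LOGS):
        print(f)
```

The "success after failures" finding is the one worth paging on: a burst of failures alone is background noise on any internet-facing interface, but a success from the same source shortly afterwards means the guessing worked and the configuration-theft step is likely already under way. Feed the function the lines forwarded by the firewall's syslog output rather than the constructed sample, and lower `fail_threshold` for interfaces that should never see external logins at all.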

Defensive Recommendations

The success of this campaign relied heavily on basic security lapses and human error rather than sophisticated exploits. To mitigate these risks, organizations should prioritize a layered defense strategy:

Technical Controls

  • Enforce MFA: Ensure all management interfaces and VPNs require multi-factor authentication.
  • Restrict Exposure: Limit access to firewall management ports (e.g., 443, 8443) to specific, authorized IP addresses or internal jump servers.
  • Audit Credentials: Regularly rotate administrative passwords and audit for reused credentials across the environment.
  • Hardening: Follow vendor-specific hardening guides; as this actor proved, simply being “harder to hack” than the average target is often an effective deterrent.
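The first three technical controls above map directly onto settings in a FortiGate configuration dump, which makes them auditable rather than a matter of policy. The following Python script is an added example, not Fortinet tooling and not from the AWS report: it parses the config / edit / set / next / end syntax of a FortiOS configuration excerpt and reports admin accounts with no trusthost restriction, admin accounts with no two-factor setting, and WAN-role interfaces that still allow a management protocol. The sample configuration is constructed; the key names trusthost1, two-factor, allowaccess and role follow the FortiOS CLI.

```python
"""Audit a FortiOS configuration excerpt for the lapses this campaign abused.

Added example, not Fortinet tooling. It parses the nested
config / edit / set / next / end syntax of a FortiOS config dump and flags:
  * admin accounts with no trusthostN line (reachable from any source address)
  * admin accounts with no two-factor line (the FortiOS default is disabled,
    and defaults are omitted from `show` output, so absence means no MFA)
  * WAN-role interfaces whose allowaccess includes a management protocol
The sample configuration is constructed; the key names follow the FortiOS CLI.
"""
import shlex

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "fwadmin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER"
        set vdom "root"
    next
end
config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""


def parse_fortios(text):
    """Return {section_path: {entry_name: {key: [values]}}}.

    A stack tracks nesting so sub-tables inside an entry (config ... inside
    edit ...) get their own path "parent section/entry/sub section". Settings
    outside any `edit` (e.g. config system global) are stored under entry None.
    """
    tree = {}
    stack = []   # frames of [section_path, current_entry_name]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        word, rest = tokens[0], tokens[1:]
        if word == "config":
            path = " ".join(rest)
            if stack and stack[-1][1] is not None:
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            tree.setdefault(path, {})
            stack.append([path, None])
        elif word == "edit":
            stack[-1][1] = rest[0]
            tree[stack[-1][0]].setdefault(rest[0], {})
        elif word == "set":
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[rest[0]] = rest[1:]
        elif word == "next":
            stack[-1][1] = None
        elif word == "end":
            stack.pop()
    return tree


def audit(tree):
    """Return (object_name, problem) pairs for the three checks above."""
    findings = []
    for name, s in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append((name, "no trusthost restriction: reachable from any source IP"))
        if s.get("two-factor", ["disable"])[0] == "disable":
            findings.append((name, "two-factor not enabled"))
    for name, s in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
        if s.get("role", [""])[0] == "wan" and exposed:
            findings.append((name, "management protocols allowed on WAN interface: "
                                   + ", ".join(sorted(exposed))))
    return findings


if __name__ == "__main__":
    for obj, problem in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{obj}: {problem}")
```

Run it over the output of `show` or `show full-configuration`; the two-factor check treats a missing line as the disabled default, and `show full-configuration` prints that default explicitly as `set two-factor disable`, which the same check also catches. In the constructed sample only the "admin" account and the "wan1" interface are reported, which is exactly the state the campaign exploited: a built-in administrator reachable from anywhere with a single factor.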

The Human Element: Security Awareness Training

Because the attacker focused on credential abuse and weak passwords, a robust security culture is the first line of defense. Organizations should implement training that covers:

  • Password Hygiene: Educating staff on the dangers of password reuse and the necessity of using complex, unique passphrases.
  • MFA Best Practices: Training users to recognize “MFA Fatigue” attacks and ensuring they never approve an authentication request they didn’t personally trigger.
  • Social Engineering Awareness: Helping employees identify the reconnaissance tactics (often AI-generated) used to harvest credentials before an infrastructure breach occurs.
  • Incident Reporting: Encouraging a “see something, say something” culture where users feel empowered to report suspicious login notifications immediately.