A major cybersecurity breach has been uncovered, involving the compromise of over 600 FortiGate devices across more than 55 countries. This breach, which occurred between January 11 and February 18, 2026, was orchestrated by a financially motivated threat actor leveraging commercial AI services. This incident highlights the growing role of AI in facilitating cybercrime, enabling attackers with minimal skills to execute large-scale operations that previously required significant expertise.
AI Lowers Cyberattack Barriers
The attackers gained initial access by exploiting credential weaknesses in FortiGate management interfaces exposed to the internet. Notably, no zero-day vulnerabilities were utilized, indicating that the threat actor’s approach relied on systematic scanning for weak or reused credentials across specific ports. This strategy underscores how AI is simplifying cyberattacks, allowing individuals with limited technical skills to operate effectively.
Configuration files from compromised FortiGate devices, containing sensitive data such as SSL-VPN user credentials and network topology, were targeted. These files were decrypted and organized using AI-assisted Python scripts, enabling efficient credential harvesting on a large scale.
Targeting and Regional Impact
The attack was characterized by opportunistic targeting rather than focusing on specific sectors, facilitated by automated mass scanning techniques. However, patterns of compromise were observed at the organizational level, particularly among clusters of devices managed by service providers. Affected regions included South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia.
Amazon Threat Intelligence reported the use of at least two distinct AI large language models throughout the operation. These models were integral in both planning attacks and executing lateral movements within compromised networks, with AI being described as the operational backbone of the cybercriminal activity.
Methodologies and Defensive Measures
The post-exploitation phase involved deploying Meterpreter with Mimikatz to conduct DCSync attacks, extracting NTLM credential databases from Active Directory environments. Attackers utilized techniques such as pass-the-hash and pass-the-ticket for lateral movement, with a focus on compromising backup infrastructure to thwart recovery efforts.
Despite the breach’s scale, limitations were noted in the attackers’ skill set, as they often failed against robust defenses. Their reliance on AI-enhanced efficiency rather than technical prowess was evident, with operational notes indicating abandonment of targets with strong security measures.
To mitigate such threats, organizations using FortiGate devices are advised to remove internet exposure of management interfaces, enforce multi-factor authentication, regularly rotate credentials, and monitor for anomalous activities such as unexpected VPN authentications and unauthorized PowerShell module loading.
Indicators of compromise (IOCs) have been shared with industry partners to aid in countering the ongoing threat, underscoring the importance of collaboration in cybersecurity defense.
Stay updated with the latest cybersecurity news by following us on Google News, LinkedIn, and X, and reach out to share your cybersecurity stories.
