A financially motivated threat actor used various commercial generative AI services to compromise over 600 FortiGate devices across more than 55 countries between January 11 and February 18, 2026.
The campaign is a defining demonstration of how AI is lowering the technical entry barrier to offensive cyber operations, enabling a low- to medium-skilled individual or small group to operate at a scale that previously required a significantly larger and more skilled team. The threat actor's initial access relied entirely on credential abuse against FortiGate management interfaces exposed to the internet; no zero-day vulnerabilities or novel techniques were involved.
Through systematic scanning of ports 443, 8443, 10443, and 4443, the ports commonly used for FortiGate administration and SSL-VPN, the attacker first enumerated internet-exposed appliances and then logged in to those whose accounts used weak or reused passwords and were protected by single-factor authentication only.
Extracted FortiGate configuration files proved to be high-value targets, containing SSL-VPN user credentials with recoverable passwords, administrative credentials, complete network topology data, IPsec VPN peer configurations, and firewall policies revealing internal architecture.
These configurations were parsed, decrypted, and organized using AI-assisted Python scripts, enabling efficient large-scale credential harvesting.
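The two passages above describe the same artifact from both sides: management interfaces and single-factor admin accounts are what the scanning found, and the exported configuration is what was harvested afterwards. The following is an added example, not code from the article or from the reported attack tooling, showing the check a defender would run over their own FortiGate CLI export before an attacker does: parse the FortiOS `config`/`edit`/`set` format, report WAN interfaces with management protocols enabled, admin accounts with no two-factor setting, the non-default admin port, and an inventory of every `ENC` value in the file. The sample configuration is constructed for the example and its `ENC` blobs are placeholders; the assumption that `SH2`-prefixed admin passwords are hashed while `AK1`-prefixed values (local user passwords, IPsec pre-shared keys) are reversibly encrypted follows the usual FortiOS convention and is the reason a leaked export is immediately exploitable. No decryption is implemented here.

```python
import shlex

# Constructed sample in FortiOS CLI export format (not a real device export).
# The ENC values are placeholders, not real hashes or ciphertext.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 8443
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set password ENC SH2placeholderAdminHash==
    next
    edit "secops"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC SH2placeholderSecopsHash==
    next
end
config user local
    edit "vpnuser1"
        set passwd ENC AK1placeholderReversibleBlob==
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set remote-gw 198.51.100.5
        set psksecret ENC AK1placeholderPskBlob==
    next
end
"""


def parse_fortigate_config(text):
    """Parse FortiOS CLI output into {section: {entry: {key: [values]}}}.
    Settings made directly under 'config ...' (no 'edit') live under entry None;
    a 'config' block nested inside an 'edit' is keyed as parent/entry/child."""
    sections = {}
    stack = []                      # enclosing (section, entry) for nested blocks
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            name = line[len("config "):]
            stack.append((section, entry))
            section = f"{section}/{entry}/{name}" if section else name
            entry = None
            sections.setdefault(section, {})
        elif line.startswith("edit "):
            entry = shlex.split(line)[1]           # strips the surrounding quotes
            sections[section].setdefault(entry, {})
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = stack.pop()
        elif line.startswith("set "):
            key, *values = shlex.split(line)[1:]
            sections[section].setdefault(entry, {})[key] = values
    return sections


def admin_https_port(cfg):
    """HTTPS admin port: FortiOS defaults to 443 unless admin-sport is set."""
    return int(cfg.get("system global", {}).get(None, {}).get("admin-sport", ["443"])[0])


def exposed_admin_interfaces(cfg):
    """Interfaces with role 'wan' that still allow a management protocol."""
    mgmt = {"https", "http", "ssh", "telnet"}
    return sorted(name for name, s in cfg.get("system interface", {}).items()
                  if name is not None and s.get("role") == ["wan"]
                  and mgmt & set(s.get("allowaccess", [])))


def single_factor_admins(cfg):
    """Admin accounts with no two-factor setting (FortiOS default is 'disable')."""
    return sorted(name for name, s in cfg.get("system admin", {}).items()
                  if name is not None and s.get("two-factor", ["disable"]) == ["disable"])


def harvestable_secrets(cfg):
    """Every ENC value in the export as (section, entry, key, prefix).
    Assumed convention: SH2 = hashed admin password (needs cracking),
    AK1 = reversibly encrypted (local user passwords, IPsec PSKs)."""
    return [(section, entry, key, values[1][:3])
            for section, entries in cfg.items()
            for entry, settings in entries.items()
            for key, values in settings.items()
            if values[:1] == ["ENC"] and len(values) > 1]


if __name__ == "__main__":
    cfg = parse_fortigate_config(SAMPLE_CONFIG)
    print("admin HTTPS port:", admin_https_port(cfg))
    print("WAN interfaces with management enabled:", exposed_admin_interfaces(cfg))
    print("admins without two-factor:", single_factor_admins(cfg))
    for secret in harvestable_secrets(cfg):
        print("secret:", secret)
```

Run it against a `show full-configuration` export of your own device: anything returned by `exposed_admin_interfaces` or `single_factor_admins` is exactly the combination the campaign relied on, and the `AK1` entries in `harvestable_secrets` are the credentials that would be recoverable without cracking if that export ever left the device.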