AI-Assisted Hacker Breaches 600 Fortinet FortiGate Firewalls Across 55 Countries


What happened

Amazon warned that a Russian-speaking threat actor breached more than 600 Fortinet FortiGate firewalls across 55 countries between January 11 and February 18, 2026, using brute-force attacks against exposed management interfaces and weak credentials rather than exploiting software vulnerabilities. The campaign targeted internet-accessible management ports and extracted sensitive configuration data including SSL-VPN credentials, administrative credentials, firewall policies, and network topology information. The attacker used generative AI services to develop custom tools, automate reconnaissance, analyze network environments, and generate attack plans to expand access within compromised networks. The campaign also targeted backup systems such as Veeam Backup & Replication, and stolen configuration data, credentials, and attack planning materials were found on exposed attacker infrastructure containing over 1,400 files. 

Who is affected

Organizations operating internet-exposed Fortinet FortiGate firewalls without multi-factor authentication or strong credential protection were directly affected, with compromised devices identified across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. 

Why CISOs should care

The incident shows how attackers used generative AI tools to automate reconnaissance, credential extraction, and lateral movement, enabling a low-to-medium skill threat actor to conduct large-scale firewall compromises across global enterprise infrastructure. 

3 practical actions

  • Secure firewall management interfaces. Remove HTTPS and SSH administrative access from internet-facing FortiGate interfaces and bind every admin account to trusted source addresses, so that management is reachable only from an internal or out-of-band network.
  • Enforce multi-factor authentication on VPN and admin accounts. Pair it with account lockout thresholds so brute-force attempts against weak credentials fail rather than succeed, and rotate any administrative and SSL-VPN credentials held in a configuration that may have been exported.
  • Protect and audit backup infrastructure. Monitor systems such as Veeam Backup & Replication for credential extraction attempts and unexpected administrative logins, since the campaign targeted backup servers once it had a foothold in the network.
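The first two actions can be checked offline against a FortiGate configuration export. The script below is an added example and not code from the original report, Amazon or Fortinet. It parses the config/edit/set/next/end structure of a constructed FortiOS backup (the interface, account and address values are invented) and flags WAN interfaces that allow administrative protocols, admin accounts with no trusted hosts or no two-factor, local users without two-factor, and the lockout policy. The FortiOS settings it reads (`allowaccess`, `trusthost1`, `two-factor`, `admin-lockout-threshold`, `admin-lockout-duration`) are real CLI keywords; the defaults it assumes when an export omits a setting (3 failed attempts, 60-second lockout, trusthost `0.0.0.0 0.0.0.0` meaning any source) are stated as assumptions in the code.

```python
import shlex
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, Dict[str, List[str]]]]  # section -> entry -> key -> values

# Constructed sample (hypothetical names and addresses) in the shape of a FortiGate
# `show` export, which omits settings left at their defaults.
SAMPLE_CONFIG = """
config system global
    set admin-lockout-threshold 10
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
config user local
    edit "vpn-alice"
        set two-factor fortitoken
    next
    edit "vpn-bob"
        set type password
    next
end
"""

def parse_fortios(text: str) -> Config:
    """Walk config/edit/set/next/end; settings directly under a block go under entry ""."""
    sections: Config = {}
    stack: List[List[str]] = []  # [section_path, current_entry] per open block
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append([" ".join(tokens[1:]), ""])
            if len(stack) == 1:
                sections.setdefault(stack[0][0], {})
        elif kw == "end" and stack:
            stack.pop()
        elif len(stack) == 1:  # blocks nested inside an edit are skipped
            path, entry = stack[0]
            if kw == "edit":
                stack[0][1] = tokens[1]
                sections[path].setdefault(tokens[1], {})
            elif kw == "next":
                stack[0][1] = ""
            elif kw == "set":
                sections[path].setdefault(entry, {})[tokens[1]] = tokens[2:]
    return sections

ADMIN_PROTOCOLS = {"https", "http", "ssh", "telnet"}
ANY_HOST = (["0.0.0.0", "0.0.0.0"], ["::/0"])  # trusthost defaults, i.e. "any source"

def exposed_admin_interfaces(cfg: Config) -> List[Tuple[str, List[str]]]:
    """WAN-role interfaces whose allowaccess includes an administrative protocol."""
    hits = {n: sorted(ADMIN_PROTOCOLS & set(a.get("allowaccess", [])))
            for n, a in cfg.get("system interface", {}).items() if a.get("role") == ["wan"]}
    return [(n, h) for n, h in hits.items() if h]

def weak_admins(cfg: Config) -> List[Tuple[str, List[str]]]:
    """Admin accounts reachable from any source address and/or without two-factor."""
    out = []
    for name, attrs in cfg.get("system admin", {}).items():
        issues = []
        if not any(k.startswith(("trusthost", "ip6-trusthost")) and v not in ANY_HOST
                   for k, v in attrs.items()):
            issues.append("no trusted hosts")
        if attrs.get("two-factor", ["disable"]) == ["disable"]:  # FortiOS default: disable
            issues.append("no two-factor")
        if issues:
            out.append((name, issues))
    return out

def vpn_users_without_mfa(cfg: Config) -> List[str]:
    """Local users (what SSL-VPN commonly authenticates) that have no two-factor."""
    return sorted(n for n, a in cfg.get("user local", {}).items()
                  if a.get("two-factor", ["disable"]) == ["disable"])

def lockout_policy(cfg: Config) -> Tuple[int, int]:
    """(failed attempts before lockout, lockout seconds); assumed defaults 3 and 60."""
    g = cfg.get("system global", {}).get("", {})
    return int(g.get("admin-lockout-threshold", ["3"])[0]), int(g.get("admin-lockout-duration", ["60"])[0])

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print(exposed_admin_interfaces(cfg), weak_admins(cfg), vpn_users_without_mfa(cfg), lockout_policy(cfg))
```

On the sample, `wan1` is flagged for HTTPS and SSH, `admin` for having neither trusted hosts nor two-factor, and `vpn-bob` for lacking two-factor, while `netops` and `vpn-alice` pass; the interface `role` is an operator-set hint, so on a real export also confirm which interface actually carries the public address. Run it over `show full-configuration` output rather than `show` to see explicit values instead of relying on the assumed defaults.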