Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls

https://www.infosecurity-magazine.com/news/russian-threat-actor-genai/

Publish Date: 2026-02-23 07:30:00

Source Domain: www.infosecurity-magazine.com

A low-skilled cyber threat actor has been observed leveraging several generative AI (GenAI) tools to deploy a malicious campaign aimed at compromising Fortinet’s FortiGate firewall appliances.

In an Amazon Web Services (AWS) Security blog published on February 20, CJ Moses, CISO of Amazon Integrated Security, shared findings about the campaign.

Amazon Threat Intelligence assessed that the attacker was a Russian-speaking, financially motivated threat actor with limited technical capabilities.

The threat actor used multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operation.

AWS assessed the campaign ran from January 11 to February 18, 2026, and compromised over 600 FortiGate devices across more than 55 countries.

Amazon Threat Intelligence noted that AWS infrastructure was not involved in this campaign and that no exploitation of FortiGate vulnerabilities was observed.

FortiGate Compromise: Attack Workflow Explained

This campaign was deemed opportunistic rather than targeted.

The threat actor scanned for FortiGate management interfaces exposed to the internet and attempted to gain access to them using commonly reused credentials.

They developed AI-assisted Python scripts to parse, decrypt and organize the stolen FortiGate configurations.

Once VPN access to victim networks was gained, the threat actor deployed a custom reconnaissance tool, also likely developed with the use of AI services, with different versions written in both Go and Python.

Indicators of AI involvement in this tool included redundant comments that merely restate function names, a simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-ins with empty documentation stubs.

“While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge…