Timeline: The Six-Week Assault
January 2026. That's when it started. A Russian-speaking threat actor began systematically targeting FortiGate devices—the firewalls that protect networks for banks, government agencies, and enterprises worldwide. By February, the damage was already done. Over 600 devices across 55 countries had been compromised. Fifty-five countries. Let that number settle in.
What makes this particularly nasty is how it happened. The attacker didn't just find a vulnerability and hope for the best. They weaponized commercial AI services to scale their assault, automating reconnaissance and exploitation across a staggering geographic footprint. This wasn't a scattered, opportunistic campaign. This was industrial-grade infrastructure targeting.
The Discovery
The Hacker News first reported the incident, citing telemetry from security researchers who'd been monitoring suspicious activity across affected regions. The discovery came through network anomalies—unusual command-and-control traffic, unexpected administrative access, persistence mechanisms that suggested someone had set up shop inside these devices for the long term.
Researchers noticed something else too. The infrastructure suggested this wasn't the work of a lone actor dabbling in cybercrime. The sophistication implied organizational backing. The geographic distribution implied targeting intent. And the use of AI tools? That indicated someone with resources willing to invest in scaling their operation.
Technical Analysis
Here's what actually happened under the hood. The attacker identified vulnerable FortiGate instances—likely using commercial AI scanning tools to identify exposure. These devices, spread across countries with widely different cybersecurity maturity and risk profiles, weren't all running the latest patches. Some organizations in countries ranked as more vulnerable to cyber attacks had weaker asset inventory controls. Others simply hadn't prioritized firmware updates.
Once inside, the threat actor established persistence. Web shells. Backdoor accounts. Credential theft mechanisms.
The real question is: how much reconnaissance data did they collect? FortiGate devices don't just protect networks—they sit at the chokepoint between internal infrastructure and the internet. They see everything. Traffic patterns. IP addresses. VPN credentials. Security configurations. For an attacker with access to 600 of these devices across 55 countries, the intelligence haul is staggering.
And the use of AI in orchestrating this? That's the part that should worry security teams everywhere. Traditional attacks require attackers to manually identify targets, probe for vulnerabilities, and exploit them. AI services compress that timeline significantly. They identify patterns humans might miss. They scale operations that would otherwise require armies of attackers.
Damage Assessment
Quantifying the damage is difficult because not all affected organizations have disclosed breaches publicly.
But consider the scope. Fifty-five countries. Multiple critical sectors likely represented. Organizations in countries where cybersecurity resources are limited, where state-sponsored operations are a regular source of attacks, and where vulnerability to climate change (and the economic stress that comes with it) correlates with weaker IT budgets—these organizations were hit hard.
The compromised devices gave attackers direct access to corporate networks, customer data, and potentially classified government information. Some victims are still discovering what was stolen.
Mitigation
Immediate steps: If you're running FortiGate, check your firmware version against the latest security advisories. Apply patches immediately. Check firewall logs for suspicious administrative access, particularly from unfamiliar IP addresses. Look for web shell artifacts in your configuration directories.
Longer term: Assume compromise. Rotate credentials. Segment your network so a firewall breach doesn't automatically grant access to your crown jewels. Deploy network detection and response tools. Monitor command-and-control destinations in your threat intelligence feeds.
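Two of the immediate checks above (firmware version against the advisory, and administrative access from unfamiliar IPs) can be scripted. The following is an added example, not code from the original post or from Fortinet: it parses constructed FortiOS-style key=value event-log lines, flags successful admin logins and admin-account creation from outside a hypothetical management allowlist, and compares version strings numerically. The field names, the allowlist, and the version numbers are assumptions; take the fixed build from the vendor advisory.

```python
import re
from typing import Dict, List

# Constructed sample lines in FortiOS-style key=value event-log format.
# The field names are an assumption about the format; these are not captured logs.
SAMPLE_LOGS = [
    'date=2026-01-14 time=02:17:09 type="event" subtype="system" action="login" '
    'status="success" user="admin" srcip=198.51.100.23 msg="Administrator admin logged in"',
    'date=2026-01-14 time=09:02:41 type="event" subtype="system" action="login" '
    'status="success" user="admin" srcip=10.0.5.20 msg="Administrator admin logged in"',
    'date=2026-01-14 time=02:18:30 type="event" subtype="system" action="login" '
    'status="failed" user="root" srcip=198.51.100.23 msg="Administrator root login failed"',
    'date=2026-01-15 time=03:40:12 type="event" subtype="system" action="add" '
    'status="success" user="admin" srcip=198.51.100.23 msg="Add system.admin svc_backup"',
]

# Hypothetical management networks; replace with the prefixes your admins really use.
TRUSTED_ADMIN_PREFIXES = ("10.0.5.", "10.0.6.")

# key=value pairs; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Flag admin-plane events (successful logins, new admin accounts) from untrusted IPs."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue
        src = ev.get("srcip", "")
        if src.startswith(TRUSTED_ADMIN_PREFIXES):
            continue  # expected management source; not interesting here
        when = f'{ev.get("date", "?")} {ev.get("time", "?")}'
        if ev.get("action") == "login" and ev.get("status") == "success":
            hits.append({"kind": "admin_login_untrusted_ip", "user": ev.get("user", "?"), "srcip": src, "when": when})
        elif ev.get("action") == "add" and "system.admin" in ev.get("msg", ""):
            hits.append({"kind": "admin_account_created", "user": ev.get("user", "?"), "srcip": src, "when": when})
    return hits


def firmware_outdated(running: str, minimum: str) -> bool:
    """Compare 'vX.Y.Z' strings numerically; a plain string compare would rank v7.0.9 above v7.0.12."""
    def parts(v: str):
        return tuple(int(x) for x in v.lstrip("v").split("."))
    return parts(running) < parts(minimum)
```

Build numbers are not compared here; extend parts() if your advisory distinguishes builds within a release.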
And frankly, organizations need to treat AI-assisted attacks as the baseline threat model now, not the exception.