Published: 2026-03-08
Categories: AI Security, Threat Intelligence, Network Security, Agentic AI
AI-Assisted Mass Network Infrastructure Exploitation: The 600+ FortiGate Campaign
Key Takeaways
Between January 11 and February 18, 2026, a threat actor assessed as Russian-speaking and financially motivated compromised more than 600 Fortinet FortiGate appliances across at least 55 countries [1]. The attacker did not rely on zero-day vulnerabilities. Instead, they combined commercial generative AI services—DeepSeek and Anthropic Claude—with a custom AI orchestration framework to systematically abuse internet-exposed management interfaces and weak, single-factor credentials at a scale that analysts assess would have required a substantially larger or more technically skilled team to achieve without AI augmentation [1][2]. Concurrently, independent researchers identified that the open-source offensive AI platform CyberStrikeAI—developed by a Chinese researcher with alleged ties to China’s Ministry of State Security—was operating from 21 unique IP addresses across the same period and was attributed to a separate but overlapping wave of FortiGate targeting [3]. Together, these two threads suggest a meaningful shift in attacker capability economics: AI is not merely a novelty in offensive operations; it is actively lowering the technical barrier to mass network infrastructure compromise.
Background
The Threat Actor and Campaign Timeline
Amazon Threat Intelligence documented the primary campaign as active from January 11 to February 18, 2026, with reconnaissance activity traced to a single originating IP address, 212.11.64[.]250 [1]. Investigators assessing this infrastructure found it hosted over 1,400 files across 139 subdirectories, including CVE exploit code, harvested FortiGate configurations, Nuclei scanning templates, Veeam credential extraction tooling, BloodHound Active Directory collection artifacts, and files that Amazon characterized as AI-generated attack plans based on their structure and content patterns [1][2]. A prior exposure of the same server in December 2025 had revealed an earlier instance hosting HexStrike AI, an open-source Model Context Protocol (MCP) framework built to allow large language models to control penetration-testing tools such as Impacket and Metasploit autonomously [2][4]. By January 2026, the actor had replaced HexStrike with custom components—ARXON and CHECKER2—indicating a deliberate evolution from semi-manual AI-assisted testing toward a fully automated exploitation pipeline [4].
The actor is assessed as financially motivated and of limited independent technical capability. Critically, Amazon’s analysis noted a pattern of the attacker “repeatedly running into failures when attempting exploitation beyond straightforward, automated attack paths,” abandoning hardened targets in favor of softer victims [1]. This behavioral pattern supports the assessment that AI augmentation expanded the actor’s operational reach without meaningfully advancing their underlying technical capabilities.
The Vulnerability Landscape
The campaign’s success rested primarily on common security hygiene failures—particularly internet-exposed management interfaces and single-factor authentication—rather than novel vulnerability exploitation. FortiGate management interfaces were scanned across ports 443, 8443, 10443, and 4443, and initial access was obtained by authenticating with commonly reused credentials against single-factor authentication systems [1][2]. This approach was effective because large numbers of organizations continue to expose FortiGate management planes directly to the internet.
Two critical authentication bypass vulnerabilities provided a parallel, complementary exploitation pathway for the broader campaign ecosystem. CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb, allow unauthenticated remote attackers to bypass authentication by crafting a malicious SAML message, ultimately gaining administrative access [5][6]. CVE-2025-59718 was confirmed as added to CISA’s Known Exploited Vulnerabilities catalog on December 16, 2025, following initial observations of active exploitation attempts [5]; CVE-2025-59719 was added to the KEV catalog around the same period [5]. Observed post-compromise behavior in these cases showed threat actors immediately downloading the system configuration file, which frequently contains hashed credentials [5].
A third vulnerability, CVE-2026-24858, an unauthenticated cloud SSO authentication bypass affecting FortiOS, FortiProxy, FortiAnalyzer, and FortiManager, was exploited as a zero-day beginning approximately January 20, 2026. Fortinet applied a cloud-side mitigation on January 26, 2026 by temporarily disabling FortiCloud SSO authentication, restoring the service with protective changes on January 27, 2026 [5]. Notably, FortiCloud SSO is disabled by default but automatically enables upon FortiCare registration via the GUI, expanding the exposure surface for any organization that has registered a device with FortiCare via the GUI without subsequently auditing SSO settings [5].
Security Analysis
AI as an Operational Force Multiplier
The distinguishing characteristic of this campaign is not the sophistication of any individual attack technique—credential stuffing, configuration exfiltration, and Active Directory compromise are well-documented tactics—but rather the role of commercial AI in orchestrating those techniques at a scale previously inaccessible to low-capability actors. The threat actor integrated DeepSeek to generate attack plans from reconnaissance data and Anthropic Claude to produce vulnerability assessments and execute offensive tools against victim systems [1][2]. ARXON, a custom MCP server, bridged these language model services into a persistent, growing knowledge base that maintained operational context across the campaign’s multi-week duration [1]. CHECKER2, a Go-based orchestrator, parallelized VPN scanning and target processing, enabling simultaneous operations across geographically dispersed infrastructure [1].
The code quality of these custom tools is itself informative. Amazon’s analysis described the attacker’s reconnaissance scripts as containing “redundant comments merely restating function names” and “naive JSON parsing via string matching,” characteristic of AI-generated code rather than output from an experienced developer [1]. This observation reinforces the assessment that the operator’s technical skills were modest; the AI pipeline’s value was in automating the repetitive, scalable components of the kill chain rather than in advancing the attacker’s understanding of the underlying systems.
The CyberStrikeAI Platform
Running in parallel with the Russian-speaking actor’s campaign, CyberStrikeAI emerged as a second significant development in AI-native offensive tooling. Developed in Go by a researcher using the alias Ed1s0nZ on GitHub and described as an open-source penetration testing framework integrating over 100 security utilities, the platform natively incorporates both Anthropic Claude and DeepSeek for automated scanning and exploitation workflow orchestration [3]. According to reporting by The Hacker News, researchers assess the developer may have ties to the Chinese government based on interactions with Knownsec 404; that firm has been characterized by some security researchers as having connections to the Ministry of State Security, though this attribution has not been independently verified from primary sources [3]. Between January 20 and February 26, 2026, 21 unique IP addresses were identified running CyberStrikeAI, primarily hosted in China and Singapore, with additional servers in the United States, Hong Kong, Japan, and Switzerland [3]. The developer also created companion tools specifically designed to jailbreak AI safety controls, indicating deliberate effort to remove model-imposed restrictions on offensive capability generation [3].
The emergence of these two platforms within the same campaign window hints at a broader trend: AI integration appears to be moving toward a first-order design requirement in offensive tooling rather than a supplementary add-on. Unlike earlier integrations that used language models primarily as query-response interfaces within existing frameworks, platforms like CyberStrikeAI and ARXON/CHECKER2 appear to position AI orchestration as the primary control layer, with traditional security tools as subordinate components [1][3]. Whether this architectural pattern represents a durable shift or a nascent development warrants continued monitoring.
Post-Exploitation Objectives and Ransomware Staging
Once initial access was established through credential abuse, the actor’s post-exploitation activity followed a pattern consistent with ransomware staging. Full FortiGate device configurations were extracted, providing not only hashed credentials but also network topology data enabling further lateral movement [1]. AI-generated Python scripts were used to parse, decrypt, and organize this stolen configuration data [2]. Active Directory was targeted through DCSync attacks and credential harvesting, with pass-the-hash and NTLM relay techniques deployed for lateral movement and remote command execution [1].
The targeting of backup infrastructure is especially notable because it signals deliberate ransomware pre-positioning: the actor exploited CVE-2023-27532 and CVE-2024-40711 in Veeam Backup and Replication servers to harvest credentials and establish footholds in the systems most critical to organizational recovery [1]. This sequencing—network device access, credential harvesting, AD compromise, backup infrastructure targeting—aligns closely with the preparatory phases of ransomware deployment. BloodHound collection artifacts on the actor’s exposed server are consistent with systematic AD reconnaissance oriented toward enterprise-wide access, suggesting the actor was preparing for broad lateral movement [1].
The campaign was geographically and sectorally diverse, spanning South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia with no apparent industry preference based on the observed target distribution [1]. This sector-agnostic targeting is consistent with opportunistic financially motivated operations rather than targeted espionage, and suggests the actor was identifying and staging access for later monetization rather than pursuing specific intelligence objectives.
Structural Vulnerability: Management Interface Exposure
A foundational enabler of this campaign was the persistent, widespread practice of exposing FortiGate management interfaces to the internet without compensating controls. The scanning methodology required no vulnerability exploitation at the point of initial access; correctly guessing commonly reused credentials against an internet-accessible administrative interface was sufficient [1][2]. This attack surface is neither new nor obscure—Fortinet and the broader security community have repeatedly recommended against internet-facing management plane exposure—yet the campaign’s success across 600+ devices in 55 countries demonstrates that this guidance remains systematically under-implemented. AI-assisted scanning did not create this vulnerability; it automated the discovery and exploitation process at global scale, converting a latent, widespread exposure into an efficiently harvested attack surface.
Recommendations
Immediate Actions
Organizations operating FortiGate appliances should treat management interface exposure as a critical priority. Management interfaces should be disabled from internet-facing access immediately and restricted to dedicated management networks or secured jump hosts. Where such reconfiguration cannot be completed immediately, firewall rules limiting management plane access by source IP represent a temporary but important compensating control.
Multi-factor authentication must be enforced for all administrative and VPN access. MFA would have neutralized the credential-stuffing attack vector entirely for enrolled accounts, since the campaign’s initial access method depended on single-factor authentication remaining accessible. Parallel to this, organizations should audit credentials across FortiGate devices, VPN configurations, and downstream Active Directory environments for reuse, default values, and known compromised patterns.
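A configuration audit for the two recommendations above, as an added example that is not from the cited reports or from Fortinet: it parses a FortiOS configuration backup and flags management protocols allowed on WAN-role interfaces and administrator accounts lacking two-factor or trusted-host restrictions. The sample configuration is constructed, and the check assumes internet-facing interfaces are marked with role wan.

```python
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Constructed sample in FortiOS CLI backup style (not from a real device).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "mgmt"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

def parse_section(config_text, section):
    """Return {entry: {setting: [values]}} for one top-level 'config <section>' table."""
    entries, in_section, depth, current = {}, False, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if not in_section:
            in_section = line == f"config {section}"
        elif line.startswith("config "):
            depth += 1                      # nested sub-table inside an entry
        elif line == "end":
            if depth == 0:
                break                       # end of the table we were asked for
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif depth == 0 and line.startswith("set ") and current is not None:
            key, *values = line[4:].split()
            current[key] = [v.strip('"') for v in values]
    return entries

def audit(config_text):
    """List (entry, finding, detail) tuples for exposed management access and weak admins."""
    findings = []
    # Assumption: external interfaces carry 'set role wan'; else use your own list.
    for name, cfg in parse_section(config_text, "system interface").items():
        exposed = MGMT_PROTOCOLS & set(cfg.get("allowaccess", []))
        if cfg.get("role") == ["wan"] and exposed:
            findings.append((name, "mgmt-on-wan", sorted(exposed)))
    for name, cfg in parse_section(config_text, "system admin").items():
        if cfg.get("two-factor", ["disable"]) == ["disable"]:
            findings.append((name, "no-two-factor", []))
        if not any(key.startswith("trusthost") for key in cfg):
            findings.append((name, "no-trusthost", []))
    return findings
```

Calling audit(SAMPLE_CONFIG) reports wan1 for HTTPS and SSH on a WAN interface and the admin account for both missing controls; the mgmt interface and the netops account pass.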
Backup infrastructure requires immediate attention independent of the network device exposure question. Veeam instances should be patched against CVE-2023-27532 and CVE-2024-40711 and network-isolated from general enterprise access. The actor’s deliberate targeting of backup systems signals that compromise may already be oriented toward maximizing recovery disruption.
Short-Term Mitigations
Patch prioritization for CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 should proceed urgently. Organizations should confirm whether FortiCloud SSO is enabled on their devices—recognizing that FortiCare registration via the GUI silently enables it—and disable or restrict the feature where it is not required [5]. Network detection capabilities should be tuned to identify lateral movement patterns characteristic of DCSync, pass-the-hash, NTLM relay, and BloodHound collection. Given that configurations extracted from compromised devices contain hashed credentials, organizations with any reasonable suspicion of compromise should initiate full Active Directory credential rotation rather than targeted remediation.
Threat hunting activities should review historical authentication logs for anomalous administrative access, particularly from unfamiliar IP addresses or user agents consistent with automated tooling. The originating IP 212.11.64[.]250 should be blocked and reviewed in historical logs, though actors of this type routinely rotate infrastructure and should not be considered comprehensively blocked by a single IP indicator.
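One way to run the log review described above, as an added example rather than tooling from the cited reports: it parses key=value event lines and flags administrator logins from outside the management networks, successes that follow repeated failures from the same address, and any appearance of the indicator named in this note. The log lines are constructed in FortiOS style, and the field names, management network and failure threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumption: allowed admin sources
IOC_IPS = {"212.11.64[.]250"}   # indicator from this note, defanged as published
FAIL_THRESHOLD = 3              # assumption: failures from one IP before a success

# Constructed lines in FortiOS key=value event-log style (not real telemetry).
SAMPLE_LOGS = """
date=2026-01-14 time=02:11:03 type="event" subtype="system" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-01-14 time=02:11:05 type="event" subtype="system" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-01-14 time=02:11:08 type="event" subtype="system" user="fwadmin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-01-14 time=02:11:12 type="event" subtype="system" user="fwadmin" ui="https(198.51.100.7)" action="login" status="success"
date=2026-01-14 time=09:30:41 type="event" subtype="system" user="netops" ui="https(10.10.0.25)" action="login" status="success"
date=2026-01-15 time=04:02:19 type="event" subtype="system" user="admin" ui="https(212.11.64.250)" action="login" status="failed"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP = re.compile(r"\(([0-9A-Fa-f.:]+)\)")

def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def hunt(log_text):
    """Return (timestamp, source IP, user, reason) alerts for admin login events."""
    alerts, failures = [], defaultdict(int)
    iocs = {ip.replace("[.]", ".") for ip in IOC_IPS}   # refang for comparison
    for line in log_text.splitlines():
        event = parse_line(line)
        match = UI_IP.search(event.get("ui", ""))
        if event.get("action") != "login" or not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue                                    # malformed address field
        when = f'{event.get("date")} {event.get("time")}'
        user, src = event.get("user"), str(addr)
        if src in iocs:
            alerts.append((when, src, user, "known-indicator"))
        if event.get("status") != "success":
            failures[src] += 1
            continue
        if not any(addr in net for net in MGMT_NETS):
            alerts.append((when, src, user, "login-outside-mgmt-net"))
        if failures[src] >= FAIL_THRESHOLD:
            alerts.append((when, src, user, "success-after-failures"))
    return alerts
```

Failures are counted per source address across all usernames, so guessing that rotates account names from one host still trips the threshold.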
Strategic Considerations
This campaign should be assessed not as an isolated incident but as an early data point in a structural shift in attacker capability economics. The pattern—an unsophisticated operator using commercial AI services and open-source AI-integrated offensive frameworks to achieve operational scale previously requiring specialist teams—is readily reproducible. CyberStrikeAI is publicly available; the ARXON/CHECKER2 architecture, while custom-built, leverages widely available components—MCP, commercial LLM APIs, and Go-based tooling—and does not appear to require specialist expertise to adapt [1][4]. Security programs should operate on the assumption that AI has substantially lowered—potentially to near-elimination for unsophisticated actors—the technical barrier to mass credential scanning against exposed management interfaces, and recalibrate defense priorities accordingly.
Zero Trust Architecture principles, particularly the elimination of implicit trust in network-adjacent administrative access and the enforcement of continuous authentication and authorization, directly address the structural conditions this campaign exploited. Organizations should integrate CSA Zero Trust guidance into their network device management practices, treating every management session as requiring explicit, contextual verification rather than relying on network perimeter assumptions [7].
CSA Resource Alignment
This campaign engages multiple dimensions of CSA’s AI safety and cloud security research agenda.
The MAESTRO framework’s threat model for agentic AI systems is directly applicable to understanding both the ARXON orchestration layer and the CyberStrikeAI platform. MAESTRO’s analysis of how AI agents operating with persistent context and tool access create novel attack surfaces applies symmetrically to offensive deployments: the same agentic properties that make AI useful for defenders—persistent state, tool orchestration, autonomous decision-making—make it equally useful for financially motivated attackers executing multi-week campaigns [8]. CSA’s Agentic AI Red Teaming Guide provides a complementary operational lens for organizations seeking to test their own defenses against AI-orchestrated attack chains [9].
The Cloud Controls Matrix (CCM) provides actionable control mappings relevant to this campaign across several domains. Network Security (IVS-07 through IVS-09) addresses management interface exposure and network segmentation requirements. Identity and Access Management (IAM-02, IAM-09) covers MFA enforcement and privileged access management. Threat and Vulnerability Management (TVM-01 through TVM-09) encompasses the patch management and vulnerability scanning requirements implicated by the Veeam and Fortinet CVEs [10].
CSA’s AI Controls Matrix similarly surfaces relevant obligations around AI use in security-sensitive contexts, including transparency requirements for AI-generated outputs and the operational risk introduced by using commercial AI services—whose safety controls can be intentionally circumvented, as the CyberStrikeAI developer’s jailbreaking companion tools illustrate—in offensive workflows that may affect critical infrastructure [11]. CSA’s prior research note on autonomous AI offensive agents (March 8, 2026) provides additional context on the broader ecosystem of AI-native offensive tooling within which this campaign sits [12].
References
[1] Amazon Threat Intelligence, “AI-augmented threat actor accesses FortiGate devices at scale,” Amazon Web Services Security Blog, February 2026. https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
[2] The Hacker News, “AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries,” February 2026. https://thehackernews.com/2026/02/ai-assisted-threat-actor-compromises.html
[3] The Hacker News, “Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries,” March 2026. https://thehackernews.com/2026/03/open-source-cyberstrikeai-deployed-in.html
[4] Cybersecurity Dive, “AI helps novice threat actor compromise FortiGate devices in dozens of countries,” 2026. https://www.cybersecuritydive.com/news/ai-cyberattacks-fortigate-amazon/812830/
[5] Rapid7, “Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719, CVE-2026-24858 exploited in the wild,” December 2025. https://www.rapid7.com/blog/post/etr-critical-vulnerabilities-in-fortinet-cve-2025-59718-cve-2025-59719-exploited-in-the-wild/
[6] Fortinet PSIRT, “FG-IR-25-647,” FortiGuard Labs, 2025. https://fortiguard.fortinet.com/psirt/FG-IR-25-647
[7] Cloud Security Alliance, “Zero Trust Guidance for Critical Infrastructure,” CSA, 2024. https://cloudsecurityalliance.org/
[8] Cloud Security Alliance, “MAESTRO: Agentic AI Threat Modeling Framework,” CSA AI Safety Initiative, 2025. https://cloudsecurityalliance.org/
[9] Cloud Security Alliance, “Agentic AI Red Teaming Guide,” CSA, 2025. https://cloudsecurityalliance.org/
[10] Cloud Security Alliance, “Cloud Controls Matrix v4.0,” CSA, 2021. https://cloudsecurityalliance.org/research/cloud-controls-matrix/
[11] Cloud Security Alliance, “AI Controls Matrix,” CSA AI Safety Initiative, 2024. https://cloudsecurityalliance.org/
[12] Cloud Security Alliance AI Safety Initiative, “Autonomous AI Agents as Offensive Weapons: From GitHub Actions to Self-Directing Malware,” CSA Research Note (forthcoming), March 8, 2026.