How did hackers breach FortiGate firewalls?
Scale, method and the role of generative AI
An investigation recounted by Amazon detailed a rapid, high-volume campaign that compromised a large number of FortiGate firewall appliances. The attack spanned roughly five weeks and affected hundreds of devices across dozens of countries. Investigators found that the operator, described as a Russian-speaking actor, incorporated generative AI into the campaign to accelerate and scale the work.
What the campaign did
- Rapid exploitation: the attacker compromised over 600 FortiGate devices across more than 50 countries in a short window.
- Use of generative AI: AI models assisted with parts of the operation, helping to craft exploit payloads, automate reconnaissance, and generate the content needed to pivot at scale.
- Fast lateral spread: once a foothold was obtained, the attacker moved quickly to expand access and maintain persistence on affected appliances.
Why generative AI mattered
Generative models reduced the manual effort needed to iterate on exploits and scale reconnaissance and exploitation tasks. That lowered the barrier between a skilled operator and a mass‑scale campaign, allowing the attacker to target many devices in parallel and adapt tactics more quickly than in traditional campaigns.
Practical advice for defenders
- Apply vendor patches and advisories immediately, especially for perimeter devices.
- Rotate credentials and remove exposed management interfaces from the public internet.
- Harden logging and monitoring so unusual administrative activity and rapid configuration changes are detected early.
The broader takeaway is stark: offensive operators are adopting AI to increase speed and reach. Defenders must improve basic hygiene, speed up patching, and treat AI-assisted threats as a new operational reality.