Full Report
The threat actor behind the recently disclosed artificial intelligence (AI)-assisted campaign targeting Fortinet FortiGate appliances leveraged an open-source, AI-native security testing platform called CyberStrikeAI to execute the attacks. The new findings come from Team Cymru, which detected its use following an analysis of the IP address ("212.11.64[.]250") that was used by the suspected
Analysis Summary
# Incident Report: AI-Assisted Mass Compromise of FortiGate Appliances
## Executive Summary
A suspected Russian-speaking threat actor leveraged **CyberStrikeAI**, an open-source AI-native offensive security platform, to conduct an automated mass-exploitation campaign against Fortinet FortiGate appliances. The campaign utilized generative AI services (Anthropic Claude and DeepSeek) to automate attack chains, resulting in the compromise of over 600 devices across 55 countries. The tool used in the attack is linked to a China-based developer with reported ties to the Chinese Ministry of State Security (MSS) and state-aligned cyber contractors.
## Incident Details
- **Discovery Date:** February 2026 (Initially reported by Amazon Threat Intelligence)
- **Incident Date:** Activity observed between January 20 and February 26, 2026
- **Affected Organization:** Over 600 compromised FortiGate appliances
- **Sector:** Multi-sector (Global targeting)
- **Geography:** 55 countries; CyberStrikeAI infrastructure primarily hosted in China, Singapore, Hong Kong, USA, Japan, and Switzerland.
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing approximately January 20, 2026.
- **Vector:** Automated mass-scanning for known and zero-day vulnerabilities in FortiGate appliances.
- **Details:** The threat actor used the IP `212.11.64[.]250` to scan for vulnerable devices and utilized CyberStrikeAI to automate the exploitation process through LLM-driven attack chains.
### Lateral Movement
- **Details:** The CyberStrikeAI platform integrates over 100 security tools specifically designed for attack-chain analysis and automated movement through compromised environments.
### Data Exfiltration/Impact
- **Details:** Compromise of internal appliance configurations and potential unauthorized access to the networks protected by the 600+ affected FortiGate devices.
### Detection & Response
- **How it was discovered:** Detected by Team Cymru and Amazon Threat Intelligence through traffic analysis and monitoring of GenAI API usage (Anthropic/DeepSeek) for malicious purposes.
- **Response actions taken:** Attribution of the source code to the developer "Ed1s0nZ" and identification of 21 unique IP addresses running the malicious AI platform.
## Attack Methodology
- **Initial Access:** Automated vulnerability scanning and mass exploitation via AI-integrated scanners.
- **Persistence:** Not explicitly detailed in the brief, but likely involved standard appliance firm-ware level persistence or credential theft.
- **Privilege Escalation:** Use of toolsets like *PrivHunterAI* and *InfiltrateX* (developed by the same author) which use DeepSeek/GPT models to find escalation paths.
- **Defense Evasion:** Use of AI services to generate polymorphic or novel exploit code; CyberStrikeAI visualizes results to help attackers bypass security controls.
- **Credential Access:** Automated extraction of credentials from compromised appliances.
- **Discovery:** CyberStrikeAI provides automated "Knowledge Retrieval" and vulnerability discovery.
- **Lateral Movement:** AI-powered attack-chain analysis to determine the next steps in a network.
- **Collection:** Mention of tools like *VigilantEye* to monitor for sensitive data (ID cards, phone numbers).
- **Exfiltration:** Use of automated tools to relay stolen data back to attacker-controlled servers.
- **Impact:** Systemic compromise of critical network infrastructure at scale.
## Impact Assessment
- **Financial:** High remediation costs for 600+ organizations.
- **Data Breach:** Exposure of network configurations and potential downstream data theft.
- **Operational:** Disruption of secure perimeter defenses in 55 countries.
- **Reputational:** Significant brand damage to affected organizations and scrutiny of AI safety guardrails for providers like Anthropic and DeepSeek.
## Indicators of Compromise
- **Network Indicators:** `212.11.64[.]250` (Scanning/Command & Control)
- **File/Tools:** CyberStrikeAI (Golang-based), PrivHunterAI, banana_blackmail.
- **Behavioral Indicators:** High-frequency API calls to GenAI providers (Anthropic Claude, DeepSeek) with prompts related to exploit development; automated scanning patterns originating from VPS providers in Hong Kong/Singapore.
## Response Actions
- **Containment:** Blocked the identified C2 IP addresses.
- **Eradication:** Revocation of compromised credentials and patching of Fortinet appliances.
- **Recovery:** Restoration of appliance firmware to known-good states.
## Lessons Learned
- **Key Takeaways:** Offensive AI is no longer theoretical; attackers are using GenAI to lower the barrier for executing complex, multi-stage attack chains at scale.
- **Gap Analysis:** Security tools failed to distinguish between legitimate AI-assisted security testing and malicious AI-driven exploitation in real-time.
## Recommendations
- **Prevention:** Implement strict egress filtering on appliances; monitor for unusual API traffic to AI providers; prioritize patching of edge networking equipment.
- **AI Safety:** AI service providers should implement more robust "jailbreak" detection to prevent models from being used to generate exploit code for known CVEs.