Key Takeaways
- A single 'technically unsophisticated' attacker compromised 600+ FortiGate firewalls across 55 countries in 38 days using commercial LLMs (DeepSeek, Claude) via a custom MCP server—this is APT-scale scope achieved without APT resources or expertise
- ARXON, the attacker's tool, repurposed the Model Context Protocol—the same interface primitive Anthropic designed for legitimate developer productivity—as an attack orchestrator. Claude Code was configured to autonomously execute Metasploit modules without operator approval
- The AI-generated code has forensic signatures detectable now (redundant comments, naive JSON parsing, empty stubs)—but this forensic advantage has a 12-18 month window before improvements in AI code quality degrade the signal
- The attack failed against properly defended targets: the attacker abandoned operations when encountering MFA, patched systems, and network segmentation. GenAI democratizes attack scale against hygiene failures, not against hardened targets
- Three immediate actions: audit MCP server configurations in AI coding tool deployments, add AI code quality forensics to malware analysis, and prioritize hygiene (exposed management port audits, MFA enforcement) over AI-specific countermeasures
The Inflection Point, Precisely Located
Every security paradigm shift has a moment where theory becomes demonstrated reality. The FortiGate campaign disclosed February 23, 2026, by Amazon Threat Intelligence, is that moment for GenAI-enabled cyberattacks.
Prior to this disclosure, 'AI-assisted cyberattacks' meant nation-state actors using GPT-4 for reconnaissance and phishing email improvement—valuable, but incremental. The February 2026 FortiGate campaign is qualitatively different in two ways: (1) it demonstrates AI as *operational* attack infrastructure—generating working exploit code, orchestrating multi-stage lateral movement, and executing offensive tools autonomously without operator approval; (2) it achieves APT-scale campaign scope (600+ targets, 55 countries) with a single non-expert operator in 38 days.
The attacker's technical profile, per Amazon Threat Intelligence: 'otherwise technically unsophisticated.' The forensic evidence of AI-generated code is explicit—redundant function comments that restate function names, naive JSON parsing via string matching rather than proper deserialization, empty documentation stubs, edge case failures. An expert developer reviewing the tooling would immediately recognize it as AI-generated without human refinement. Yet this AI-generated tooling, operated by a non-expert, achieved what previously required a well-resourced development team.
The ARXON Architecture: AI as Attack Infrastructure
The technical mechanism reveals the specific threat model: ARXON is a custom Model Context Protocol (MCP) server that feeds reconnaissance data from compromised FortiGate devices to commercial LLMs—confirmed as DeepSeek and Anthropic Claude—to generate structured attack plans. These plans include domain admin escalation paths, credential search locations, lateral movement recommendations, and step-by-step exploitation guidance. Claude Code was configured in some instances to autonomously execute offensive tools including Impacket scripts, Metasploit modules, and hashcat without requiring the attacker's approval for each command.
The significance of MCP as the attack vector is not incidental. MCP (Model Context Protocol) is the same technical interface that Anthropic designed to enable Claude Code to integrate with developer tools, file systems, and APIs. The attacker repurposed a legitimate agentic infrastructure protocol for offensive operations. This creates an uncomfortable design tension: the same interface primitives that make AI assistants powerful (real-time context from external systems, autonomous tool execution) are the primitives that make ARXON possible. There is no MCP vulnerability to patch—the attacker used MCP exactly as designed, but for adversarial objectives.
The Three-Role Trap: Attack Tool, Attack Target, Defensive Necessity
The FortiGate campaign does not exist in isolation: it was disclosed in the same week as Anthropic's disclosure of Chinese lab distillation attacks on safety alignment. Taken together, the two disclosures reveal AI in a three-role trap:
AI as Attack Tool: The FortiGate campaign. A non-expert uses commercial LLMs to generate operational exploit tooling, plan lateral movement, and execute attacks at scale. Claude Code executes Metasploit modules. DeepSeek generates payload variants. The attack tool is the same AI assistant sold for developer productivity.
AI as Attack Target: The distillation campaign. Chinese labs systematically extract safety alignment IP from Anthropic's reward model through structured API queries designed to elicit safety-stripped capability. The attack target is the AI model itself—specifically, its safety alignment training, which the attacker treats as extractable intellectual property.
AI as Defensive Necessity: The third role is implicit but critical. An AI-generated attack campaign deploying custom-built exploit tools across 600 targets in 55 countries in 38 days cannot be detected and responded to at human speed. Defenders must deploy AI-assisted threat detection and response to match the volume and velocity of AI-augmented attackers. The arms race is recursive: AI defends against AI attacks enabled by AI tools.
The Scale-to-Effort Ratio Is the Threat Model
Amazon CISO CJ Moses framed the key insight: 'a single actor or very small group generated this entire toolkit through AI-assisted development'. The threat model is not that AI enables more sophisticated attacks—the FortiGate tooling failed under edge cases, and the attacker abandoned operations when facing basic defensive controls. The threat model is that AI enables *scale* without expertise.
600 firewalls across 55 countries is an APT-scale campaign. The FortiGate attacker did not need APT resources, APT training, or APT infrastructure. They needed: commercial access to DeepSeek and Claude, the technical knowledge to build an MCP server (a moderately complex but well-documented task), and 38 days. The attack vector—exposed management ports and weak single-factor authentication—is basic security hygiene failure that has existed for years. AI did not find a new vulnerability; it amplified an attacker's ability to scan for and exploit *existing* vulnerabilities at scale.
This is the threat model that defenders must internalize: GenAI democratizes attack *scale*, not attack *sophistication*. Well-resourced defenders with proper hygiene (MFA, patched systems, network segmentation, backup hardening) are effectively protected against AI-amplified attacks that succeed through volume rather than depth. The organizations at risk are those with security hygiene failures—and AI dramatically lowers the cost for attackers to find and exploit them.
AI-Generated Code Has Forensic Signatures—For Now
AI-generated malware carries identifiable patterns: redundant comments, naive parsing, empty stubs, and edge case failures. Threat intelligence now includes 'AI development quality' as an attribution signal. Security vendors (Palo Alto, CrowdStrike, SentinelOne) have a 12-18 month window to build AI-generated malware fingerprinting as a product capability before AI code quality improvements degrade this detection signal.
This window is real and finite. As AI-generated code quality improves and expert-guided AI coding becomes standard, the forensic advantage narrows. Build AI malware fingerprinting into threat intelligence workflows now while the signal is clear.
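The signatures named above can be turned into a first-pass triage check. This added example (not code from the campaign or from any vendor) scores Python source for three of them using the standard `ast` module; the sample input, function names and signal labels are constructed for illustration.

```python
import ast
import re

# Constructed sample showing the traits listed above; not recovered tooling.
SAMPLE = '''
def parse_response(data):
    # Parse response
    start = data.find('"token":"') + 9
    return data[start:data.find('"', start)]

def get_hosts(path):
    """TODO"""
    pass

def normalise_name(name):
    # Strip the domain suffix so names compare equal across forests
    return name.split(".")[0].lower()
'''

def _words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower().replace("_", " ")))

def _is_docstring(stmt):
    return isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Constant)

def _json_by_substring(call):
    # .find/.index/.split called with a literal that looks like a JSON key ('"key":')
    return (isinstance(call.func, ast.Attribute)
            and call.func.attr in {"find", "index", "split"}
            and any(isinstance(a, ast.Constant) and isinstance(a.value, str)
                    and '":' in a.value for a in call.args))

def score_source(source):
    """Return {function_name: [signals]}; heuristics only, for analyst triage."""
    lines, findings = source.splitlines(), {}
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        signals = []
        comments = (re.match(r"\s*#\s*(.+)", l) for l in lines[fn.lineno - 1:fn.end_lineno])
        if any(m and _words(m.group(1)) and _words(m.group(1)) <= _words(fn.name)
               for m in comments):
            signals.append("redundant-comment")  # comment only restates the name
        if all(isinstance(s, ast.Pass) for s in fn.body if not _is_docstring(s)):
            signals.append("empty-stub")  # nothing but a docstring and/or pass
        if any(isinstance(n, ast.Call) and _json_by_substring(n) for n in ast.walk(fn)):
            signals.append("string-matched-json")
        if signals:
            findings[fn.name] = signals
    return findings
```

Any single signal is weak on its own; the value for attribution comes from several of them clustering across one toolkit.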
Contrarian: This Is a Security Hygiene Story, Not an AI Story
The most uncomfortable truth about the FortiGate campaign is that 600 firewalls had exposed management ports and weak single-factor authentication in 2026. The attacker did not overcome good security—they overwhelmed negligent security at scale. If the FortiGate campaign had used automated scanning scripts rather than AI-generated tooling, the outcome might have been similar—just slower. AI's contribution was operational *velocity* and *tooling variety*, not capability to penetrate hardened targets.
The correct defensive response is to fix the hygiene failures, not to fight AI with more AI. Security teams reading this disclosure may focus on AI threat models while their own FortiGate management ports remain internet-exposed. Fix the exposed ports first.
What This Means for Practitioners
Security teams must take three immediate actions based on the FortiGate disclosure:
- Audit MCP server configurations in any AI coding assistant deployment (Claude Code, Cursor, GitHub Copilot Workspace)—ARXON-style repurposing is a documented threat pattern. Review what tools and data sources are accessible via MCP in your AI developer tooling. Treat MCP server scope as an attack surface, not just a configuration choice.
- Add AI code quality forensics to malware analysis workflows—redundant comments, naive parsing, empty stubs, and edge case failures are current AI-generated code signatures. Train your threat intelligence team to recognize them before the signal degrades in 12-18 months.
- Prioritize basic hygiene over AI threat countermeasures—exposed management port audits, MFA enforcement, backup hardening, and network segmentation stop the FortiGate attack pattern. The attacker abandoned operations at properly defended targets. Fix the hygiene failures first.
For AI developers: the FortiGate campaign will accelerate regulatory pressure on agentic AI tool safety controls. Expect scrutiny of Claude Code, Cursor, and similar tools that enable autonomous execution of system commands. Build explicit scope constraints and approval gates into your agentic AI tool configurations—even if the current workflow benefits from broad tool access, the regulatory pressure post-FortiGate will push toward narrower default permissions.
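One way to script the MCP scope audit and approval-gate review described above, added here and not taken from any vendor's tooling. The key names (`mcpServers`, `permissions.allow`, `defaultMode`) are assumptions modeled on Claude Code style configuration files, and the server names, paths and URL are constructed; adapt the rules to the tool you deploy.

```python
import json
import os
from urllib.parse import urlparse

# Constructed inputs; key names are assumptions (see lead-in), values are made up.
MCP_JSON = json.loads('''{
  "mcpServers": {
    "files":   {"command": "npx", "args": ["-y", "fs-server", "/"]},
    "shell":   {"command": "/bin/bash", "args": ["-c", "run-tools"]},
    "tracker": {"url": "https://mcp.example.net/sse"},
    "docs":    {"command": "docs-server", "args": ["/srv/project/docs"]}
  }
}''')
SETTINGS = json.loads('''{
  "permissions": {"defaultMode": "bypassPermissions",
                  "allow": ["Bash", "mcp__files", "mcp__docs__search"]}
}''')

SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell", "pwsh"}
BROAD_ROOTS = {"/", "~", "C:\\"}
LOCAL = {"localhost", "127.0.0.1", "::1"}

def audit(mcp_cfg, settings):
    """Return (subject, finding) pairs for over-broad MCP scope and missing gates."""
    findings = []
    for name, srv in mcp_cfg.get("mcpServers", {}).items():
        if os.path.basename(srv.get("command", "")) in SHELLS:
            findings.append((name, "shell-wrapper"))          # arbitrary command execution
        if BROAD_ROOTS & set(srv.get("args", [])):
            findings.append((name, "broad-filesystem-root"))  # whole disk or home exposed
        host = urlparse(srv.get("url", "")).hostname
        if host and host not in LOCAL:
            findings.append((name, "remote-server"))          # context leaves the machine
    perms = settings.get("permissions", {})
    if perms.get("defaultMode") == "bypassPermissions":
        findings.append(("settings", "approval-gate-disabled"))
    for rule in perms.get("allow", []):
        # "Bash" with no (pattern), or "mcp__server" with no tool suffix, is a blanket grant
        if rule == "Bash" or (rule.startswith("mcp__") and rule.count("__") == 1):
            findings.append(("settings", "blanket-allow:" + rule))
    return findings
```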
Figure: FortiGate AI-Assisted Campaign: Scope and Efficiency. Scale metrics of the first documented GenAI-powered large-scale cyberattack campaign. Source: Amazon Threat Intelligence / AWS Security Blog, Feb 23, 2026
Figure: GenAI as Cyberattack Tool: Escalation Timeline. The progression from AI-assisted research to AI as operational attack infrastructure, in order:
- First major disclosure of nation-state actors using commercial LLMs for reconnaissance and phishing—AI as attack planning assistant
- Russian-speaking actor deploys ARXON MCP server to feed recon data to DeepSeek/Claude for operational attack planning and execution
- 600+ firewalls compromised across 55 countries; Claude Code executing Metasploit modules autonomously
- AWS Security Blog publishes full campaign details; establishes AI as operational attack infrastructure as a documented threat model
Source: Microsoft Security Blog 2024; AWS Security Blog, BleepingComputer Feb 2026