Amazon Says AI Assisted Hacker Breached 600 Fortinet Firewalls in Five Weeks

Amazon has reported a global hacking campaign in which a Russian-speaking threat actor leveraged generative AI tools to breach more than 600 Fortinet FortiGate firewalls in 55 countries over five weeks. The attacks, carried out between January 11 and February 18, 2026, relied on weak credentials and exposed management interfaces rather than zero-day exploits, highlighting a growing trend of AI-assisted cyber operations.

AI-Powered Attacks on FortiGate Devices

According to a report by CJ Moses, the attacker scanned FortiGate management interfaces exposed on the internet via ports 443, 8443, 10443, and 4443. Using brute-force attacks and common passwords, the actor gained access to devices opportunistically, rather than targeting specific industries.
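The opportunistic guessing described above leaves a recognisable trail on the firewall itself: a burst of failed administrator logins from one source, often across several usernames, followed by a success. The following is an added example, not code from Amazon's report or from the actor's tooling, that runs that detection over a handful of constructed FortiGate-style event log lines. The sample lines follow the FortiOS key=value event-log layout; the logid values (0100032002 for a failed admin login, 0100032001 for a successful one) and the field names are assumptions about that format and should be checked against your own syslog or FortiAnalyzer feed before the thresholds are trusted.

```python
"""Flag password guessing against FortiGate admin logins and the success that follows it.

Added example, not code from Amazon's report. SAMPLE_LOGS is constructed in the FortiOS
key=value event-log style; the logid values and field names are assumptions about that format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one internet source guessing admin names/passwords, one normal internal
# login, one low-volume source, and a config-change event that must be ignored.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:05 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:09 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:13 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="name_invalid"
date=2026-01-12 time=03:14:17 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="administrator" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="name_invalid"
date=2026-01-12 time=03:14:20 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(192.0.2.44)" srcip=192.0.2.44 dstip=10.0.0.1 action="login" status="success" reason="none"
date=2026-01-12 time=03:14:22 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:31 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.99)" srcip=203.0.113.99 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:40 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="success" reason="none"
date=2026-01-12 time=03:15:02 logid="0100044546" type="event" subtype="system" level="information" logdesc="Attribute configured" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="Edit" cfgpath="system.admin"
"""

# key=value pairs; values are either double-quoted or a bare run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOGIN_EVENTS = {"Admin login failed", "Admin login successful"}


def parse_line(line):
    """Turn one FortiOS-style log line into a dict, adding a parsed 'ts' datetime."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts: one 'brute_force' per source that reaches `threshold` failed admin
    logins inside `window`, and one 'success_after_failures' for every successful admin
    login from a source that was failing shortly before (the likely compromise)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    failures = defaultdict(list)   # srcip -> timestamps of recent failed logins
    tried = defaultdict(set)       # srcip -> usernames attempted
    alerts = []
    for ev in events:
        if ev.get("logdesc") not in LOGIN_EVENTS:
            continue               # config changes, VPN events, etc. are not login attempts
        src = ev["srcip"]
        recent = [t for t in failures[src] if ev["ts"] - t <= window]   # drop stale failures
        failures[src] = recent
        if ev["status"] == "failed":
            recent.append(ev["ts"])
            tried[src].add(ev["user"])
            if len(recent) == threshold:   # fire once, when the threshold is crossed
                alerts.append({"kind": "brute_force", "srcip": src, "count": len(recent),
                               "users": sorted(tried[src]), "last": ev["ts"]})
        elif recent:                       # a success right after guessing: treat as compromised
            alerts.append({"kind": "success_after_failures", "srcip": src, "user": ev["user"],
                           "prior_failures": len(recent), "at": ev["ts"]})
            failures[src] = []
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input the first alert fires when 198.51.100.7 reaches five failures (having tried admin, fortinet and administrator), and the second fires on the successful admin login from that same source 18 seconds later; the single failure from 203.0.113.99 and the clean internal login from 192.0.2.44 produce nothing. In production the success alert is the one to page on, because by then the configuration file, and every credential inside it, should be assumed taken.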

Once inside, the attacker exfiltrated the devices' configuration files, which contained:

  • SSL-VPN user credentials with recoverable passwords
  • Administrative credentials
  • Firewall policies and internal network architecture
  • IPsec VPN configurations
  • Network topology and routing information

A FortiGate configuration stores local-user and other secrets in a reversible encrypted form, so anyone holding the file can recover them. The actor parsed and decrypted the stolen configurations with AI-assisted Python and Go tools. Analysis of the code revealed characteristics of AI-generated scripts, including redundant comments, simplistic architecture, naive JSON parsing, and incomplete documentation.

Automation and Reconnaissance

After gaining VPN access to victim networks, the actor deployed custom reconnaissance tools to:

  • Map network routing tables
  • Classify networks by size
  • Perform port scans using the open-source Gogo scanner
  • Identify SMB hosts and domain controllers
  • Use Nuclei to enumerate HTTP services

While functional, the tools often failed against hardened environments. Operational notes written in Russian also detailed the use of Meterpreter and Mimikatz for DCSync attacks, which abuse domain replication privileges to pull NTLM password hashes from a domain controller without having to copy the Active Directory database itself.

Targeting Backup Infrastructure

The campaign specifically focused on Veeam Backup & Replication servers. Using custom PowerShell scripts, compiled credential-extraction tools, and attempted exploitation of Veeam vulnerabilities, the actor sought to compromise backups before deploying ransomware. One server hosted a script named DecryptVeeamPasswords.ps1 aimed at harvesting backup application credentials.

The attacker also attempted to exploit multiple known vulnerabilities including CVE-2019-7192 (QNAP RCE), CVE-2023-27532 (Veeam information disclosure), and CVE-2024-40711 (Veeam RCE). When systems were patched or hardened, the actor shifted to easier targets.

AI Amplifying Low-Skill Actors

Amazon researchers concluded that the attacker possessed low-to-medium technical skill, but AI significantly amplified their capabilities. The actor reportedly used at least two large language model services to:

  • Generate step-by-step attack strategies
  • Develop custom scripts in multiple programming languages
  • Build reconnaissance frameworks
  • Plan lateral movement and network propagation
  • Draft operational documentation

In one case, the attacker provided a full internal network topology—including IP addresses, hostnames, credentials, and services—to an AI service to assist in further lateral movement. This illustrates how AI lowers the barrier to entry for complex cyberattacks.

Recommendations for FortiGate Administrators

Amazon advises that FortiGate administrators should:

  • Avoid exposing management interfaces to the internet; restrict administrative access to trusted source addresses and keep it off WAN-facing ports (the campaign scanned 443, 8443, 10443, and 4443)
  • Enable multi-factor authentication (MFA) for administrator and SSL-VPN accounts
  • Ensure VPN credentials differ from Active Directory passwords, so a password recovered from a stolen configuration does not double as a domain login
  • Harden backup infrastructure against targeted attacks: patch Veeam servers, isolate them from general user networks, and do not reuse domain admin credentials for backup services
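Most of these recommendations, and most of what the actor harvested from the stolen configurations, can be checked directly against a FortiGate configuration backup. The following is an added example, not code from Amazon's report or from Fortinet, that parses a constructed fragment in FortiOS CLI syntax and reports admin accounts without trusted-host restrictions or two-factor authentication, management services enabled on a WAN-role interface, and local SSL-VPN users whose passwords are stored in reversible ENC form (the "recoverable passwords" above). The keywords used (trusthost1, two-factor, allowaccess, role, passwd ENC) are real FortiOS settings, but the sample values are invented and the checks should be verified against your own firmware's syntax.

```python
"""Audit a FortiGate configuration backup for the weaknesses this campaign relied on.

Added example, not code from Amazon's report or from Fortinet. SAMPLE_CONFIG is a constructed
fragment in FortiOS CLI syntax with invented names and ENC strings.
"""
import shlex

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC SH2X9aQm7cAbC1dEf==
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set password ENC SH2P4ssw0rdZz9kLm==
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config user local
    edit "jdoe"
        set type password
        set two-factor disable
        set passwd ENC SH2Qr8tYu1vWxYz==
    next
    edit "asmith"
        set type ldap
        set ldap-server "corp-ad"
    next
end
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
end
"""

MGMT_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Parse FortiOS CLI config into {section: {entry or '_': {key: [values]}}}.
    Settings in a block without 'edit' entries land under '_'. Nested sub-blocks are keyed by
    their own name, which is enough for the top-level sections audited here."""
    tree, stack, entry = {}, [], None
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append((" ".join(args), entry))   # remember the enclosing entry, if any
            entry = None
            tree.setdefault(stack[-1][0], {})
        elif cmd == "edit":
            entry = args[0]
            tree[stack[-1][0]].setdefault(entry, {})
        elif cmd == "set":
            tree[stack[-1][0]].setdefault(entry or "_", {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            _, entry = stack.pop()
    return tree


def audit(tree):
    """Return (severity, message) findings for the weaknesses Amazon's recommendations target."""
    findings = []
    for name, cfg in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in cfg):
            findings.append(("high", f"admin '{name}' has no trusthost restriction"))
        if cfg.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("high", f"admin '{name}' has no two-factor authentication"))
    for name, cfg in tree.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(cfg.get("allowaccess", []))
        if cfg.get("role", [""])[0] == "wan" and exposed:
            findings.append(("critical", f"interface '{name}' (role wan) allows management: {sorted(exposed)}"))
    for name, cfg in tree.get("user local", {}).items():
        if cfg.get("type", [""])[0] != "password":
            continue   # LDAP/RADIUS users carry no local password; MFA is the server's job
        if cfg.get("passwd", [""])[0] == "ENC":
            findings.append(("medium", f"local user '{name}' has a reversibly encrypted password; a leaked config exposes it"))
        if cfg.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("medium", f"local user '{name}' has no two-factor authentication"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

On the sample the properly configured "admin" account is silent, while "backup-admin" (no trusted hosts, no MFA), "wan1" (HTTPS and SSH reachable from the internet) and "jdoe" (reversible password, no MFA) each produce findings; the LDAP-backed "asmith" is left to the directory's own controls. Run against a real backup, the same script doubles as a damage assessment if that backup has been stolen: every local user it lists should be treated as a compromised credential.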

Google has similarly reported abuse of AI tools, including Gemini AI, to assist threat actors across multiple attack stages, aligning with Amazon’s findings.




Found this article interesting? Follow us on  X (Twitter) FacebookBlue sky and LinkedIn to read more exclusive content we post.