AI-Assisted Threat Actor Compromises Over 600 FortiGate Devices Across 55 Countries

Amazon Threat Intelligence has reported a sophisticated cyber campaign in which a Russian-speaking, financially motivated threat actor leveraged commercial generative AI tools to compromise over 600 FortiGate devices in 55 countries. The activity, observed between January 11 and February 18, 2026, demonstrates how AI is increasingly lowering the barrier to entry for cybercriminals with limited technical expertise.

Attack Methodology

CJ Moses, CISO of Amazon Integrated Security, explained that no zero-day exploits were used. Instead, the actor exploited exposed FortiGate management interfaces and weak single-factor credentials. AI tools were employed to automate multiple attack phases, including:

  • Tool development in Python and Go
  • Attack planning and pivoting within compromised networks
  • Generation of commands for post-exploitation activities

The actor used at least two commercial AI services: a primary tool for most operational tasks and a secondary fallback tool for network pivoting.

Compromised Infrastructure and Data Theft

The attacks began with systematic scanning of FortiGate devices on ports 443, 8443, 10443, and 4443, ports commonly used for FortiGate HTTPS administration and the SSL-VPN portal. Using weak and commonly reused credentials, the threat actor logged in to management interfaces, extracted full device configurations, and harvested sensitive information such as:

  • Administrative and SSL-VPN credentials
  • Network topology and routing information
  • Firewall policies and internal device settings

The stolen data enabled deeper penetration into victim networks: internal reconnaissance with the Nuclei vulnerability scanner, Active Directory compromise, lateral movement, and targeting of backup infrastructure, the typical preparatory steps for ransomware deployment.

Compromised clusters were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. Scanning activity originated from IP address 212.11.64[.]250.
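
As an added illustration of the detection side of this activity (this is not Amazon's analysis tooling and not Fortinet code), the following Python script parses FortiOS-style administrator login events and flags the three things the campaign produced on a victim device: login attempts from the scanning IP named above, successful administrator logins from outside a trusted management range, and password-guessing bursts. The log lines are constructed in the FortiOS key=value event style; the trusted range, the threshold and the exact logdesc wording are assumptions to be replaced with your own values.

```python
"""Flag suspicious administrator logins in FortiOS-style event logs.

Added example for the campaign described above; not Amazon's tooling and not
code from Fortinet. The sample lines are constructed to mimic the FortiOS
key=value event format (type=event, subtype=system, action=login). Field names
follow FortiOS conventions, but the exact logdesc wording is an assumption:
validate against your own device's logs before deploying.
"""
import ipaddress
import re
from collections import Counter

# Scanning source reported by Amazon Threat Intelligence for this campaign.
REPORTED_SCANNER_IPS = {"212.11.64.250"}

# Hypothetical trusted management networks: the only sources that should ever
# reach the admin UI or SSH. Replace with your own ranges.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

FAILED_LOGIN_THRESHOLD = 5  # failures from one source before we call it guessing

# FortiOS log lines are space-separated key=value pairs; values may be quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_line(line: str) -> dict:
    """Split one FortiOS log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def is_trusted(ip: str) -> bool:
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyze_admin_logins(lines):
    """Return findings for admin login events under three rules (see comments)."""
    findings = []
    failures = Counter()
    flagged_scanners = set()
    for raw in lines:
        rec = parse_fortios_line(raw)
        # Only administrator login events are relevant; traffic logs are skipped.
        if rec.get("type") != "event" or rec.get("action") != "login":
            continue
        src = rec.get("srcip", "")
        user = rec.get("user", "")
        # Rule 1: any login attempt from the scanning IP named in the report.
        if src in REPORTED_SCANNER_IPS and src not in flagged_scanners:
            flagged_scanners.add(src)
            findings.append({"rule": "known_scanner", "srcip": src, "user": user})
        if rec.get("status") == "failed":
            failures[src] += 1
        elif rec.get("status") == "success" and not is_trusted(src):
            # Rule 2: successful admin login from outside trusted nets. This is
            # the exposed-interface-plus-weak-credential path the campaign used.
            findings.append({"rule": "untrusted_admin_login", "srcip": src, "user": user})
    # Rule 3: repeated failures from one source look like password guessing.
    for src, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "password_guessing", "srcip": src, "count": count})
    return findings


# Constructed sample: five failed guesses then a success from the reported
# scanner, one legitimate login from a trusted net, one untrusted success,
# and a traffic log line that must be ignored.
_ATTEMPT = ('date=2026-01-15 time=03:12:{sec:02d} type="event" subtype="system" '
            'level="alert" logdesc="Admin login {desc}" user="{user}" '
            'ui="https({src})" method="https" srcip={src} dstip=198.51.100.7 '
            'action="login" status="{status}"')
SAMPLE_LOGS = [
    _ATTEMPT.format(sec=s, desc="failed", user="admin", src="212.11.64.250", status="failed")
    for s in range(5)
] + [
    _ATTEMPT.format(sec=9, desc="successful", user="admin", src="212.11.64.250", status="success"),
    _ATTEMPT.format(sec=30, desc="successful", user="netops", src="10.20.30.40", status="success"),
    _ATTEMPT.format(sec=41, desc="successful", user="vpnadmin", src="203.0.113.9", status="success"),
    'date=2026-01-15 time=03:13:00 type="traffic" subtype="forward" srcip=203.0.113.9 '
    'dstip=198.51.100.7 dstport=10443 action="accept"',
]

if __name__ == "__main__":
    for finding in analyze_admin_logins(SAMPLE_LOGS):
        print(finding)
```

Run against the sample, the script reports the scanner IP once, a password-guessing burst of five failures from it, and two untrusted successful logins (one of them the scanner's). The "untrusted_admin_login" rule is the one worth alerting on in production: a successful administrator login from an address outside your management range is exactly what this campaign looked like on the device itself, and it does not depend on knowing the attacker's infrastructure in advance.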

AI-Assisted Tooling Analysis

Amazon’s investigation found that custom reconnaissance tools written in Go and Python contained indicators of AI-assisted development:

  • Redundant comments restating function names
  • Simplistic architecture emphasizing formatting over functionality
  • Naive JSON parsing using string matching instead of proper deserialization
  • Compatibility shims with empty documentation stubs

While functional for automated attacks, the tools failed in hardened environments or against patched systems, prompting the actor to abandon difficult targets in favor of easier ones.

Post-Reconnaissance Activities

Following network compromise, the threat actor executed:

  • Domain compromise via DCSync attacks
  • Lateral movement through pass-the-hash, pass-the-ticket, and NTLM relay attacks
  • Targeting Veeam Backup & Replication servers for credential harvesting and exploitation of known vulnerabilities, e.g. CVE-2023-27532 (unauthenticated credential disclosure via the Veeam Backup Service) and CVE-2024-40711 (unauthenticated deserialization leading to remote code execution)

The actor repeatedly encountered failures when attempting complex exploits beyond straightforward automated paths, highlighting reliance on AI to bridge technical skill gaps.

Recommendations for FortiGate Administrators

Amazon emphasizes the following defensive measures:

  • Avoid exposing management interfaces to the internet
  • Change default and common credentials
  • Rotate SSL-VPN user credentials regularly
  • Enable multi-factor authentication for administrative and VPN access
  • Audit for unauthorized accounts or connections
  • Isolate backup servers from general network access
  • Keep all software updated
  • Continuously monitor for unintended network exposure
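
One way to check a FortiGate configuration export against the recommendations above, as an added example rather than guidance from Fortinet or Amazon: the script below parses FortiOS CLI-style configuration and reports management access enabled on a WAN-role interface, administrators without a trusthost restriction (or with only the 0.0.0.0 catch-all), and administrators without two-factor authentication. Both configurations are constructed, one showing the exposure pattern described in the report and the other the corrected settings. The keywords (allowaccess, role, trusthostN, two-factor) are FortiOS's, but confirm them against the CLI reference for your FortiOS version.

```python
"""Audit a FortiOS configuration export for the exposure pattern in the report.

Added example; not code from Amazon or Fortinet. The parser handles the FortiOS
CLI layout (config / edit / set / next / end). The weak and hardened configs
are constructed. allowaccess, role, trusthostN and two-factor are FortiOS
keywords; check the CLI reference for your version before relying on them.
"""
import shlex

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios_config(text: str) -> dict:
    """Parse a FortiOS config dump into {section: {entry: {key: [values]}}}.

    Only 'set' lines inside 'edit' entries of top-level sections are kept;
    nested 'config' blocks inside an entry are tracked for depth and skipped.
    """
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            stack.append(" ".join(args))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif keyword == "edit" and len(stack) == 1:
            entry = sections[stack[0]].setdefault(args[0], {})
        elif keyword == "set" and len(stack) == 1 and entry is not None:
            entry[args[0]] = args[1:]
        elif keyword == "next" and len(stack) == 1:
            entry = None
        elif keyword == "end":
            stack.pop()
    return sections


def trusthost_unrestricted(admin: dict) -> bool:
    """True if the admin has no trusthost, or only the 0.0.0.0 0.0.0.0 catch-all."""
    hosts = [v for k, v in admin.items() if k.startswith("trusthost")]
    return not hosts or all(v[:2] == ["0.0.0.0", "0.0.0.0"] for v in hosts)


def audit_config(sections: dict) -> list:
    """Return findings for the three weaknesses the campaign relied on."""
    findings = []
    for name, intf in sections.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(intf.get("allowaccess", []))
        if "wan" in intf.get("role", []) and exposed:
            findings.append(f"interface {name}: {'/'.join(sorted(exposed))} admin access on a WAN-role interface")
    for name, admin in sections.get("system admin", {}).items():
        if trusthost_unrestricted(admin):
            findings.append(f"admin {name}: no trusthost restriction, reachable from any source")
        if admin.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor authentication not enabled")
    return findings


# Constructed: the exposed pattern described in the report.
WEAK_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC redacted
    next
end
"""

# Constructed: same device with management off the WAN, a trusthost and MFA.
HARDENED_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
    next
    edit "mgmt"
        set allowaccess https ssh
        set role lan
    next
end
config system admin
    edit "secops-admin"
        set trusthost1 10.20.0.0 255.255.0.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC redacted
    next
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(parse_fortios_config(cfg)) or ["no findings"])
```

Feed it the output of `show full-configuration` from the device. The weak sample yields three findings (HTTPS/SSH on wan1, an unrestricted admin, no MFA) and the hardened sample none. Note what the audit cannot see: passwords appear only as ENC blobs, so weak or reused credentials are not detectable from the configuration, and rotating them remains a separate task.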

CJ Moses warned that AI-augmented attacks are expected to increase in 2026. Organizations should rely on strong security fundamentals such as patch management, credential hygiene, network segmentation, and robust monitoring for post-exploitation indicators.
