AI-Enhanced Hacker Compromises 600 Fortinet Firewalls in Just 5 Weeks


This article has been updated to include additional technical insights into the hacking campaign.

Amazon’s latest security advisory reports that a Russian-speaking hacker ran a campaign built on generative AI services and breached over 600 FortiGate firewalls across 55 countries in five weeks. The incident raises serious questions about how widely deployed security appliances are exposed and administered.

The report, authored by CJ Moses, Chief Information Security Officer at Amazon Integrated Security, states that the activity took place between January 11 and February 18, 2026. Notably, the attack did not exploit any known vulnerability in Fortinet firewalls; it targeted management interfaces exposed to the internet and guessed weak passwords on accounts that lacked multi-factor authentication (MFA).

Moses elaborates that the attacked firewalls were scattered across diverse regions including South Asia, Latin America, West Africa, and Northern Europe. The attackers leveraged AI to automate unauthorized access to compromised networks, making their operations more efficient and far-reaching.

Amazon became aware of the campaign after discovering a server that hosted malicious tooling aimed at Fortinet’s FortiGate. Rather than focusing on specific industries, the attackers opportunistically scanned the internet for FortiGate management interfaces exposed on ports such as 443, 8443, 10443, and 4443. Using brute-force attacks with easily guessable credentials, they gained access to numerous devices without needing any zero-day exploit.
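The technique described above, password guessing against an internet-facing management interface, leaves a clear trail in the firewall’s own event log. The following detector is an added example, not code from Amazon’s advisory or from Fortinet: it parses FortiOS-style key=value admin login events, counts failures per source address inside a sliding window, and raises a higher-severity finding when the same source subsequently logs in successfully, which is the moment a guessing campaign turns into a compromise. The log lines are constructed to resemble FortiGate "Admin login failed" / "Admin login successful" records; the exact field names on a real device vary by FortiOS version, which is an assumption here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real device output). One external source guesses
# the admin password six times on port 10443 and then succeeds; an internal
# admin mistypes once and then logs in normally; one non-login event is mixed in.
SAMPLE_LOG = """\
date=2026-01-12 time=03:10:01 logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:10:02 logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:10:03 logdesc="Admin login failed" user="fortinet" ui="https(198.51.100.7)" srcip=198.51.100.7 dstport=10443 action="login" status="failed" reason="name_invalid"
date=2026-01-12 time=03:10:04 logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:10:05 logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:10:06 logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:10:09 logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstport=10443 action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.7)"
date=2026-01-12 time=03:11:00 logdesc="Admin login failed" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 dstport=443 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:11:05 logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 dstport=443 action="login" status="success"
date=2026-01-12 time=03:12:00 logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value event line into a dict with surrounding quotes stripped."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def detect_admin_bruteforce(log_text, window=timedelta(minutes=5), threshold=5):
    """Return a list of findings.

    medium: a source address reached `threshold` failed admin logins within `window`
    high:   that same source then logged in successfully while still over threshold
    A single typo followed by a normal login stays below threshold and is not reported.
    """
    recent_failures = defaultdict(deque)  # srcip -> timestamps of failures in window
    already_flagged = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue  # only admin login events are relevant here
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        src = ev["srcip"]
        q = recent_failures[src]
        while q and ts - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev.get("status") == "failed":
            q.append(ts)
            if len(q) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                findings.append({"severity": "medium", "srcip": src,
                                 "dstport": ev.get("dstport"),
                                 "reason": f"{len(q)} failed admin logins within {window}"})
        elif ev.get("status") == "success" and len(q) >= threshold:
            findings.append({"severity": "high", "srcip": src,
                             "dstport": ev.get("dstport"), "user": ev.get("user"),
                             "reason": f"successful admin login after {len(q)} recent failures"})
    return findings


if __name__ == "__main__":
    for f in detect_admin_bruteforce(SAMPLE_LOG):
        print(f)
```

The window and threshold are deliberately parameters: a device whose management interface is correctly restricted to trusted hosts should produce almost no external failures at all, so on such a device even a low threshold is a strong signal, whereas a noisy internet-exposed interface needs the success-after-failures rule to separate compromise from background scanning.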

Upon breaching these firewalls, the threat actor exported the device configuration, which included SSL-VPN user credentials, administrative credentials, firewall policies, the internal network layout, and IPsec VPN settings. Amazon’s analysis found that these configuration files were then parsed and decrypted with AI-assisted scripts written in Python and Go.

Following initial access, the attacker deployed a custom reconnaissance tool, written in both Go and Python, to map the compromised networks. This included reading routing tables, running port scans, identifying SMB hosts, and enumerating HTTP services with various scanning tools. Despite the apparent effectiveness of these tools, they often failed in environments with robust security controls.

Operational documentation found on the server highlighted the use of various techniques, including DCSync attacks targeting Windows domain controllers to extract NTLM password hashes from Active Directory databases. The attacker also specifically aimed at Veeam Backup & Replication servers, employing tailored PowerShell scripts and credential extraction tools to exploit vulnerabilities within that ecosystem.

This incursion underscores the vulnerabilities present in backup infrastructures, which are often targeted before ransomware deployment to inhibit recovery efforts. Threat actors’ operational notes indicated multiple attempts to exploit known vulnerabilities in various systems, albeit with limited success against updated defenses.

According to Amazon’s evaluation, the attacker possessed a low-to-medium skill set that was significantly enhanced through the utilization of AI. The research identified the use of at least two distinct large language model providers throughout the attack campaign for generating attack methodologies, developing scripts, planning lateral movement strategies, and drafting operational documentation. The use of commercial AI services appears to lower the barrier for entry, facilitating the execution of complex cyber assaults.

In summary, the tactics and techniques used in this campaign may align with several MITRE ATT&CK adversary tactics, including Initial Access through credential dumping, Persistence via unauthorized administrative privileges, and Lateral Movement through network reconnaissance. Amazon recommends that administrators of FortiGate devices restrict access to their management interfaces and strengthen their credential protections. This incident is a stark reminder of an evolving threat landscape fuelled by advanced technologies.
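The two recommendations above, restricting the management interface and strengthening credential protection, can be checked mechanically against an exported FortiOS configuration. The audit below is an added example and not Amazon’s or Fortinet’s code: it parses the CLI-style configuration subset shown (interface access lists, administrator accounts) and reports management services reachable on an interface whose role is WAN, administrator accounts with no trusted-host restriction, and accounts without two-factor authentication. A weak configuration is shown beside the hardened version of the same device; both configurations are constructed for this example, and the nested-block handling in the parser is simplified on the assumption that only top-level settings matter for these checks.

```python
import shlex

# Constructed weak configuration: HTTPS and SSH administration allowed on the WAN
# interface, and the built-in admin account has neither trusted hosts nor MFA.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

# Constructed hardened configuration for the same device: management only on the
# internal interface, every administrator limited to a trusted subnet with MFA.
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

MGMT_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse the FortiOS CLI subset used here into {section: {entry: {setting: [values]}}}.
    Nested 'config' blocks inside an entry are skipped (assumption: not needed for this audit)."""
    tree, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = shlex.split(raw)  # handles quoted names such as edit "wan1"
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            depth += 1
            if depth == 1:
                section = " ".join(tok[1:])
                tree[section] = {}
        elif cmd == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif depth != 1:
            continue  # inside a nested block this parser does not model
        elif cmd == "edit":
            entry = tok[1]
            tree[section][entry] = {}
        elif cmd == "next":
            entry = None
        elif cmd == "set" and entry is not None:
            tree[section][entry][tok[1]] = tok[2:]
    return tree


def audit_management_exposure(config_text):
    """Return (severity, message) findings for the three weaknesses the campaign relied on."""
    tree = parse_fortios_config(config_text)
    findings = []
    for name, s in tree.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(s.get("allowaccess", []))
        if s.get("role") == ["wan"] and exposed:
            findings.append(("high", f"interface {name}: {sorted(exposed)} reachable on WAN interface"))
    for name, s in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append(("medium", f"admin {name}: no trusthost restriction"))
        if s.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("medium", f"admin {name}: no two-factor authentication"))
    return findings


if __name__ == "__main__":
    print("weak:", audit_management_exposure(WEAK_CONFIG))
    print("hardened:", audit_management_exposure(HARDENED_CONFIG))
```

The interface check keys on `set role wan` rather than on the interface name, because naming conventions vary between deployments while the role attribute is what the device itself uses; the administrator check treats `two-factor disable` the same as an absent setting, since both mean a single guessed password is enough.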

As a growing number of threat actors harness AI for their malicious objectives, organizations must remain vigilant and prioritize the enhancement of their cybersecurity defenses to combat these emerging risks effectively.
