DevBlacksmith

An AI-Assisted Hacker Breached 600+ FortiGate Firewalls in 5 Weeks

What Happened

Between January 11 and February 18, 2026, a single threat actor compromised over 600 FortiGate firewall devices across more than 55 countries. The campaign was uncovered and documented by Amazon Threat Intelligence, and the findings are significant — not because of the technical sophistication of the attack, but because of the lack of it.

The attacker was a low-to-medium skill, financially motivated, Russian-speaking individual. They didn't discover zero-days. They didn't write custom exploits. They didn't chain together novel attack techniques. Instead, they used commercial generative AI services to compensate for their limited technical ability — and it worked at scale.

This is the first well-documented case of AI fundamentally changing the capability profile of a real-world attacker.

How the Attack Worked

No Zero-Days Required

Here's the uncomfortable part: no FortiGate vulnerabilities were exploited. The entire campaign succeeded through:

  1. Exposed management interfaces — FortiGate devices with admin panels accessible from the internet on ports 443, 8443, 10443, and 4443
  2. Weak credentials with single-factor authentication — Default or commonly reused passwords without MFA enabled

That's it. Port scanning plus credential stuffing. The most basic attack vector in the playbook.

Where AI Changed the Game

Amazon Threat Intelligence confirmed the attacker used at least two distinct commercial LLM providers throughout the campaign. The AI was used across every phase:

Reconnaissance and Planning:

  • The attacker fed reconnaissance data from compromised FortiGate appliances into a custom tool called ARXON
  • ARXON queried LLMs (identified as DeepSeek and Claude) to generate structured attack plans
  • These plans included step-by-step exploitation instructions, expected success rates, time estimates, and prioritized task trees

Script Generation:

  • AI-generated Python scripts automated the parsing, decryption, and organization of stolen FortiGate configurations
  • This enabled efficient large-scale credential harvesting that would have required significantly more skill to code manually

Post-Compromise Operations:

  • One LLM acted as the primary tool developer and attack planner
  • A second LLM served as a supplementary assistant for pivoting within compromised networks
  • The attacker used AI to generate PowerShell scripts targeting Veeam Backup & Replication servers — a common pre-ransomware move to destroy recovery capabilities

What the Attacker Did After Getting In

The post-compromise activity reveals the endgame:

  • Configuration exfiltration — Downloading full device configurations, including VPN credentials and network topology
  • Backup infrastructure targeting — Specifically going after Veeam servers with AI-generated decryption tools and PowerShell scripts
  • Credential harvesting — Extracting and organizing credentials for lateral movement

Targeting backup infrastructure is a hallmark of ransomware preparation. Destroy the backups first, then encrypt the production systems. The victim has no recovery option except paying.

The AI Skill Multiplier

What makes this case study significant isn't the attack itself — port scanning and credential stuffing have existed forever. It's the scale and speed that AI enabled for a low-skill attacker.

Amazon's analysis revealed consistent limitations:

  • The attacker couldn't compile custom exploits
  • They couldn't debug failed exploitation attempts
  • They couldn't creatively pivot when standard approaches failed
  • They repeatedly failed against hardened environments and abandoned those targets

Their own operational notes document these failures. This isn't an elite APT group. This is someone who, without AI assistance, probably couldn't have compromised more than a handful of devices.

With AI, they compromised 600+ in five weeks across 55 countries.

The implication is clear: AI doesn't just help skilled attackers move faster — it lets unskilled attackers operate at a level they couldn't reach on their own. The floor of attacker capability has been raised.

What Defenders Should Do

1. Don't Expose Management Interfaces

This entire campaign would have been prevented if the FortiGate management interfaces weren't accessible from the internet. This is the most basic security hygiene, and 600+ organizations got it wrong.

Check whether your FortiGate management is internet-exposed. These ports should not be reachable from untrusted networks:

  • 443 (HTTPS management)
  • 8443 (alternate HTTPS management)
  • 10443 (SSL VPN default)
  • 4443 (alternate management)

Restrict management access to a VPN or jump host. If you absolutely must allow remote management, use IP allowlisting at minimum.

2. Enable MFA Everywhere

Single-factor authentication on network infrastructure in 2026 is indefensible. Every FortiGate, every switch, every router, every management interface should require multi-factor authentication.

The attacker specifically targeted devices with single-factor auth. MFA would have stopped the credential stuffing cold.
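
As an added example of what monitoring for this vector looks like (this is not code from the post or from Amazon Threat Intelligence), the Python below parses FortiGate-style admin login events and flags two things: a source address that fails repeatedly inside a short window, and, more urgently, a successful admin login from a source that was failing moments before. The sample log lines are constructed to approximate FortiGate's key=value event format using documentation-range addresses; the five-minute window and the failure thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events approximating FortiGate's key=value admin login
# logs (documentation-range addresses, not real infrastructure): five failed
# admin logins from one source followed by a success, and one legitimate user
# who mistyped a password once.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:03 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:05 logdesc="Admin login failed" user="fortinet" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-01-12 time=03:14:08 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:10 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:12 logdesc="Admin login successful" user="admin" srcip=203.0.113.5 action="login" status="success"
date=2026-01-12 time=09:30:00 logdesc="Admin login failed" user="jsmith" srcip=10.0.5.20 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=09:30:20 logdesc="Admin login successful" user="jsmith" srcip=10.0.5.20 action="login" status="success"
"""

# key=value pairs; values are either "quoted strings" or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def event_time(fields):
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def detect_admin_credential_attacks(log_text, window=timedelta(minutes=5),
                                    fail_threshold=5, prior_fail_min=3):
    """Scan admin login events in time order and return a list of findings.

    Rules (thresholds are assumptions; tune them to your own baseline):
      * admin_login_bruteforce: a source reaches fail_threshold failed admin
        logins inside `window` (reported once per source).
      * admin_login_success_after_failures: a source logs in successfully
        after at least prior_fail_min failures inside `window`, which is what
        a guessed or stuffed credential looks like in the log.
    """
    recent_failures = defaultdict(list)   # srcip -> [(time, user), ...]
    already_flagged = set()
    findings = []
    for line in log_text.splitlines():
        f = parse_fortigate_line(line)
        if not f.get("logdesc", "").startswith("Admin login") or "srcip" not in f:
            continue   # not an admin login event
        t, src = event_time(f), f["srcip"]
        # drop failures that have aged out of the sliding window
        recent = [(ft, u) for ft, u in recent_failures[src] if t - ft <= window]
        if f.get("status") == "failed":
            recent.append((t, f.get("user", "?")))
            if len(recent) >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)
                findings.append({
                    "severity": "medium", "rule": "admin_login_bruteforce",
                    "srcip": src, "failures": len(recent),
                    "users": sorted({u for _, u in recent}), "time": t,
                })
        elif f.get("status") == "success" and len(recent) >= prior_fail_min:
            findings.append({
                "severity": "high", "rule": "admin_login_success_after_failures",
                "srcip": src, "user": f.get("user"),
                "prior_failures": len(recent), "time": t,
            })
        recent_failures[src] = recent
    return findings


if __name__ == "__main__":
    for finding in detect_admin_credential_attacks(SAMPLE_LOGS):
        print(finding)
```

On the sample data this yields one medium finding for 203.0.113.5 (five failures across two usernames) and one high finding for the success that follows; jsmith's single typo is ignored. Credential stuffing is frequently spread across many source addresses precisely to stay under per-IP thresholds, so pair this with a per-account view (one account failing from many sources), and treat it as a complement to MFA and to removing management interfaces from the internet, which close the vector rather than merely observe it.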

3. Protect Your Backups

The attacker's specific focus on Veeam servers is a warning sign. If your backup infrastructure is reachable from the same network segment as a compromised device, you're one lateral move away from losing everything.

  • Keep critical backups air-gapped or on immutable storage
  • Restrict access to backup systems to dedicated admin accounts with MFA
  • Monitor for unusual access patterns to backup infrastructure
  • Test your recovery — backups you can't restore from are useless

4. Monitor for AI-Generated Attack Patterns

AI-assisted attacks have detectable characteristics:

  • Highly structured command sequences — AI-generated attack scripts are often more organized and well-commented than typical attacker tools
  • Consistent operational patterns — The attacker follows the AI's plan methodically rather than adapting on the fly
  • Rapid capability shifts — An attacker suddenly using techniques well above their demonstrated skill level
  • Multi-phase reconnaissance — Structured data collection that gets fed back into planning tools

5. Audit Your External Attack Surface

Run regular scans of your internet-facing infrastructure. Services like Shodan, Censys, or your own external scanning tools can identify exposed management interfaces before attackers do.
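
For the exposure check that steps 1 and 5 both call for, here is an added Python example (not code from the post or from any Fortinet tool) that tests whether the management and SSL-VPN ports listed above complete a TCP handshake on one of your own public addresses. It checks reachability only and sends nothing after the handshake; the host list is assumed to come from your own asset inventory, and it must be run from a vantage point outside your network, since a result taken from inside the LAN says nothing about internet exposure.

```python
import socket
import sys

# FortiGate management and SSL-VPN ports named in the post, with the post's
# own descriptions.
FORTIGATE_MGMT_PORTS = {
    443: "HTTPS management",
    8443: "alternate HTTPS management",
    10443: "SSL VPN default",
    4443: "alternate management",
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Only reachability is tested; the connection is closed immediately and
    nothing is sent, so a firewall that silently drops (filtered) and a
    port that is closed both read as False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_management_exposure(host, ports=None, timeout=2.0):
    """Check each management port on one host; returns {port: reachable}.

    Run from outside your network (a cloud VM, a home connection); the
    inside view of a firewall is not the internet's view.
    """
    ports = FORTIGATE_MGMT_PORTS if ports is None else ports
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def exposed_ports(results):
    """Ports that answered; each needs either closing or a source allowlist."""
    return sorted(p for p, reachable in results.items() if reachable)


def exposure_report(host, results, ports=None):
    """Render audit results as one line per port, flagging reachable ones."""
    ports = FORTIGATE_MGMT_PORTS if ports is None else ports
    lines = []
    for port in sorted(results):
        state = "EXPOSED" if results[port] else "closed/filtered"
        lines.append(f"{host}:{port} ({ports.get(port, 'unlisted')}) -> {state}")
    return lines


if __name__ == "__main__":
    # Usage: python audit_mgmt.py <your-public-ip-or-hostname> [...]
    # Targets are assumed to be your own addresses from your asset inventory.
    for target in sys.argv[1:]:
        results = audit_management_exposure(target)
        print("\n".join(exposure_report(target, results)))
        if exposed_ports(results):
            print(f"  {target}: restrict these to a VPN, jump host, or source allowlist")
```

A reachable port is a finding to act on, not proof of an admin login page: port 443 on a FortiGate may be serving SSL VPN rather than the GUI, so confirm what each exposed port actually serves before deciding between closing it and allowlisting it. Re-run the audit on a schedule, since exposure tends to creep back in through firmware upgrades, interface changes, and temporary exceptions that never get reverted.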

The Bigger Picture

This campaign isn't an outlier — it's a preview. Amazon Threat Intelligence specifically noted that the attacker's use of AI was systematic and integral to the operation, not an occasional convenience.

The security implications are significant:

  • The barrier to large-scale attacks is dropping. You no longer need years of experience to run a campaign across 55 countries. You need an LLM subscription and exposed targets
  • AI providers are part of the attack chain. The attacker used commercial, legitimate AI services. This raises questions about AI providers' responsibility in detecting and preventing misuse
  • Volume will increase. If one low-skill attacker can hit 600+ devices in 5 weeks, the aggregate impact of many AI-assisted attackers operating simultaneously will strain defensive resources

The defenders' advantage has always been that attacking at scale requires skill. That advantage is eroding.
