Attacker Breached 600 FortiGate Appliances in AI-Assisted Campaign: Amazon
The cybersecurity industry is getting another demonstration of how generative AI tools can allow lower-skilled threat actors to launch and run wide-ranging attacks that previously would have taken larger teams of more experienced hackers to pull off.
The latest example was reported by the Amazon Threat Intelligence unit, which said its researchers found a Russian-speaking threat actor using multiple commercially available GenAI services to compromise more than 600 of Fortinet’s FortiGate network appliances across more than 55 countries.
The campaign ran from January 11 to February 18, according to CJ Moses, CISO of Amazon Integrated Security.
“No exploitation of FortiGate vulnerabilities was observed – instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale,” Moses wrote in the report. “This activity is distinguished by the threat actor’s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities.”
A Growing Trend
The Amazon investigation is the latest in a trend being seen of bad actors using AI tools not only to supplement their activities, but to generate malware and run the operation. AI vendor Anthropic reported in November 2025 about a China-linked group using its Claude Code model to run an espionage campaign, while Check Point in January wrote about a single actor who used an AI model to generate an advanced malware called “VoidLink.”
Darktrace researchers earlier this month caught a malware sample in its honeypot network that they said was entirely generated by AI. Now Amazon is weighing in.
“This investigation highlights how commercial AI services can lower the technical barrier to entry for offensive cyber capabilities,” Moses wrote. “The threat actor in this campaign is not known to be associated with any advanced persistent threat group with state-sponsored resources. They are likely a financially motivated individual or small group who, through AI augmentation, achieved an operational scale that would have previously required a significantly larger and more skilled team.”
Compromised AD, Stole Credentials
Even so, Amazon researchers found that the threat actor compromised the Microsoft Active Directory (AD) environments of multiple organizations, stole credential databases, and targeted backup infrastructure, which is often an early step in a ransomware campaign.
“Notably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill,” he wrote.
Amazon researchers identified publicly accessible infrastructure that was hosting malicious tools associated with the campaign and noted that the attacker had placed other operational files on the same infrastructure, including AI-generated attack plans, source code for custom tools, and victim configurations.
“This inadequate operational security provided comprehensive visibility into the threat actor’s methodologies and the specific ways they leverage AI throughout their operations,” he wrote. “It’s like an AI-powered assembly line for cybercrime, helping less skilled workers produce at scale.”
Accessing FortiGate Appliances
By compromising the FortiGate appliances – which often act as next-generation firewalls – the threat actor pulled full device configurations, which included credentials and network information. They used those credentials to connect to victims’ internal networks, compromise their AD environments, harvest more credentials, and try to reach backup infrastructure.
The attacker gained initial access through internet-facing FortiGate interfaces, scanning across ports 443, 8443, 10443, and 4443, and then reused credentials in authentication attempts. The devices were located in South and Southeast Asia, Latin America, West Africa, Northern Europe, and the Caribbean, as well as other regions.
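As an added illustration (not code from the Amazon report), the following Python sketch shows the kind of detection logic a defender could run over FortiGate admin-login event logs to spot credential guessing across the management ports named above. Field names are modeled on FortiGate’s key=value log format, the sample log lines are constructed, and the trusted management network (10.20.0.0/16) is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of FortiGate admin-login events.
# Field names follow the FortiGate convention; every value here is made up.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 dstport=443 status=failed
date=2026-01-12 time=03:14:04 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 dstport=8443 status=failed
date=2026-01-12 time=03:14:09 logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.7)" srcip=203.0.113.7 dstport=10443 status=failed
date=2026-01-12 time=03:14:15 logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 dstport=4443 status=success
date=2026-01-12 time=08:02:30 logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" srcip=10.20.0.5 dstport=443 status=success
"""

MGMT_PORTS = {443, 8443, 10443, 4443}            # ports scanned in the campaign
TRUSTED_MGMT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed admin network
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_suspicious_logins(text, min_failures=2):
    """Return [(srcip, [reasons])] for sources that fail admin logins and then
    succeed, probe several management ports, or succeed from outside the
    trusted management network."""
    per_src = defaultdict(lambda: {"fails": 0, "ports": set(), "success": False})
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev.get("logdesc", "").startswith("Admin login") or "srcip" not in ev:
            continue
        port = int(ev.get("dstport", 0))
        if port not in MGMT_PORTS:
            continue
        rec = per_src[ev["srcip"]]
        rec["ports"].add(port)
        if ev.get("status") == "failed":
            rec["fails"] += 1
        else:
            rec["success"] = True
    alerts = []
    for src, rec in per_src.items():
        reasons = []
        if rec["fails"] >= min_failures and rec["success"]:
            reasons.append("success after repeated failures")
        if len(rec["ports"]) > 1:
            reasons.append(f"probed {len(rec['ports'])} management ports")
        if rec["success"] and ipaddress.ip_address(src) not in TRUSTED_MGMT_NET:
            reasons.append("admin login from non-trusted address")
        if reasons:
            alerts.append((src, reasons))
    return alerts
```

Restricting `allowaccess` on internet-facing interfaces and enforcing trusted hosts and two-factor authentication on admin accounts removes most of what this logic would flag in the first place; the check is a backstop for spotting the exposure the report describes.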
After gaining access to the networks, the threat actor deployed several versions of a custom reconnaissance tool, written in Go or Python, that showed signs of AI-assisted development: comments that simply restate function names, a simplistic architecture that favors formatting over functionality, and JSON parsing done by string matching rather than deserialization.
“While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge cases – characteristics typical of AI-generated code used without significant refinement,” Moses wrote.
Moving Laterally
Once inside the networks, the attacker moved laterally and targeted Veeam Backup and Replication servers using credential-extracting tools and PowerShell scripts, as well as exploitation attempts against known Veeam flaws.
Moses wrote that the bad actors used at least two large language model (LLM) vendors to generate attack methodologies, including step-by-step exploitation instructions, expected success rates, time estimates, and prioritized task trees. They also used multiple AI services in complementary roles, including as the primary tool developer, attack planner, and operational assistant, and as a supplementary attack planner for when they needed help pivoting in a compromised network.
The infrastructure also held scripts in multiple programming languages, suggesting they were AI-generated. The tooling included configuration parsers, credential extraction tools, VPN connection automation, mass scanning orchestration, and result aggregation dashboards.
‘Expect This Trend to Continue in 2026’
“The volume and variety of custom tooling would typically indicate a well-resourced development team. Instead, a single actor or very small group generated this entire toolkit through AI-assisted development,” Moses wrote. “As we expect this trend to continue in 2026, organizations should anticipate that AI-augmented threat activity will continue to grow in volume from both skilled and unskilled adversaries.”
Organizations need to ensure they continue patch management for perimeter devices, credential protections, network segmentation, and strong detection for post-exploitation indicators, he wrote.