AI-powered hacker breaches 600 FortiGate firewalls, Amazon warns

Attacker relied heavily on AI outputs

An AI-assisted hacker campaign breached over 600 FortiGate firewalls worldwide by exploiting weak credentials and public interfaces in a chilling demonstration of how generative AI is lowering the technical bar for large-scale cyberattacks.

A Russian-speaking threat actor used generative AI to help breach over 600 FortiGate firewalls across 55 countries in just five weeks, according to a new report released by Amazon's security division.

The campaign, which ran from 11th January to 18th February 2026, did not rely on sophisticated zero-day exploits. Instead, the attacker focused on exposed management interfaces and weak credentials lacking multi-factor authentication (MFA), highlighting how AI is lowering the technical barrier for large-scale cyber intrusions.

In a blog post, CJ Moses, Chief Information Security Officer of Amazon Integrated Security, detailed how the company uncovered the operation after discovering a server hosting malicious tooling aimed at Fortinet devices.

Fortinet produces the widely used FortiGate firewall appliances targeted in the campaign.

Rather than exploiting previously unknown vulnerabilities, the attacker scanned the internet for management services running on common ports, including 443, 8443, 10443, and 4443, and launched brute-force password attacks against exposed systems.
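The pattern described above, repeated password guesses from one source against a management port followed by a successful login, is straightforward to flag in authentication logs. The following script is an added example for defenders, not code from the Amazon report or from Fortinet: it runs a sliding-window failure counter over a constructed, simplified log format (the real FortiGate log schema differs; adapt the regular expression to your own syslog export) and raises an alert on a burst of failures, and a second, higher-priority alert if that same source then authenticates successfully. The port list is the one named in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Management ports named in the report; extend to match your deployment.
MGMT_PORTS = {443, 8443, 10443, 4443}

# Constructed, simplified log line format (NOT Fortinet's real schema):
# "<ISO time> src=<ip> dport=<port> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample data: one guessing burst that ends in a login, one
# legitimate typo, one event on a non-management port, one malformed line.
SAMPLE_LOG = """\
2026-01-12T03:14:01Z src=203.0.113.7 dport=10443 user=admin result=fail
2026-01-12T03:14:02Z src=203.0.113.7 dport=10443 user=admin result=fail
2026-01-12T03:14:03Z src=203.0.113.7 dport=10443 user=admin result=fail
2026-01-12T03:14:04Z src=203.0.113.7 dport=10443 user=admin result=fail
2026-01-12T03:14:05Z src=203.0.113.7 dport=10443 user=admin result=fail
2026-01-12T03:14:09Z src=203.0.113.7 dport=10443 user=admin result=ok
2026-01-12T03:20:00Z src=198.51.100.2 dport=8443 user=netops result=fail
2026-01-12T03:20:30Z src=198.51.100.2 dport=8443 user=netops result=ok
2026-01-12T03:25:00Z src=192.0.2.9 dport=22 user=admin result=fail
this line is malformed and must be skipped, not crash the parser
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source accumulates `threshold` failed logins against a
    management port inside `window`, and again if it later succeeds."""
    failures = defaultdict(list)  # (src, dport) -> recent failure timestamps
    flagged = set()               # keys that already produced a burst alert
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["dport"] not in MGMT_PORTS:
            continue
        key = (ev["src"], ev["dport"])
        if ev["result"] == "fail":
            bucket = failures[key]
            bucket.append(ev["ts"])
            # Keep only failures inside the sliding window.
            while bucket and ev["ts"] - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "bruteforce", "src": ev["src"],
                               "dport": ev["dport"], "failures": len(bucket),
                               "at": ev["ts"]})
        elif key in flagged:
            # A successful login after a flagged burst is the high-priority case.
            alerts.append({"type": "success_after_bruteforce", "src": ev["src"],
                           "dport": ev["dport"], "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_LOG):
        print(a)
```

The threshold and window are deliberately conservative so that a single mistyped password (the `netops` lines) does not alert; tune them to your own baseline, and treat the `success_after_bruteforce` alert as an incident trigger rather than a notice.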

The targeting appeared opportunistic rather than industry-specific, with victims identified across Northern Europe, South Asia, Southeast Asia, Latin America, the Caribbean, and West Africa.

Once inside a firewall, the attacker extracted configuration files containing SSL-VPN credentials with recoverable passwords, administrative usernames and passwords, firewall policies and internal network maps, IPsec VPN configurations, and routing tables and topology information.

The researchers found that the stolen configuration files were parsed and decrypted using AI-assisted Python and Go scripts.

The tools themselves showed signs of AI-generated code: redundant comments, simplistic architecture, fragile JSON parsing, and poor error handling.

While functional, they frequently failed in hardened environments, suggesting the attacker relied heavily on AI outputs without significant refinement.

After gaining VPN access, the threat actor deployed custom reconnaissance tools written in Go and Python.

These automated scripts classified networks by size, analysed routing tables, scanned ports using open-source tools, identified SMB hosts and Windows domain controllers, and discovered HTTP services.

The researchers found operational notes written in Russian, detailing step-by-step instructions. The campaign also aggressively targeted backup infrastructure, particularly Veeam Backup & Replication servers.

A PowerShell script was found on a misconfigured server, designed to extract stored backup credentials.

The attacker's notes referenced attempts to exploit several known vulnerabilities, including CVE-2024-40711 (Veeam RCE), CVE-2023-27532 (Veeam information disclosure), and CVE-2019-7192 (QNAP RCE).

In cases where systems were properly patched or hardened, the actor typically abandoned the effort and moved on to easier targets.

Custom AI Infrastructure: ARXON and CHECKER2

A separate investigation by the Cyber and Ramen security researchers uncovered additional technical details.

Researchers identified a misconfigured server (212.11.64.250) hosting 1,402 files across 139 directories, including stolen firewall backups, credential dumps, vulnerability scans, and AI session artifacts.

Among the exposed files were folders labelled "claude" and "claude-0," containing outputs and prompt histories linked to Anthropic's Claude language model.

Logs also indicated use of DeepSeek and other commercial AI providers.

At the centre of the operation was a custom-built Model Context Protocol (MCP) server named ARXON.

MCP servers act as intermediaries that ingest reconnaissance data, send it to large language models, and integrate the generated responses back into operational workflows.

In this case, ARXON fed stolen network maps, credentials, and routing data into AI models to generate structured attack plans.

A separate Docker-based Go tool called CHECKER2 orchestrated parallel scans of thousands of VPN endpoints. Logs showed more than 2,500 potential targets across 100+ countries.

Low skill, high impact

Amazon assessed the threat actor as having a low-to-medium technical skill level. However, the use of generative AI dramatically expanded the attacker's capabilities.

The company is urging FortiGate administrators to avoid exposing management interfaces to the public internet and enable MFA for all administrative and VPN accounts.

It also recommends that admins ensure VPN passwords are not reused for Active Directory, harden backup infrastructure, and audit unusual SSH activity and new VPN account creation.
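Two of the recommendations above, no management access on internet-facing interfaces and MFA on every administrative account, can be checked mechanically against a configuration backup. The script below is an added example written for this article, not Amazon's or Fortinet's tooling. It parses a constructed, simplified FortiOS-style config excerpt (the `config`/`edit`/`set`/`next`/`end` block structure and the `allowaccess`, `trusthost1` and `two-factor` keys are assumed here to have their usual meaning; confirm the exact syntax against your own firmware's reference) and reports which interfaces and admin accounts violate the guidance, with a corrected excerpt alongside it that passes clean. The set of external interface names is supplied by the caller because the parser makes no attempt to infer it.

```python
import shlex

# Management services that should never be reachable on an external interface.
MGMT_SERVICES = {"https", "http", "ssh", "telnet"}

# Constructed weak excerpt (FortiOS-style, simplified): management services
# enabled on the WAN interface and a second admin with neither MFA nor a
# trusted-host restriction.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "backupadmin"
    next
end
"""

# Constructed corrected excerpt: WAN interface answers ping only, every admin
# has MFA and is restricted to the internal management network.
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "backupadmin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""


def parse_fortios(text):
    """Minimal parser for the flat config/edit/set/next/end blocks used here
    (assumed, simplified syntax). Returns {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # shlex strips the quotes around names
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "config":
            section = " ".join(parts[1:])
            tree.setdefault(section, {})
        elif cmd == "edit":
            entry = parts[1]
            tree[section].setdefault(entry, {})
        elif cmd == "set":
            tree[section][entry][parts[1]] = parts[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = None
    return tree


def audit(tree, external_interfaces):
    """Return human-readable findings for the two checks described above."""
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if name in external_interfaces and exposed:
            findings.append(f"interface {name}: management services "
                            f"{sorted(exposed)} reachable from the internet")
    for name, adm in tree.get("system admin", {}).items():
        # Absent key is treated the same as an explicit 'disable'.
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: no two-factor authentication")
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusted-host restriction")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios(cfg), {"wan1"}) or ["no findings"])
```

Password reuse between the VPN and Active Directory cannot be read out of a config file; that check belongs in your identity platform, alongside the SSH and VPN-account audit the report calls for.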