Fortinet: Amazon: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally

AI-Powered Cyberattacker Compromises 600+ FortiGate Devices in Global Campaign

A recent investigation by Amazon Threat Intelligence has exposed a new threat: an AI-augmented cybercriminal with limited technical expertise who breached over 600 FortiGate security devices across 55 countries in just 38 days (11 January–18 February 2026). The Russian-speaking attacker leveraged commercial AI services to automate and scale their operations, transforming basic hacking techniques into a high-efficiency intrusion campaign.

How the Attack Unfolded

The attacker used AI-generated Python and Go scripts to scan the internet for exposed management ports (443, 8443, 10443, 4443), a tactic that eliminated the need for manual reconnaissance. Rather than deploying sophisticated exploits, they relied on AI-assisted brute-forcing of common or stolen passwords to gain initial access.

Once inside, the attacker employed AI to map internal networks and deploy well-known offensive tools like Meterpreter and Mimikatz to extract credentials from Active Directory servers. A key objective was locating Veeam Backup & Replication servers, enabling them to disable data recovery options, a tactic that could force victims into paying ransoms by eliminating their ability to restore systems.

AI’s Double-Edged Role

While AI amplified the attacker’s capabilities, it also became a critical weakness. The AI-generated code was effective for simple tasks but failed under complex conditions, particularly when attempting to exploit vulnerabilities like CVE-2019-7192 and CVE-2023-27532. The campaign’s success was concentrated in regions with weaker security postures, including South Asia, Southeast Asia, Latin America, West Africa, and Northern Europe.

Defensive Takeaways

The incident underscores that AI-driven attacks are lowering the barrier to entry for cybercriminals, but traditional security measures remain effective. The attacker’s failures against patched systems and advanced exploits highlight the importance of basic cyber hygiene, including:

  • Restricting public access to management ports.
  • Enforcing Multi-Factor Authentication (MFA) to neutralize password-based attacks.
  • Avoiding password reuse between security devices and corporate networks.
  • Promptly applying security patches to close known vulnerabilities.

The case serves as a stark reminder that even low-skilled threat actors can inflict widespread damage when armed with AI, while also demonstrating that fundamental security practices can still thwart such campaigns.
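A defender-side check for the first two takeaways, added here as an example and not taken from the hackread or Amazon reports: it runs over constructed log lines in the key=value shape of FortiGate administrator login events (field names such as srcip, action and status are assumed; the IPs, timestamps and device name are made up) and flags password-guessing sources as well as successful admin logins from outside the trusted management network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (not real logs) in the key=value shape FortiGate
# uses for administrator logins; IPs come from RFC 5737 documentation ranges.
def _event(ts, srcip, user, status, reason):
    return (f'date=2026-01-12 time={ts} devname="FGT-EDGE" type="event" '
            f'subtype="system" user="{user}" method="https" srcip={srcip} '
            f'action="login" status="{status}" reason="{reason}"')

SAMPLE_LOGS = [_event(f"03:14:{i:02d}", "203.0.113.10", "admin", "failed",
                      "passwd_invalid") for i in range(6)]   # guessing run
SAMPLE_LOGS += [
    _event("03:14:07", "203.0.113.10", "admin", "success", "none"),  # guess landed
    _event("03:20:00", "198.51.100.7", "admin", "failed", "passwd_invalid"),  # one typo
    _event("03:21:00", "10.0.0.5", "admin", "success", "none"),  # from mgmt LAN
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def brute_force_sources(lines, threshold=5):
    """Source IPs with at least `threshold` failed admin logins."""
    fails = Counter(e["srcip"] for e in map(parse_event, lines)
                    if e.get("action") == "login" and e.get("status") == "failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def untrusted_admin_logins(lines, trusted_cidrs):
    """Successful admin logins whose source is outside the allowed mgmt networks."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for e in map(parse_event, lines):
        if e.get("action") != "login" or e.get("status") != "success":
            continue
        ip = ipaddress.ip_address(e["srcip"])
        if not any(ip in n for n in nets):
            hits.append((e["srcip"], e["user"]))
    return hits

if __name__ == "__main__":
    print("password guessing from:", brute_force_sources(SAMPLE_LOGS))
    print("admin logins outside mgmt net:",
          untrusted_admin_logins(SAMPLE_LOGS, ["10.0.0.0/8"]))
```

The second check is the log-side complement of restricting management access to trusted hosts: if a successful admin login ever appears from outside the allowed range, the restriction is not in place or has been bypassed.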

Source: https://hackread.com/amazon-hacker-ai-tools-breach-fortigate-devices/

Fortinet TPRM report: https://www.rankiteo.com/company/fortinet

{
  "id": "for1771958426",
  "linkid": "fortinet",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': ['South Asia',
                                     'Southeast Asia',
                                     'Latin America',
                                     'West Africa',
                                     'Northern Europe'],
                        'type': 'Organizations with FortiGate devices'}],
 'attack_vector': ['Brute-forcing',
                   'AI-assisted reconnaissance',
                   'Exposed management ports'],
 'data_breach': {'sensitivity_of_data': 'High (Active Directory credentials, '
                                        'backup systems)',
                 'type_of_data_compromised': 'Credentials, backup server '
                                             'access'},
 'date_detected': '2026-01-11',
 'date_publicly_disclosed': '2026-02-18',
 'description': 'A Russian-speaking attacker with limited technical expertise '
                'leveraged commercial AI services to automate and scale a '
                'cyber intrusion campaign, breaching over 600 FortiGate '
                'security devices across 55 countries in 38 days. The attacker '
                'used AI-generated scripts to scan for exposed management '
                'ports, brute-force passwords, and deploy offensive tools like '
                'Meterpreter and Mimikatz to extract credentials and disable '
                'data recovery options.',
 'impact': {'data_compromised': 'Credentials (Active Directory), backup server '
                                'access',
            'operational_impact': 'Disabled data recovery options, potential '
                                  'ransomware deployment',
            'systems_affected': '600+ FortiGate devices, Veeam Backup & '
                                'Replication servers'},
 'initial_access_broker': {'entry_point': 'Exposed management ports (443, '
                                          '8443, 10443, 4443)',
                           'high_value_targets': 'Veeam Backup & Replication '
                                                 'servers',
                           'reconnaissance_period': '38 days (2026-01-11 to '
                                                    '2026-02-18)'},
 'investigation_status': 'Completed (public disclosure)',
 'lessons_learned': 'AI-driven attacks lower the barrier to entry for '
                    'cybercriminals, but traditional security measures (e.g., '
                    'MFA, patching, restricting public access to management '
                    'ports) remain effective. Basic cyber hygiene can thwart '
                    'even AI-augmented campaigns.',
 'motivation': 'Financial gain (potential ransomware)',
 'post_incident_analysis': {'corrective_actions': ['Restrict public access to '
                                                   'management ports',
                                                   'Enforce MFA',
                                                   'Patch known '
                                                   'vulnerabilities',
                                                   'Improve password policies'],
                            'root_causes': ['Exposed management ports',
                                            'Weak or reused passwords',
                                            'Unpatched vulnerabilities '
                                            '(CVE-2019-7192, CVE-2023-27532)',
                                            'Lack of MFA enforcement']},
 'recommendations': ['Restrict public access to management ports',
                     'Enforce Multi-Factor Authentication (MFA)',
                     'Avoid password reuse between security devices and '
                     'corporate networks',
                     'Promptly apply security patches'],
 'references': [{'source': 'Amazon Threat Intelligence'}],
 'response': {'third_party_assistance': 'Amazon Threat Intelligence'},
 'threat_actor': 'Russian-speaking cybercriminal',
 'title': 'AI-Powered Cyberattacker Compromises 600+ FortiGate Devices in '
          'Global Campaign',
 'type': 'Cyber Intrusion',
 'vulnerability_exploited': ['CVE-2019-7192', 'CVE-2023-27532']}