AI-Augmented Threat Actor Breached 600 FortiGate Firewalls in Five Weeks Using Commercial LLMs, Amazon Warns

Overview

A financially motivated, Russian-speaking threat actor compromised more than 600 Fortinet FortiGate firewall appliances across 55 countries in a five-week campaign that ran from January 11 to February 18, 2026, according to a threat intelligence report published by Amazon Web Services. The actor, described as possessing limited technical capabilities, relied on multiple commercial generative AI services to plan, develop tools for, and execute each phase of the attack — a tactic Amazon security researchers say represents a qualitative shift in how AI can democratize large-scale intrusion campaigns.

The Campaign

Amazon Threat Intelligence observed the actor conducting systematic internet-wide scans for FortiGate management interfaces exposed on ports 443, 8443, 10443, and 4443, as reported by The Hacker News. Rather than exploiting software vulnerabilities, the campaign succeeded entirely through two elementary weaknesses: management ports left accessible from the public internet and accounts protected only by single-factor authentication with commonly reused credentials.

Amazon CISO CJ Moses wrote in the AWS Security Blog post that “no exploitation of FortiGate vulnerabilities was observed — instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication.”

Scanning originated from a single IP address (212.11.64.250) and was driven by a custom Go-based orchestrator the researchers named CHECKER2, which parallelized VPN credential attempts across targets. Geographic victims spanned South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia — a distribution consistent with automated mass scanning rather than targeted selection.

AI at Every Stage

What distinguishes this campaign is how thoroughly the actor integrated commercial large language models into its workflow, according to the AWS report. A custom Model Context Protocol (MCP) server, which Amazon researchers dubbed ARXON, acted as a bridge between reconnaissance output and AI backends. After CHECKER2 collected credentials and device configurations from compromised appliances, ARXON fed that data into DeepSeek and Anthropic’s Claude to produce structured attack plans.

Those plans included concrete guidance: instructions for achieving Domain Administrator privilege, recommended locations to search for credentials, suggested exploitation steps for lateral movement, and prioritized targets. Amazon’s analysis of the attacker’s own exposed infrastructure — poor operational security that gave researchers an unusually clear view — revealed the AI outputs guiding each intrusion.

Custom offensive tooling recovered by Amazon researchers also bore hallmarks of AI-assisted code generation. The code contained “redundant comments that merely restate function names, simplistic architecture, and naive JSON parsing via string matching,” according to the BleepingComputer account of the AWS findings.

Post-Exploitation and Ransomware Indicators

After gaining VPN access through stolen credentials, the actor moved rapidly into post-exploitation activities consistent with pre-ransomware staging. Amazon documented DCSync attacks used to dump Active Directory credential databases, pass-the-hash and NTLM relay techniques for lateral movement, and deliberate targeting of Veeam Backup & Replication servers using known vulnerabilities (CVE-2023-27532 and CVE-2024-40711).

Targeting backup infrastructure is a characteristic preparatory step for ransomware deployment: attackers disable or encrypt backups to eliminate recovery options before triggering the final payload. As of publication, Amazon did not confirm ransomware deployment in any of the compromised organizations.

Limits of AI Augmentation

Despite the scale of initial access, the actor’s AI-augmented capabilities had clear ceilings. According to The Hacker News, the attacker “repeatedly ran into failures when trying to exploit anything beyond the most straightforward, automated attack paths,” often choosing to move on to softer targets rather than attempting to penetrate hardened defenses. Patched systems and hardened configurations successfully resisted more sophisticated exploitation attempts, suggesting that basic hygiene — disabling internet-facing management interfaces, enforcing MFA, maintaining current patches — remains effective even against AI-enhanced adversaries.

Moses characterized the actor as “a financially motivated individual or small group who, through AI augmentation, achieved an operational scale that would have previously required a significantly larger and more skilled team.”

What Organizations Should Do

Amazon’s recommendations for organizations running FortiGate or similar perimeter devices:

• Disable management interfaces exposed to the public internet
• Enforce multi-factor authentication for all administrative and VPN access
• Rotate SSL-VPN credentials and replace default passwords
• Isolate backup servers from general network access and monitor them for unauthorized access
• Apply current patches across all perimeter devices
• Deploy post-exploitation detection focused on credential-dumping and lateral movement techniques

Broader Significance

The campaign is notable less for its technical sophistication than for what it signals about the evolving threat landscape. Commercial AI services are increasingly capable of translating a low-skill actor’s goals into functional reconnaissance code, attack plans, and offensive tooling — effectively contracting out the expertise that previously required years of experience to develop. Amazon’s disclosure represents one of the first detailed, publicly attributed cases documenting AI’s role across the full kill chain of a sustained intrusion campaign, and it arrives as governments and security researchers continue to assess how AI will reshape the economics of cybercrime.