AI-assisted threat actors compromised more than 600 Fortinet FortiGate firewalls in 55 countries between January 11 and February 18, 2026. The attackers scanned ports 443, 8443, 10443, and 4443 for exposed FortiGate admin panels.
According to Amazon's findings, the attackers logged in with common passwords and were careful not to use brute force that could have revealed them early.
When Amazon discovered the hacking operation through a malicious server hosting attack tools, it found Russian-language operational notes describing Meterpreter, Mimikatz DCSync attacks, and Veeam backup targeting.
Further, the Python and Go reconnaissance tools showed hallmarks of LLM generation: redundant comments, naive JSON parsing, and a simplistic architecture.
A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.
According to Moses, the compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.
Attack Analysis of the AI-Assisted Campaign
According to Amazon, the campaign came to light after it found a server hosting malicious tools that were used to target Fortinet FortiGate firewalls.
As part of the campaign, the threat actor targeted FortiGate management interfaces exposed to the internet by scanning for services running on ports 443, 8443, 10443, and 4443. The targeting was reportedly opportunistic rather than aimed at any specific industries.
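The scanning and password-guessing activity described above leaves a trace in the firewall's own admin-login events. The script below is an added detection example, not code from the original article or from Amazon's report. It assumes FortiOS-style key=value event logs carrying `action`, `status`, `srcip`, `dstport` and `user` fields (the sample lines are constructed, not real captures) and flags any source that fails admin logins on the four management ports named in the article, or that succeeds after earlier failures.

```python
import re
from collections import defaultdict

# Management ports the article says the attackers scanned for exposed admin panels.
MGMT_PORTS = {443, 8443, 10443, 4443}

# Constructed sample lines approximating FortiOS key=value admin-login events.
# These are not real captures; the field layout is an assumption about your logs.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:07 type="event" subtype="system" action="login" status="failed" srcip=203.0.113.10 dstport=443 user="admin" method="https"
date=2026-01-12 time=03:14:09 type="event" subtype="system" action="login" status="failed" srcip=203.0.113.10 dstport=8443 user="admin" method="https"
date=2026-01-12 time=03:14:12 type="event" subtype="system" action="login" status="failed" srcip=203.0.113.10 dstport=10443 user="admin" method="https"
date=2026-01-12 time=03:14:15 type="event" subtype="system" action="login" status="success" srcip=203.0.113.10 dstport=4443 user="admin" method="https"
date=2026-01-12 time=03:20:00 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.7 dstport=443 user="admin" method="https"
date=2026-01-12 time=09:00:00 type="event" subtype="system" action="login" status="success" srcip=192.0.2.5 dstport=443 user="netops" method="https"
"""

# key=value pairs; values may be quoted ("...") or bare (IPs, dates, ports).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted and bare values both handled)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def analyze(log_text, fail_threshold=3):
    """Return alerts for sources that (a) reach `fail_threshold` failed admin logins
    on the management ports, or (b) log in successfully after earlier failures."""
    failures = defaultdict(list)  # srcip -> [(dstport, user), ...]
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event.get("action") != "login" or "srcip" not in event:
            continue
        try:
            port = int(event.get("dstport", ""))
        except ValueError:
            continue
        if port not in MGMT_PORTS:
            continue  # only admin-interface ports matter for this detection
        src = event["srcip"]
        user = event.get("user", "")
        if event.get("status") == "failed":
            failures[src].append((port, user))
            if len(failures[src]) == fail_threshold:
                # Same source failing across several management ports: spraying, not a typo.
                alerts.append(("spray", src, sorted({p for p, _ in failures[src]})))
        elif event.get("status") == "success" and failures[src]:
            # A success following failures from the same source is the event to act on.
            alerts.append(("success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

The threshold is deliberately low because the article notes the attackers avoided noisy brute force; a handful of failures spread over several management ports from one source is the pattern to watch, and a subsequent success from that source should trigger a credential reset and a review of the admin interface's exposure.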
“Following VPN access to victim networks, the threat actor deploys a custom reconnaissance tool, with different versions written in both Go and Python,” explained Amazon.
According to the researchers, the tools were functional but commonly failed in more hardened environments. Documentation written in Russian detailed how to use Meterpreter and Mimikatz to conduct DCSync attacks against Windows domain controllers and extract NTLM password hashes from the Active Directory database.
The campaign also specifically targeted Veeam Backup & Replication servers using custom PowerShell scripts, compiled credential-extraction tools, and attempted to exploit Veeam vulnerabilities.
On one of the servers found by Amazon (212[.]11.64.250), the threat actor hosted a PowerShell script named “DecryptVeeamPasswords.ps1” that was used to target the backup application.
Threat Actor Methodologies
Further, the threat actor used at least two large language model providers throughout the campaign to:
Even though the threat actors had a low skill set, AI tools amplified their attacks.
What Makes AI a Powerful Tool for Hackers?
AI and large language models (LLMs) are lowering the barrier to entry for cyberattacks, enabling attackers to generate convincing phishing messages. Automated ransomware campaigns are now rampant, and with AI it is easy to scale malicious operations far beyond what was previously possible.
Conclusion:
Malicious use of AI can be limited if developers integrate security by design: embedding secure protocols, testing algorithms against potential abuse, and ensuring regular patching and updates.
Only by analyzing their tools in depth and anticipating how attackers might misuse them can developers reduce enterprise exposure to cyber attacks and put AI to work for threat detection and vulnerability management.
Sources: https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/