Amazon Reveals AI-Powered Hacker Breached 600+ FortiGate Firewalls Across 55 Countries


A Russian-speaking threat actor compromised over 600 Fortinet FortiGate firewalls in 55 countries during a five-week campaign from January 11 to February 18, 2026. CJ Moses, Amazon's Chief Information Security Officer for Integrated Security, detailed how the attacker relied on generative AI services rather than zero-day exploits: the targets were internet-exposed management interfaces protected only by weak credentials and no MFA.

The campaign was opportunistic and cut across industries. The attackers scanned ports 443, 8443, 10443, and 4443 for exposed FortiGate administrative interfaces, then brute-forced them with common passwords. Once inside, custom AI-generated tools extracted device configurations, exposing SSL-VPN credentials, firewall policies, network topology, and IPsec VPN settings.

Amazon discovered the operation via a malicious server hosting attack tools. Russian operational notes described Meterpreter, Mimikatz DCSync attacks, and Veeam backup targeting. AI-assisted Python/Go recon tools showed hallmarks of LLM generation: redundant comments, naive JSON parsing, simplistic architecture. Tools failed against hardened targets.

Geographic Spread Table

Region           | Compromised Firewalls | Key Countries
-----------------|-----------------------|--------------------
South Asia       | High                  | India, Pakistan
Latin America    | High                  | Brazil, Mexico
West Africa      | Medium                | Nigeria, Ghana
Southeast Asia   | Medium                | Thailand, Indonesia
Northern Europe  | Low                   | Sweden, Finland
Caribbean        | Low                   | Various islands

55 countries total impacted.

Attack Chain Breakdown

  1. Discovery: Port scan for FortiGate admin interfaces (443/8443/10443/4443).
  2. Access: Brute-force weak/no-MFA credentials.
  3. Exfiltration: Extract SSL-VPN passwords, firewall configs, network maps.
  4. Recon: AI tools analyze routing tables, scan SMB/domain controllers.
  5. Backup Targeting: Veeam PowerShell credential dumps (DecryptVeeamPasswords.ps1).

No ransomware deployed.
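The first two steps of that chain, an internet-reachable admin interface and a credential brute-force, leave a distinctive trail in FortiGate event logs. The following Python script is an added example (not code from Amazon's report, from Fortinet, or from the actor's tooling) of the detection a defender would run over those logs: it counts failed administrator logins per source inside a sliding window and separately flags a successful login from a source that had just been failing, which is the moment of compromise. It assumes FortiOS event logs in key=value form with logid 0100032002 for a failed admin login and 0100032001 for a successful one; the sample log lines are constructed for the example.

```python
"""Brute-force and post-brute-force-success detection over FortiGate admin
login events.

Added example, not Amazon's or Fortinet's code. It assumes FortiOS event
logs in key=value form with logid 0100032002 for a failed administrator
login and 0100032001 for a successful one; the log lines below are
constructed for this example and do not come from the campaign.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_LOGIN_FAILED = "0100032002"
ADMIN_LOGIN_OK = "0100032001"

# Constructed sample: six failures from one source in about a minute, then
# a successful login from the same source; a second source fails only twice,
# hours apart; a third logs in cleanly from the LAN with no prior failures.
SAMPLE_LOGS = """\
date=2026-02-03 time=02:14:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-02-03 time=02:14:09 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-02-03 time=02:14:17 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-02-03 time=02:14:26 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-02-03 time=02:14:40 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2026-02-03 time=02:14:51 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-02-03 time=02:15:03 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-02-03 time=02:15:20 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="success" reason="none"
date=2026-02-03 time=08:30:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.10.0.25)" srcip=10.10.0.25 action="login" status="success" reason="none"
date=2026-02-03 time=09:00:00 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one FortiOS key=value log line into a dict with a datetime 'ts'."""
    ev = {k: (q if q else u) for k, q, u in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return findings as (kind, srcip, user, failure_count) tuples.

    'bruteforce' fires when a source reaches `threshold` failed admin logins
    inside `window`; 'success_after_failures' fires when a source that has
    failed inside the window then logs in successfully (the 'Access' step).
    """
    failures = defaultdict(list)   # srcip -> timestamps of failures still in window
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("logid") not in (ADMIN_LOGIN_FAILED, ADMIN_LOGIN_OK):
            continue                   # not an administrator login event
        src, ts = ev["srcip"], ev["ts"]
        recent = [t for t in failures[src] if ts - t <= window]   # slide the window
        if ev["logid"] == ADMIN_LOGIN_FAILED:
            recent.append(ts)
            if len(recent) == threshold:
                findings.append(("bruteforce", src, ev["user"], len(recent)))
        elif recent:
            findings.append(("success_after_failures", src, ev["user"], len(recent)))
        failures[src] = recent
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS.splitlines()):
        print(finding)
```

On the sample, the script raises one brute-force finding when 203.0.113.50 hits five failures and a second, higher-priority finding when the same source then logs in; the two stray failures from 198.51.100.77 fall outside the window and the LAN login from 10.10.0.25 has no failures behind it. The success-after-failures signal is the one to page on, since it marks a credential that has actually been guessed.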

AI Code Indicators

Amazon identified LLM fingerprints:

  • Redundant comments restating function names.
  • Naive string-based JSON parsing.
  • Empty documentation stubs.
  • Over-formatted simplistic architecture.
  • Edge-case failures common.

Low-skill actor amplified by AI.

Targeted Vulnerabilities

Operational notes referenced:

  • CVE-2019-7192 (QNAP RCE).
  • CVE-2023-27532 (Veeam info disclosure).
  • CVE-2024-40711 (Veeam RCE).

Systems patched against these CVEs withstood the exploitation attempts.

Recon Tool Features

Custom tools performed:

  • Routing table analysis and network classification.
  • gogo scanner port sweeps.
  • Nuclei HTTP service detection.
  • SMB host and domain controller enumeration.
  • Internal topology mapping for AI planning.

Russian documentation detailed DCSync.

Veeam Backup Attacks

Pre-ransomware infrastructure targeting:

  • DecryptVeeamPasswords.ps1 hosted on 212.11.64.250.
  • Compiled credential extraction tools.
  • Vulnerability exploitation attempts.

Destroying backups ahead of an extortion attempt denies the victim a recovery path; in this campaign no ransomware was ultimately deployed.

AI Service Abuse

Threat actor leveraged LLMs for:

  • Step-by-step attack methodologies.
  • Multi-language script generation (Python, Go).
  • Recon framework development.
  • Lateral movement planning.
  • Operational documentation drafting.

Network topology fed to AI for expansion strategies.

Amazon Recommendations

FortiGate hardening priorities:

  • Never expose management interfaces to the internet.
  • Enforce MFA everywhere, including administrative and VPN logins.
  • Use unique SSL-VPN credentials rather than Active Directory passwords.
  • Harden backup infrastructure.
  • Monitor firewall configuration changes.
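The first two recommendations map onto three FortiOS settings: `allowaccess` on each interface, `trusthostN` on each administrator, and `two-factor` on each administrator. The following Python script is an added example (not code from Amazon or Fortinet) that parses a FortiOS configuration dump, as produced by `show system interface` and `show system admin`, and reports the exact exposure pattern this campaign exploited, printing the CLI change that closes each gap. The configuration text it audits is constructed for the example; the keywords it looks for are standard FortiOS settings.

```python
"""Audit a FortiOS configuration dump for the exposure pattern behind this
campaign: management protocols reachable on a WAN-facing interface, and
administrator accounts with no trusted-host restriction or no MFA.

Added example, not Amazon's or Fortinet's code. The CLI keywords used
(allowaccess, role, trusthostN, two-factor) are standard FortiOS settings;
the configuration text below is constructed for this example, not taken
from any compromised device.
"""
import shlex

# Constructed sample: a WAN interface with HTTPS/SSH management enabled and
# a second super_admin account with neither trusthost nor MFA configured.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "backupadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} from config/edit/set blocks.

    Only top-level config blocks are parsed; nested blocks inside an edit
    (for example 'config ipv6') are skipped rather than descended into.
    """
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names like "wan1"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            depth += 1
            if depth == 1:
                section = " ".join(args)
                sections[section] = {}
        elif kw == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif depth != 1:
            continue                       # inside a nested block: ignore
        elif kw == "edit":
            entry = args[0]
            sections[section][entry] = {}
        elif kw == "next":
            entry = None
        elif kw == "set" and entry is not None:
            sections[section][entry][args[0]] = args[1:]
    return sections


def audit(config):
    """Return (kind, name, issue, fix_cli) findings against the parsed config."""
    findings = []
    for name, iface in config.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append(("interface", name,
                             "management protocols %s reachable from the internet" % sorted(exposed),
                             'config system interface\n    edit "%s"\n        set allowaccess ping\n    next\nend' % name))
    for name, admin in config.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(("admin", name, "no trusthost restriction",
                             'config system admin\n    edit "%s"\n        set trusthost1 <mgmt-net> <mask>\n    next\nend' % name))
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("admin", name, "no MFA",
                             'config system admin\n    edit "%s"\n        set two-factor fortitoken\n    next\nend' % name))
    return findings


if __name__ == "__main__":
    for kind, name, issue, fix in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{kind}] {name}: {issue}\n{fix}\n")
```

Against the sample the audit flags `wan1` (HTTPS and SSH reachable from the internet) and `backupadmin` twice (no trusthost, no MFA); the `internal` interface carries the same `allowaccess` but is LAN-facing, and `admin` is restricted to the management subnet with FortiToken enabled. The `<mgmt-net> <mask>` placeholder in the trusthost fix is deliberately left for the operator, since the right value depends on where administration legitimately happens.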

Campaign Characteristics

Actor Profile | Attack Style              | Success Factors
--------------|---------------------------|-------------------------
Skill Level   | Low-to-medium             | AI amplification
Targeting     | Opportunistic             | Exposed admin interfaces
Duration      | 5 weeks (Jan 11-Feb 18)   | 600+ firewalls breached
Languages     | Russian operational notes | Multi-language tools

No specific industries targeted.

FAQ

How many FortiGate firewalls were breached?

Over 600 across 55 countries in 5 weeks.

Did attackers use zero-day exploits?

No. Brute-force on exposed admin interfaces with weak credentials.

What AI indicators appeared in attack tools?

Redundant comments, naive JSON parsing, simplistic code structure.

Which backup software was targeted?

Veeam Backup & Replication via DecryptVeeamPasswords.ps1.

What regions saw most compromises?

South Asia, Latin America highest concentration.

What ports did attackers scan?

443, 8443, 10443, 4443 for FortiGate management interfaces.

Readers help support VPNCentral. We may get a commission if you buy through our links; read our disclosure page to find out how you can help VPNCentral sustain the editorial team.
