AI-Powered Hackers Breach 600 FortiGate Firewalls in Five Weeks, Leaving Cybersecurity Experts Worried
In a recent campaign that has left cybersecurity experts shaken, a group of hackers using generative AI services breached over 600 FortiGate firewalls across 55 countries in just five weeks. The attack, which was carried out by a Russian-speaking hacker, targeted exposed management interfaces and weak credentials that lacked multi-factor authentication (MFA) protection. Instead of relying on exploits or zero-day vulnerabilities, the threat actor used AI to help automate access to other devices on the breached network.
The campaign ran between January 11th and February 18th, 2026, and was discovered by Amazon Integrated Security after it found a server hosting malicious tools used to target Fortinet FortiGate firewalls. The compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.
Amazon's CISO, CJ Moses, revealed that the threat actor targeted FortiGate management interfaces exposed to the internet by scanning for services running on ports 443, 8443, 10443, and 4443. The targeting was reportedly opportunistic rather than against any specific industries. Instead of exploiting zero-days or using brute-force attacks with common passwords, the actor used AI-assisted Python and Go tools to extract the device's configuration settings.
The tools then parsed and decrypted the configuration files. The tools themselves showed clear indicators of AI-assisted development, such as redundant function names, simplistic architecture, naive JSON parsing via string matching, and compatibility shims for language built-ins with empty documentation stubs. They were used to automate reconnaissance on the breached networks by analyzing routing tables, classifying networks by size, running port scans using the open-source gogo scanner, identifying SMB hosts and domain controllers, and using Nuclei to look for HTTP services.
The researchers say that while the tools were functional, they commonly failed in more hardened environments. Operational documentation written in Russian detailed how to use Meterpreter and mimikatz to conduct DCSync attacks against Windows domain controllers and extract NTLM password hashes from the Active Directory database. The campaign also specifically targeted Veeam Backup & Replication servers using custom PowerShell scripts, compiled credential-extraction tools, and attempted to exploit Veeam vulnerabilities.
The threat actors' "operational notes" contained multiple references to trying to exploit various vulnerabilities, including CVE-2019-7192 (QNAP RCE), CVE-2023-27532 (Veeam information disclosure), and CVE-2024-40711 (Veeam RCE). The report says that the attacker repeatedly failed when attempting to breach patched or locked-down systems, but instead of continuing to try to gain access, they moved on to easier targets.
While Amazon believes the threat actor has a low-to-medium skill set, that skill set was greatly amplified through the use of AI. The researchers say the threat actor utilized at least two large language model providers throughout the campaign to spread their attack and automate tasks. In one instance, the actor reportedly submitted a full internal victim network topology, including IP addresses, hostnames, credentials, and known services, to an AI service and asked for help spreading further into the network.
The campaign demonstrates how commercial AI services are lowering the barrier to entry for threat actors, enabling them to carry out attacks that would normally be outside their skill set. Amazon recommends that FortiGate admins not expose management interfaces to the internet, ensure MFA is enabled, ensure VPN passwords are not the same as those for Active Directory accounts, and harden backup infrastructure.
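One way to check a FortiGate configuration against the recommendations above, as an added example that is not part of the original article or of Amazon's tooling: it reads the CLI-style config format and flags management access on WAN-role interfaces and admin or VPN accounts with no second factor. The sample config and the minimal parser are constructed for this example; the parser handles flat blocks only, and the VPN-versus-Active-Directory password reuse point is not checked because it needs data outside the config.

```python
# Constructed sample config (not from the incident); admin and vpn-bob lack a second factor.
SAMPLE_CONFIG = """config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
    next
    edit "ops"
        set two-factor fortitoken
    next
end
config user local
    edit "vpn-bob"
    next
end
"""
def parse_sections(text):
    """Return {section: {entry: {key: value}}}; flat FortiGate blocks with edit entries only."""
    out, sec, ent = {}, None, None
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            sec, ent = rest, None
            out.setdefault(sec, {})
        elif word == "edit" and sec:
            ent = rest.strip('"')
            out[sec][ent] = {}
        elif word == "set" and ent:
            key, _, val = rest.partition(" ")
            out[sec][ent][key] = val.strip('"')
        elif word == "end":
            sec, ent = None, None
    return out
def audit(text):
    """Return (object, problem) findings; an empty list means every check passed."""
    cfg, findings = parse_sections(text), []
    for name, a in cfg.get("system interface", {}).items():
        # Management services (allowaccess) reachable on an interface in the WAN role.
        exposed = {"http", "https", "ssh", "telnet"} & set(a.get("allowaccess", "").split())
        if a.get("role") == "wan" and exposed:
            findings.append((name, "management on WAN: " + " ".join(sorted(exposed))))
    # Admin and local (VPN) accounts need a second factor; FortiGate omits the default "disable".
    for section, label in (("system admin", "admin"), ("user local", "VPN user")):
        for name, a in cfg.get(section, {}).items():
            if a.get("two-factor", "disable") == "disable":
                findings.append((name, f"{label} without two-factor"))
    return findings
```

Run `audit()` over a config backup pulled from the device; each finding names the interface or account to fix.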
This report shares Amazon's assessment that generative AI is being used as a multiplier, allowing attackers to scale intrusions more efficiently. The use of AI in cyberattacks has been on the rise, with Google recently reporting that threat actors are abusing Gemini AI across all stages of cyberattacks, mirroring what Amazon observed in this campaign.
The breach of 600 FortiGate firewalls by an AI-assisted attacker highlights the growing threat that generative AI poses in cybersecurity. As AI technology continues to advance, defenders should prioritize patching edge devices and auditing unusual SSH activity and VPN account creation. By staying informed about emerging threats and taking proactive measures to secure their infrastructure, organizations can reduce the risk of falling victim to AI-powered attacks.
**Additional Technical Details**
Separate research published on the Cyber and Ramen security blog provides additional technical details about how AI and large language models were incorporated directly into the intrusion campaign. The researcher shared that the misconfigured server at 212.11.64[.]250, also found by Amazon, exposed 1,402 files, including stolen FortiGate configuration backups, Active Directory mapping data, credential dumps, vulnerability assessments, and attack planning documents.
The server contained 139 subdirectories, with folders holding CVE exploit code, FortiGate configuration files, Nuclei scanning templates, and Veeam credential-extraction tools. Two folders named claude-0 and claude contained over 200 files between them, including Claude Code task outputs, session diffs, and cached prompt states.
A folder titled fortigate_27.123 (full IP redacted) held configuration data and credentials from what appeared to be a compromised FortiGate appliance. The exposed files included a custom Model Context Protocol (MCP) server named ARXON, which acted as a bridge between reconnaissance data and commercial large language models.
The researcher said they were unable to find any public references to ARXON, indicating it was likely a custom MCP framework created by the threat actor. An MCP server acts as an intermediary layer that ingests data, feeds it into language models, and then uses the generated output with other tools. In this campaign, the ingested data was used to automate post-compromise analysis and attack planning.
A separate Go tool called CHECKER2 is a Docker-based orchestrator that was used to scan thousands of VPN targets in parallel, with logs showing more than 2,500 potential targets across 100+ countries.