Amazon warns of a Russian-speaking threat actor using generative AI to automate attacks against Fortinet appliances across 55 countries.

A hacking campaign leveraging generative AI tools breached over 600 Fortinet firewalls across 55 countries in just five weeks, according to a new report from Amazon's Integrated Security team. Between January and February 2026, the threat actor targeted exposed management interfaces on FortiGate devices, exploiting weak credentials and absent multi-factor authentication (MFA) protections to gain initial access.
CJ Moses, CISO of Amazon Integrated Security, detailed how the attacker used AI-assisted Python and Go tools to parse stolen firewall configurations containing critical network intelligence: "Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, and compatibility shims for language built-ins with empty documentation stubs," Moses noted. These tools automated reconnaissance across victim networks, scanning for Active Directory controllers, SMB hosts, and Veeam backup servers.
The campaign displayed opportunistic targeting rather than industry-specific focus, scanning internet-exposed ports 443, 8443, 10443, and 4443. Instead of zero-day exploits, the attacker relied on brute-force attacks using common passwords. Once inside, they extracted:
- SSL-VPN credentials with recoverable passwords
- Administrative credentials
- Firewall policies and internal architecture
- IPsec VPN configurations
- Network topology data
The attacker's operational documentation, written in Russian, outlined tactics including DCSync attacks against Windows domain controllers using Mimikatz and Meterpreter. Custom PowerShell scripts specifically targeted Veeam Backup servers, with tools hosted on attacker-controlled infrastructure including a PowerShell script named "DecryptVeeamPasswords.ps1". Amazon confirmed attempts to exploit known vulnerabilities including:
- CVE-2023-27532 (Veeam information disclosure)
- CVE-2024-40711 (Veeam RCE)
- CVE-2019-7192 (QNAP RCE)

Despite only medium technical skill, the attacker amplified their capabilities through generative AI to:
- Generate step-by-step attack methodologies
- Develop custom reconnaissance scripts
- Plan lateral movement strategies
- Draft operational documentation
In one instance, the actor submitted a victim's full network topology—including IPs, credentials, and services—to an AI service requesting expansion strategies. "The campaign demonstrates how commercial AI services are lowering the barrier to entry," Amazon's report stated, noting attackers consistently abandoned hardened systems to pursue easier targets.
Critical Recommendations for Fortinet Administrators
- Immediately remove management interfaces from public internet access
- Enforce MFA on all administrative and VPN accounts
- Ensure VPN credentials differ from Active Directory passwords
- Patch all Veeam Backup servers and firewall systems
- Conduct audits for configuration file exposure risks
- Implement network segmentation around backup infrastructure
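As an added illustration of the first two recommendations (example code, not from Amazon's report or from Fortinet), the following Python script audits a constructed FortiGate-style configuration for management protocols allowed on WAN-role interfaces and for administrator accounts without two-factor authentication. The `allowaccess`, `role` and `two-factor` settings are FortiOS CLI keywords; the sample configuration and the flat, top-level-only parsing are simplifying assumptions.

```python
# Constructed FortiGate-style configuration for the audit below (not from the report or any real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
    next
    edit "ops"
        set two-factor fortitoken
    next
end
"""
# Protocols that expose a login surface when allowed on an interface.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

def parse_section(config, section):
    """Map entry name -> {setting: [values]} for one top-level 'config <section>' block (flat layout assumed)."""
    entries, current, inside = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"config {section}":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif inside and current and line.startswith("set "):
            key, *vals = line[4:].split()
            entries[current][key] = [v.strip('"') for v in vals]
    return entries

def audit(config):
    """Flag WAN interfaces with management access and admin accounts lacking two-factor."""
    findings = []
    for name, s in parse_section(config, "system interface").items():
        exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
        if s.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: {', '.join(sorted(exposed))} allowed on WAN")
    for name, s in parse_section(config, "system admin").items():
        if "two-factor" not in s:
            findings.append(f"admin {name}: no two-factor configured")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the exposed `wan1` interface and the `admin` account; the `internal` interface (LAN role) and the `ops` account (FortiToken configured) pass.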
This incident follows Google's recent warnings about AI abuse across attack lifecycles. Amazon stresses that basic hardening measures would have prevented most breaches in this campaign, highlighting how AI lowers entry barriers while amplifying existing vulnerabilities.
