AI-augmented Threat Actor Accesses FortiGate Devices at Scale
Summary:
A Russian-speaking, financially motivated threat actor has been observed using commercial generative artificial intelligence (AI) services to compromise more than 600 FortiGate devices across 55 countries.
The activity was identified by Amazon Threat Intelligence and tracked between January 11 and February 18, 2026.
“No exploitation of FortiGate vulnerabilities was observed—instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication,” the company said, noting that AI enabled a comparatively unsophisticated actor to operate at significant scale.
According to Amazon, the threat actor demonstrated limited baseline technical capability, but relied heavily on multiple commercial AI services to support tool development, attack planning, and command generation throughout the intrusion lifecycle. While one AI service acted as the primary operational backbone, a secondary model was used to assist with pivoting and decision-making inside compromised environments.
Amazon’s investigation found that the intrusions led to compromise of multiple Active Directory environments, extraction of full credential databases, and targeted access attempts against enterprise backup infrastructure, activity consistent with pre-ransomware operations. When the actor encountered hardened environments or more advanced defensive controls, they typically abandoned the target and moved on.
The company also identified publicly accessible attacker infrastructure hosting extensive operational artifacts, including AI-generated attack plans, victim configurations, and source code for custom tooling—describing the operation as an “AI-powered assembly line for cybercrime.”
At a technical level, the campaign relied on systematic scanning of internet-exposed FortiGate management interfaces across ports 443, 8443, 10443, and 4443, followed by authentication attempts using commonly reused credentials. After successful access, the actor extracted full device configuration files, enabling recovery of VPN and administrative credentials, firewall policies, and internal network topology.
The stolen information was then used to move deeper into victim environments, perform automated reconnaissance and vulnerability scanning, compromise Active Directory, harvest credentials, and pursue lateral movement. High-value systems, particularly Veeam Backup & Replication servers, were repeatedly targeted to obtain privileged credentials and weaken recovery capabilities.
Security Officer Comments:
In a separate analysis of the same campaign, researchers from Cyber and Ramen disclosed details about the specific AI services used by the actor. Their findings show that the operator relied on DeepSeek and Anthropic Claude to generate and operationalize attack workflows.
According to the researchers, DeepSeek was used to generate attack plans directly from reconnaissance data, while Anthropic Claude’s coding agent produced vulnerability assessments and supported execution of offensive tooling during active intrusions.
A custom Model Context Protocol (MCP) server, named ARXON, acted as an orchestration layer between the attacker’s tooling and the language models, maintaining a growing knowledge base across victims. The same exposed infrastructure hosted more than 1,400 files, including FortiGate configuration data, Nuclei scan outputs, credential-extraction utilities, BloodHound collections, and exploit material. Researchers also identified a custom Go-based orchestration tool, CHECKER2, used to scale parallel VPN scanning and target processing.
Suggested Corrections:
This campaign succeeded through a combination of exposed management interfaces, weak credentials, and single-factor authentication—all fundamental security gaps that AI helped an unsophisticated actor exploit at scale. This underscores that strong security fundamentals are powerful defenses against AI-augmented threats. Organizations should review and implement the following.
1. FortiGate appliance audit
Organizations running FortiGate appliances should take immediate action:
- Ensure management interfaces are not exposed to the internet. If remote administration is required, restrict access to known IP ranges and use a bastion host or out-of-band management network
- Change all default and common credentials on FortiGate appliances, including administrative and VPN user accounts
- Rotate all SSL-VPN user credentials, particularly for any appliance whose management interface was or may have been internet-accessible
- Implement multi-factor authentication for all administrative and VPN access
- Review FortiGate configurations for unauthorized administrative accounts or policy changes
- Audit VPN connection logs for connections from unexpected geographic locations
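An added example (not from the advisory or from Fortinet) of the configuration review in the list above: it parses a FortiOS configuration backup and reports administrative protocols enabled on internet-facing interfaces, administrators with no trusted-host restriction, and administrators without two-factor authentication. The sample configuration is constructed, and the `wan_interfaces` parameter (the caller names the internet-facing interfaces) is an assumption of this sketch.

```python
import re
# Constructed sample in FortiOS configuration-backup syntax; not from a real device.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""
ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet"}

def parse_section(config, section):
    """Return {entry: {key: value}} for one top-level 'config <section>' block."""
    entries, current, depth = {}, None, -1  # depth -1: section not reached yet
    for line in (raw.strip() for raw in config.splitlines()):
        if depth < 0:
            depth = 0 if line == f"config {section}" else -1
        elif line.startswith("config "):
            depth += 1  # nested sub-table inside an entry: its settings are skipped
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = entries.setdefault(m.group(1), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value
    return entries

def audit(config, wan_interfaces=("wan1", "wan2")):  # assumption: caller-supplied names
    for name, cfg in parse_section(config, "system interface").items():
        exposed = sorted(ADMIN_PROTOCOLS & set(cfg.get("allowaccess", "").split()))
        if name in wan_interfaces and exposed:
            yield name, "management on WAN: " + ",".join(exposed)
    for name, cfg in parse_section(config, "system admin").items():
        if not any(key.startswith("trusthost") for key in cfg):
            yield name, "no trusted-host restriction"
        if cfg.get("two-factor", "disable") == "disable":
            yield name, "single-factor admin login"
```

On the sample, `list(audit(SAMPLE_CONFIG))` flags `wan1` and the `admin` account, while `netops`, which has a trusted host and FortiToken set, produces no finding.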
2. Credential hygiene
Given the extraction of credentials from FortiGate configurations:
- Audit for password reuse between FortiGate VPN credentials and Active Directory domain accounts
- Implement multi-factor authentication for all VPN access
- Enforce unique, complex passwords for all accounts, particularly Domain Administrator accounts
- Review and rotate service account credentials, especially those used in backup infrastructure
3. Post-exploitation detection
Organizations that may have been affected should monitor for:
- Unexpected DCSync operations (Event ID 4662 with replication-related GUIDs)
- New scheduled tasks named to mimic legitimate Windows services
- Unusual remote management connections from VPN address pools
- LLMNR/NBT-NS poisoning artifacts in network traffic
- Unauthorized access to backup credential stores
- New accounts with names designed to blend with legitimate service accounts
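An added example (not from the advisory) of the first check in the list above: it filters Event ID 4662 records for the directory-replication control-access-right GUIDs and reports any account that exercised them but is not an expected replicator. The event records, the account names and the `EXPECTED_REPLICATORS` allowlist are constructed assumptions; the three GUIDs are the Active Directory replication rights.

```python
import re
from collections import defaultdict

# Control-access-right GUIDs that grant directory replication (AD schema constants).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumption: only domain controller machine accounts are expected to replicate.
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed records holding only the Event ID 4662 fields this check reads.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]

def find_unexpected_replication(events, expected=EXPECTED_REPLICATORS):
    """Map each account outside `expected` to the replication rights it exercised."""
    allowed = {name.upper() for name in expected}
    hits = defaultdict(set)
    for event in events:
        if event.get("EventID") != 4662:
            continue
        if not int(event.get("AccessMask", "0x0"), 16) & 0x100:  # 0x100 = Control Access
            continue
        guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
        rights = {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}
        account = event.get("SubjectUserName", "")
        if rights and account.upper() not in allowed:
            hits[account] |= rights
    return {account: sorted(rights) for account, rights in hits.items()}
```

An account that shows both Get-Changes and Get-Changes-All, as `svc_backup` does in the sample, holds the pair of rights a DCSync operation relies on and warrants priority review.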
4. Backup infrastructure hardening
The threat actor’s focus on backup infrastructure highlights the importance of:
- Isolating backup servers from general network access
- Patching backup software against known credential extraction vulnerabilities
- Monitoring for unauthorized PowerShell module loading on backup servers
- Implementing immutable backup copies that cannot be modified even with administrative access
https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/