A financially motivated, Russian-speaking threat actor used commercial generative AI-based tools to gain access to more than 600 FortiGate devices across 55 countries between Jan. 11 and Feb. 18, 2026, according to a new report from Amazon Threat Intelligence.
The campaign did not rely on zero-day exploits or newly disclosed vulnerabilities. Instead, the actor gained access by targeting internet-exposed management ports and weak credentials protected only by single-factor authentication. AWS infrastructure was not involved, Amazon confirmed.
While the actor showed limited ability to exploit hardened environments, they were able to scale routine attack techniques globally using AI-assisted tooling.
AI Enhances Opportunistic Attacks
Amazon Threat Intelligence found the actor used multiple commercial LLM providers to generate step-by-step attack plans, develop custom Go and Python-based reconnaissance scripts, and organize stolen data.
Investigators uncovered AI-generated operational notes, victim network configurations, and tooling stored on publicly accessible infrastructure, giving analysts visibility into the campaign.
After gaining access to FortiGate appliances, the actor extracted configuration files with administrative credentials, firewall rules, SSL-VPN passwords, and network topology data. Stolen credentials were then used to move laterally into internal networks.
Post-exploitation activity included compromising Active Directory through DCSync attacks, harvesting NTLM password hashes, and targeting backup systems like Veeam Backup & Replication.
In several cases, the actor obtained full domain credential databases. However, attempts to exploit known vulnerabilities, including CVE-2019-7192, CVE-2023-27532, and CVE-2024-40711, often failed when systems were patched or correctly hardened.
According to Amazon Threat Intelligence, the actor’s “advantage lies in AI-augmented efficiency and scale, not deeper technical skill.”
The report concludes that strong security fundamentals remain the most effective defense. Organizations are urged to remove internet exposure from management interfaces, enforce Multi-Factor Authentication (MFA), rotate credentials, segment networks, harden backup infrastructure, and favor behavioral detection over signature-based indicators.
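One behavioral detection that fits the DCSync activity described above is to watch Windows Security Event ID 4662 for principals that request directory replication rights on the domain root without being a domain controller or a known sync service. The following is an added illustration, not code from the Amazon report; the event records and account names are constructed, and the allowlist of expected replicators is an assumption an organization would fill in from its own inventory.

```python
from dataclasses import dataclass

# Control access rights a principal must request to pull directory
# replication data; a DCSync request asks for these on the domain root.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

@dataclass(frozen=True)
class Event4662:
    subject: str       # SubjectDomainName\SubjectUserName
    object_type: str   # ObjectType; "domainDNS" is the domain naming context
    properties: str    # Properties field, reduced here to {GUID} tokens

def replication_guids(properties: str) -> set[str]:
    """Return the replication-right GUIDs present in a Properties field."""
    tokens = {t.strip("{}").lower() for t in properties.split()}
    return tokens & REPLICATION_RIGHTS

def detect_dcsync(events, allowed_replicators):
    """Events where a non-allowlisted principal asked for replication rights
    on the domain root. DC machine accounts and known sync services
    (the allowlist) replicate legitimately and are skipped."""
    allowed = {a.lower() for a in allowed_replicators}
    hits = []
    for ev in events:
        if ev.object_type.lower() != "domaindns":
            continue
        if not replication_guids(ev.properties):
            continue
        if ev.subject.lower() in allowed:
            continue
        hits.append(ev)
    return hits

# Constructed sample events (hypothetical domain CORP, not from the report).
SAMPLE_EVENTS = [
    Event4662("CORP\\DC01$", "domainDNS",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("CORP\\jsmith", "domainDNS",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("CORP\\jsmith", "user", "{bf967aba-0de6-11d0-a285-00aa003049e2}"),
]
KNOWN_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$"}  # assumed inventory of DCs

if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS, KNOWN_REPLICATORS):
        print(f"possible DCSync: {hit.subject} requested replication rights on the domain root")
```

Auditing for replication rights must be enabled on the domain object's SACL for 4662 to be logged at all, so verify that before relying on this signal.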