AI Hacker Breached 600 Fortinet Firewalls in 5 Weeks

Summary
– A Russian-speaking hacker breached over 600 FortiGate firewalls across 55 countries by targeting exposed management interfaces and weak credentials, not by using software exploits.
– The threat actor used generative AI services to develop custom tools for automating network reconnaissance, credential decryption, and attack planning, amplifying their capabilities.
– Compromised configuration files revealed VPN credentials, network architecture, and firewall policies, which were then analyzed using AI-assisted Python and Go tools.
– The campaign specifically targeted Veeam backup servers to hinder recovery and demonstrated a shift to easier targets when faced with patched or hardened systems.
– Researchers warn this campaign shows how commercial AI services are lowering the barrier to entry for cyberattacks, enabling less skilled actors to conduct sophisticated intrusions.
A recent cybersecurity incident highlights a significant shift in how threat actors leverage technology, with a Russian-speaking hacker exploiting generative AI to breach over 600 Fortinet FortiGate firewalls across 55 nations in just over a month. The campaign, which ran from mid-January to mid-February 2026, did not rely on sophisticated software exploits. Instead, it capitalized on fundamental security lapses: management interfaces exposed directly to the internet and weak credentials lacking multi-factor authentication (MFA). Once initial access was gained, the attacker used AI to automate the process of exploring and compromising the internal networks behind these critical security appliances.
The investigation, led by Amazon’s security team, began after discovering a server hosting malicious tools designed for these intrusions. The hacker employed a simple but effective method, scanning the internet for FortiGate devices with management services accessible on common ports like 443 and 8443. The targeting was broad and opportunistic, not focused on any specific sector. Gaining entry was a matter of brute-forcing common passwords on these exposed interfaces.
Upon breaching a firewall, the attacker extracted critical configuration files. These files contained a treasure trove of information, including recoverable SSL-VPN user passwords, administrative credentials, internal firewall policies, and detailed network topology. The configuration data was then parsed and decrypted using custom tools written in Python and Go that showed clear signs of AI-assisted development. Analysts noted redundant comments, simplistic architecture, and naive coding practices, hallmarks of code generated by large language models without significant human refinement.
These AI-powered tools were then deployed inside victim networks to automate reconnaissance. They analyzed routing tables, classified network segments, ran port scans, and identified key systems like domain controllers and SMB hosts. While functional for the attacker’s specific goals, the tools often failed in more hardened environments, revealing their limitations. Operational notes, written in Russian, detailed plans to use tools like Meterpreter and mimikatz to pull password hashes from Active Directory in what are known as DCSync attacks.
The campaign also showed a keen interest in Veeam Backup & Replication servers, a common precursor to ransomware deployment. The attacker used custom PowerShell scripts and compiled tools to target these systems, attempting to exploit known vulnerabilities to compromise backup data and prevent recovery. A server hosted at 212[.]11.64.250 contained a script named “DecryptVeeamPasswords.ps1,” underscoring this focus. The attacker’s notes referenced several other vulnerabilities, but when faced with patched or locked-down systems, they typically abandoned efforts and moved to easier targets.
Amazon’s assessment is that the individual possessed a low-to-medium skill level, but generative AI acted as a powerful force multiplier. The threat actor used at least two commercial AI services to generate attack methodologies, develop custom scripts, create reconnaissance frameworks, and even draft operational documentation. In one stark example, the actor submitted a complete internal network map, including IPs, hostnames, and credentials, to an AI and asked for a strategy to spread deeper into the environment.
Further technical analysis published on the Cyber and Ramen security blog provides deeper insight into the AI integration. The misconfigured server found by Amazon exposed over 1,400 files, including stolen configuration backups, credential dumps, and folders labeled for outputs from the Claude AI. Crucially, the server hosted a custom tool called ARXON, a Model Context Protocol (MCP) server that acted as a bridge between stolen reconnaissance data and commercial language models like DeepSeek and Claude.
This ARXON system automated post-compromise analysis and attack planning. It would feed network data into the AI and receive back structured plans with steps to gain Domain Admin privileges, locate credentials, and move laterally. In some configurations, the Claude Code agent was set to autonomously execute offensive tools like Impacket and Metasploit modules. The operation evolved from using an open-source MCP framework to this fully customized, automated ARXON system over several weeks.
A separate Go-based tool, CHECKER2, was used as a Docker-based orchestrator to scan thousands of VPN targets in parallel, with logs indicating over 2,500 potential targets globally. While not part of the same campaign, a separate discovery by researcher Germán Fernández of AI-generated tools targeting FortiWeb servers further illustrates the trend of threat actors adopting these technologies.
The overarching conclusion from security professionals is clear: commercial AI services are dramatically lowering the barrier to entry for cybercrime, enabling less skilled actors to conduct widespread, automated intrusion campaigns. The primary defense recommendations remain foundational: do not expose management interfaces to the public internet, enforce MFA universally, ensure VPN passwords differ from Active Directory credentials, and rigorously harden backup infrastructure. Defenders are advised to prioritize patching edge devices and closely audit logs for unusual SSH activity and VPN account creation.
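As an added example, not code from the article, Amazon or Fortinet, the following Python audit applies the last recommendation to constructed FortiGate-style event lines: it flags administrative SSH logins from outside a trusted management range, bursts of failed logins against the management interface, and creation of new local/VPN user accounts. The key=value field names (action, status, ui, srcip, cfgpath, cfgobj), the 10.0.0.0/8 trusted range and the failure threshold are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events in FortiGate-style key=value syntax (not real device output;
# the field names action/status/ui/srcip/cfgpath/cfgobj are an assumption of this example).
SAMPLE_LOGS = """\
date=2026-01-20 time=03:12:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-01-20 time=03:12:03 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-01-20 time=03:12:05 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-01-20 time=03:12:09 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)"
date=2026-01-20 time=03:15:40 type="event" subtype="system" action="Add" cfgpath="user.local" cfgobj="vpnuser2" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)"
date=2026-01-20 time=09:00:00 type="event" subtype="system" action="login" status="success" user="netops" srcip=10.0.0.5 ui="ssh(10.0.0.5)"
"""

# Management networks from which interactive admin logins are expected (assumed value).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAILED_LOGIN_THRESHOLD = 3  # failures per source IP before flagging a brute-force attempt
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_trusted(ip):
    """True when the source address falls inside an expected management network."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False

def analyze(log_text):
    """Return (rule, srcip, detail) findings over FortiGate-style event lines."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("type") != "event":
            continue
        src, ui = ev.get("srcip", "?"), ev.get("ui", "")
        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                failures[src] += 1
            elif ui.startswith("ssh") and not is_trusted(src):
                findings.append(("ssh_login_untrusted_src", src, ev.get("user", "?")))
        # A new local or VPN user object added to the device configuration
        if ev.get("action") == "Add" and ev.get("cfgpath", "").startswith(("user.", "vpn.")):
            findings.append(("account_created", src, ev.get("cfgobj", "?")))
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("login_bruteforce", src, f"{n} failed logins"))
    return findings

if __name__ == "__main__":
    for rule, src, detail in analyze(SAMPLE_LOGS):
        print(f"{rule:25} {src:15} {detail}")
```

The trusted login from 10.0.0.5 produces no finding, while the three events from 198.51.100.7 reproduce the pattern the article describes: password guessing, then an SSH login, then a new VPN account.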
(Source: Bleeping Computer)