A technical report from Amazon Integrated Security describes a Russian-speaking actor who used commercial generative AI tooling to compromise more than 600 FortiGate firewalls in over 55 countries between January 11 and February 18.
KEY FACTS
- Incident: Compromise of FortiGate management interfaces without exploiting software vulnerabilities
- Scale: Over 600 devices across more than 55 countries, from January 11 to February 18
- Method: Brute-force access using commonly reused credentials against exposed management ports
- Impact: Active Directory compromises, full credential extraction, and targeting of backup systems
The intruder reached devices through management ports exposed to the internet and protected only by weak, single-factor credentials. Rather than relying on any platform vulnerability, the actor worked from lists of commonly reused passwords to gain entry.
After obtaining firewall admin credentials, the actor exported policies, network topology and VPN configurations. Those artifacts were parsed and organized with AI-assisted Python scripts to prepare VPN access and follow-on activity.
Once inside the VPN, the actor deployed custom reconnaissance tools written in Go and Python. The tooling showed hallmarks of AI-generated code, such as redundant comments, naive JSON handling and fragile edge-case behavior.
Operators left operational files and source code on publicly accessible infrastructure. The campaign used unnamed commercial AI services outside of AWS to generate and scale the attacker toolkit.
WHY IT MATTERS
The incident shows that AI can amplify the reach of an attack by automating tool development and scaling brute-force campaigns. Organizations that do not restrict management interfaces, enforce multifactor authentication and maintain credential hygiene risk large-scale compromise and potential ransomware follow-on activity.
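The brute-force pattern described under Method, and the management-interface exposure the closing paragraph warns about, can both be surfaced from the firewall's own event logs. The following Python script is an added example written for this page, not code from the Amazon report or from Fortinet: it parses FortiOS-style key=value admin login events, flags a burst of failed logins from one source, and flags a successful admin login that either follows such a burst (a guessed password that worked) or comes from an address outside an assumed management allowlist (10.10.0.0/24 here). The log lines are constructed for the example; field names such as logdesc, srcip, status and reason follow common FortiOS event logs, and the logid values are illustrative, so check them against your firmware's log reference before deploying.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example for this page, not code from the Amazon report. The allowlist
# and every log line below are constructed; adjust to your own environment.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed trusthost ranges

# Template in the FortiOS key=value layout (quoted values may contain spaces).
# logid values are illustrative; verify against your firmware's log reference.
_LINE = ('date={date} time={time} logid="{logid}" type="event" subtype="system" '
         'level="{level}" logdesc="{desc}" user="{user}" ui="https({src})" '
         'method="https" srcip={src} dstip=198.51.100.2 action="login" '
         'status="{status}" reason="{reason}" '
         'msg="Administrator {user} login {status} from https({src})"')


def _evt(ts, user, src, status):
    """Build one constructed admin login event line."""
    date, time = ts.split(" ")
    fail = status == "failed"
    return _LINE.format(date=date, time=time,
                        logid="0100032002" if fail else "0100032001",
                        level="alert" if fail else "information",
                        desc="Admin login failed" if fail else "Admin login successful",
                        user=user, src=src, status=status,
                        reason="passwd_invalid" if fail else "none")


# Constructed sample: a guessing burst against "admin" from 203.0.113.7 ends in a
# success; an operator on the management LAN mistypes once; an untrusted source
# logs in cleanly with no prior failures (a reused or leaked password).
SAMPLE_LOG = [
    _evt("2026-02-03 02:14:05", "admin", "203.0.113.7", "failed"),
    _evt("2026-02-03 02:14:09", "admin", "203.0.113.7", "failed"),
    _evt("2026-02-03 02:14:12", "admin", "203.0.113.7", "failed"),
    _evt("2026-02-03 02:14:16", "admin", "203.0.113.7", "failed"),
    _evt("2026-02-03 02:14:21", "admin", "203.0.113.7", "failed"),
    _evt("2026-02-03 02:15:40", "admin", "203.0.113.7", "success"),
    _evt("2026-02-03 03:05:12", "jdoe", "10.10.0.5", "failed"),
    _evt("2026-02-03 03:05:30", "jdoe", "10.10.0.5", "success"),
    _evt("2026-02-03 04:40:02", "admin", "198.51.100.9", "success"),
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict, honouring quoted values."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def analyse(lines, threshold=5, window=timedelta(minutes=10),
            success_horizon=timedelta(hours=1), trusted=TRUSTED_MGMT_NETS):
    """Return alerts as (kind, srcip, user, timestamp) tuples in time order."""
    events = []
    for line in lines:
        r = parse_event(line)
        if r.get("action") != "login" or "user" not in r:
            continue
        ts = datetime.fromisoformat(f"{r['date']}T{r['time']}")
        events.append((ts, r["srcip"], r["user"], r["status"]))
    events.sort()

    recent_failures = defaultdict(deque)  # srcip -> failure times inside the window
    burst_seen_at = {}                    # srcip -> when its burst was first flagged
    alerts = []
    for ts, src, user, status in events:
        if status == "failed":
            q = recent_failures[src]
            q.append(ts)
            while ts - q[0] > window:       # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in burst_seen_at:
                burst_seen_at[src] = ts
                alerts.append(("brute_force", src, user, ts))
        elif status == "success":
            after_burst = (src in burst_seen_at
                           and ts - burst_seen_at[src] <= success_horizon)
            untrusted = not any(ipaddress.ip_address(src) in n for n in trusted)
            if after_burst:                 # the guessing worked: highest priority
                alerts.append(("success_after_burst", src, user, ts))
            elif untrusted:                 # admin login from outside the allowlist
                alerts.append(("untrusted_source", src, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in analyse(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<20} src={src} user={user}")
```

The single mistyped password from the management LAN produces no alert, while the untrusted success with no preceding burst still fires, since a password reused from another breach needs no guessing at all; that second rule is the one that catches the campaign's entry method when the failures happened against a different device.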