Hacker Leverages AI to Breach Hundreds of FortiGate Devices Globally
- Feb 25
Amazon Alerts: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally
Key Findings:
A Russian-speaking individual with limited technical skills managed to infiltrate over 600 FortiGate security devices across 55 countries in just over a month.
The attacker used commercial AI services as a force multiplier, turning basic hacking into a high-speed assembly line.
The attacker systematically scanned the internet for exposed management ports and used AI to test common or stolen passwords.
Once inside, the attacker stole passwords from the company's main servers and targeted Veeam Backup & Replication servers to remove the victim's ability to recover data.
The attacker's reliance on AI was also their Achilles heel, as the AI-generated code sometimes failed when dealing with more advanced exploits.
Background
This campaign ran from 11 January to 18 February 2026 and was uncovered by Amazon Threat Intelligence. The findings reveal a new breed of cybercriminal - the AI-augmented attacker - who was able to accomplish complex tasks despite having limited technical skills.
High-Speed Scouting
Breaking into a global network typically requires a large team, but this attacker used AI to write Python and Go scripts that automated the tedious work. They systematically scanned the internet for "open windows," specifically management interfaces exposed on ports 443, 8443, 10443, and 4443, and used AI to test common or stolen passwords against them.
Focus on Backups and Passwords
Once inside, the attacker's goal was clear - total control. They deployed well-known tools like Meterpreter and Mimikatz to steal passwords from the company's main servers, known as Active Directory. Perhaps most concerningly, they specifically hunted for Veeam Backup & Replication servers, as targeting backups can leave a company with no choice but to pay a ransom.
Limitations of AI-Reliance
Interestingly, the hacker's reliance on AI was also their Achilles heel. While the AI could write code, that code was sometimes messy and failed when things got complicated. When the attacker tried to use advanced exploits, such as CVE-2019-7192 or CVE-2023-27532, the attempts failed because the attacker did not understand how to tweak the code for updated systems.
Staying Safe in the AI Era
Amazon's security chief, CJ Moses, points out that while the AI tools are new, the solution is old-fashioned. To protect your organization, you should ensure your device management ports are not visible to the public internet and always use Multi-Factor Authentication (MFA), as a password alone is no longer enough. Furthermore, never reuse passwords between your security devices and your main office network, and keep all software updated, as most of the attacker's advanced attempts failed simply because the victims had installed their security patches.
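As an added illustration of the first two recommendations (not code from Amazon, Fortinet, or the original article), the following Python sketch audits a FortiOS configuration backup for administrative access enabled on WAN-role interfaces and for admin accounts lacking trusted hosts or two-factor authentication. The sample configuration is constructed, and the check assumes internet-facing interfaces are marked with `set role wan` and ignores other controls such as local-in policies.

```python
# Constructed sample in FortiOS backup syntax (not from a real device).
MGMT = {"https", "http", "ssh", "telnet"}  # administrative access protocols
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
    next
    edit "ops"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

def parse_sections(text):  # -> {section: {entry: {key: [values]}}}
    sections, section, entry, depth = {}, None, None, 0
    for cmd, *args in (l.split() or [""] for l in text.splitlines()):
        if cmd == "config":
            depth += 1
            if depth == 1:
                section, entry = sections.setdefault(" ".join(args), {}), None
        elif cmd == "end":
            depth = max(depth - 1, 0)
        elif depth != 1:
            continue  # nested sub-block, or text outside any block
        elif cmd == "edit":
            entry = section.setdefault(args[0].strip('"'), {})
        elif cmd == "next":
            entry = None
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
    return sections

def audit(text):
    cfg, findings = parse_sections(text), []
    for name, s in cfg.get("system interface", {}).items():
        exposed = sorted(MGMT & set(s.get("allowaccess", [])))
        if s.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: admin access on WAN via {' '.join(exposed)}")
    for name, s in cfg.get("system admin", {}).items():
        if not any("trusthost" in k for k in s):
            findings.append(f"admin {name}: no trusted-host restriction")
        if s.get("two-factor", ["disable"]) == ["disable"]:  # absent means default
            findings.append(f"admin {name}: no two-factor authentication")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags `wan1` and the `admin` account, while the `ops` account, which has a trusted host and a token configured, passes.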
Sources
https://hackread.com/amazon-hacker-ai-tools-breach-fortigate-devices/
https://x.com/HackRead/status/2026321543156863111
https://www.reddit.com/r/pwnhub/comments/1rdlu3p/amazon_alerts_lowskill_hacker_utilizes_ai_to/
https://www.siliconrepublic.com/enterprise/amazon-aws-commercial-gen-ai-firewall-fortigate-breach
