Amazon: AI-assisted hacker breached 600 FortiGate firewalls in 5 weeks
February 21, 2026 08:50 AM

Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks.

A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.

Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.

Moses says the compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.

An AI-powered hacking campaign

Amazon says it learned about the campaign after finding a server hosting malicious tools used to target Fortinet FortiGate firewalls.

As part of the campaign, the threat actor targeted FortiGate management interfaces exposed to the internet by scanning for services running on ports 443, 8443, 10443, and 4443.

Article Summaries:

  • Amazon has warned that a Russian‑speaking hacker used generative AI tools to breach more than 600 FortiGate firewalls in 55 countries over five weeks (Jan 11 to Feb 18, 2026). The campaign relied on exposed management interfaces and weak, non‑MFA credentials, employing brute‑force attacks rather than zero‑day exploits. Once inside, the attacker extracted configuration files (VPN credentials, firewall policies, network topology) and used AI‑assisted Python and Go scripts to parse and automate reconnaissance across victim networks. The tools also targeted Veeam Backup servers with custom PowerShell scripts. The attack was opportunistic, affecting regions from South Asia to Northern Europe, and did not focus on any particular industry.
  • Amazon Threat Intelligence reports that a financially motivated, Russian‑speaking threat actor used commercial generative AI tools to compromise more than 600 FortiGate devices in 55 countries between January 11 and February 18, 2026. The campaign did not exploit FortiGate vulnerabilities; instead, attackers leveraged exposed management ports (443, 8443, 10443, 4443) and weak, single‑factor credentials. AI assisted in tool development, attack planning, and command generation, enabling the actor, described as having limited technical skills, to scale operations normally requiring a larger, more skilled team. The group also breached Active Directory environments, extracted credential databases, and targeted backup infrastructure, indicating a potential ransomware motive.
