Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
February 21, 2026 08:50 AM

Article updated at the bottom with additional technical details about this campaign.

  • Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks.
  • A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.
  • Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.
  • Moses says the compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.

An AI-powered hacking campaign

  • Amazon says it learned about the campaign after finding a server hosting malicious tools used to target Fortinet FortiGate firewalls.

Article Summaries:

  • Amazon’s security team warned that a Russian‑speaking hacker used generative‑AI services to breach more than 600 Fortinet FortiGate firewalls in 55 countries over a five‑week period (Jan 11-Feb 18, 2026). The campaign did not rely on zero‑day exploits; instead, the actor targeted exposed management interfaces on ports 443, 8443, 10443, and 4443, and used brute‑force attacks against weak credentials lacking MFA. Once inside, AI‑assisted Python and Go tools parsed and decrypted configuration files, enabling automated reconnaissance of victim networks. The compromised firewalls were found across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. Amazon identified the threat actor’s use of custom reconnaissance scripts, Meterpreter, and PowerShell tools to target Veeam Backup servers and extract credentials.
  • Amazon’s threat‑intelligence team reports that a financially motivated, Russian‑speaking threat actor used commercial generative AI tools to compromise more than 600 FortiGate devices in 55 countries between January 11 and February 18, 2026. The attackers did not exploit FortiGate vulnerabilities; instead they scanned exposed management ports (443, 8443, 10443, 4443) and leveraged weak, single‑factor credentials. AI aided the actor in developing custom tools, planning attacks, and generating commands, enabling a small, technically limited group to scale operations normally requiring larger teams. The campaign also breached Active Directory, extracted credential databases, and targeted backup infrastructure, suggesting a potential ransomware follow‑up.
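
A defender-side illustration of the pattern both summaries describe (repeated failed administrator logins against the management interface from one source, then a success), added here and not taken from Amazon's report or the original article. The log lines are constructed, and the key=value field names (`logdesc`, `ui`, `status`) and the thresholds are assumptions to adapt to your own device's log schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The key=value layout and the field
# names (logdesc, ui, status) are assumptions modelled on firewall event logs.
SAMPLE_LOG = """\
date=2026-01-12 time=03:10:01 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" status="failed"
date=2026-01-12 time=03:10:04 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" status="failed"
date=2026-01-12 time=03:10:09 logdesc="Admin login failed" user="root" ui="https(203.0.113.7)" status="failed"
date=2026-01-12 time=03:10:15 logdesc="Admin login failed" user="fwadmin" ui="https(203.0.113.7)" status="failed"
date=2026-01-12 time=03:10:21 logdesc="Admin login successful" user="fwadmin" ui="https(203.0.113.7)" status="success"
date=2026-01-12 time=09:02:11 logdesc="Admin login failed" user="alice" ui="https(198.51.100.20)" status="failed"
date=2026-01-12 time=09:02:30 logdesc="Admin login successful" user="alice" ui="https(198.51.100.20)" status="success"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')    # key="quoted value" or key=bare
SRC = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')  # source IP inside ui="https(IP)"

def parse(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in KV.findall(line)}

def detect(log_text, threshold=4, window=timedelta(minutes=5)):
    """Alert on sources with >= threshold failed admin logins inside the window;
    severity becomes 'high' when a success follows while that burst is still live."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = {}                     # source IP -> alert record
    for line in log_text.splitlines():
        ev = parse(line)
        m = SRC.search(ev.get("ui", ""))
        if not m or "Admin login" not in ev.get("logdesc", ""):
            continue
        src = m.group(1)
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if ev.get("status") == "failed":
            recent.append(ts)
            if len(recent) >= threshold:
                alerts.setdefault(src, {"src": src, "severity": "medium", "user": None})
        elif ev.get("status") == "success" and len(recent) >= threshold:
            alerts[src].update(severity="high", user=ev.get("user"))
    return list(alerts.values())

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single mistyped password followed by a successful login, as in the second source in the sample, stays below the threshold and raises no alert.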

Sources: