A Russian-speaking cybercrime group compromised over 600 FortiGate devices across 55 countries between January 11 and February 18, 2026, using commercial AI services to automate and scale their attacks[1]. Rather than exploiting vulnerabilities, the group targeted exposed management ports and weak credentials, using AI tools like DeepSeek and Claude to generate attack plans, develop tools, and orchestrate operations[2].

The threat actor, despite limited technical skills, leveraged AI to:

  • Extract device configurations and credentials
  • Compromise Active Directory environments
  • Target backup infrastructure
  • Generate comprehensive attack methodologies
  • Develop custom reconnaissance tools

“This campaign succeeded through a combination of exposed management interfaces, weak credentials, and single-factor authentication—all fundamental security gaps that AI helped an unsophisticated actor exploit at scale,” said CJ Moses, Amazon’s CISO[1].

When encountering hardened security measures, the group simply moved to easier targets rather than attempting sophisticated exploitation, demonstrating their reliance on AI-augmented efficiency rather than technical expertise[1].


  1. Amazon Web Services - AI-augmented threat actor accesses FortiGate devices at scale

  2. The Hacker News - AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries