An unskilled but financially motivated attacker recently used generative AI to breach over 600 FortiGate firewall instances by automating the exploitation of weak credentials and exposed ports. This incident highlights how AI tools are effectively lowering the technical barrier for entry, allowing unsophisticated actors to achieve the kind of operational scale previously reserved for advanced threat groups.
According to research from Amazon Web Services, a Russian-speaking actor leveraged legitimate generative AI services to compromise hundreds of Fortinet devices across more than 55 countries in early 2026. The campaign spanned diverse geographic regions, including South Asia, Latin America, and West Africa. Notably, the attacker did not rely on complex software vulnerabilities but instead focused on basic security oversights like single-factor authentication and exposed management interfaces.
The actor in question does not appear to be linked to any state-sponsored group or possess deep technical expertise. Instead, they used AI to augment their capabilities, acting as a force multiplier that allowed a small-scale operation to function like a much larger team. When faced with strong defenses, the attacker simply moved on to easier targets, prioritizing the efficiency provided by AI over traditional persistence or high-level problem-solving.
Throughout the operation, the attacker utilized AI to generate custom step-by-step exploitation instructions, prioritize tasks, and write Python scripts. These scripts were specifically designed to parse and decrypt stolen configuration files gathered from internet-wide scans of common management ports. By automating the reconnaissance and data organization phases, the actor was able to quickly identify valuable network information and administrative credentials.
Once initial access was secured, the attacker targeted high-value assets such as Veeam Backup and Replication servers to compromise backup infrastructure. This strategy is often a precursor to ransomware, as it prevents victims from recovering their data without paying a ransom. To move laterally through these networks and compromise Active Directory environments, the actor combined their AI-generated tools with well-known open-source offensive security software.
This campaign reflects a broader trend where the majority of ransomware-related actors are now integrating AI to automate reconnaissance and scale social engineering efforts. As demonstrated in this case, the primary advantage of AI-augmented hacking is the ability to conduct high-volume attacks with minimal manual effort. This shift forces organizations to prioritize fundamental security hygiene, such as closing exposed ports and enforcing multi-factor authentication, to defend against increasingly automated threats.
Source: Over 600 FortiGate Devices Compromised by AI-Armed Amateur Hacker