A recent investigation has uncovered a new breed of cybercriminal: the AI-augmented attacker. A Russian-speaking individual, despite having limited technical skills, managed to infiltrate over 600 FortiGate security devices across 55 countries in just over a month.
According to findings from Amazon Threat Intelligence, this campaign ran from 11 January to 18 February 2026, and wasn’t the work of a genius. Instead, the attacker used commercial AI services to act as a force multiplier, turning basic hacking into a high-speed assembly line.
High-Speed Scouting
Breaking into a global network usually requires a large team, but this attacker used AI to write Python and Go scripts that handled the tedious work entirely. They systematically scanned the internet for “open windows,” specifically management ports 443, 8443, 10443, and 4443.
The attacker did not even use complex exploits to get in. They simply used AI to help them test common or stolen passwords against these ports. Once they gained a foothold, they used the AI to read the device settings and map out the entire internal network of the victim.
A Focus on Backups and Passwords
Once inside, the attacker’s goal was clear: total control. They deployed well-known tools like Meterpreter and Mimikatz to steal passwords from the company’s main servers, known as Active Directory. Perhaps most concerningly, they specifically hunted for Veeam Backup & Replication servers. Let’s not forget that by targeting backups, a hacker can delete a company’s ability to recover its data, leaving it with no choice but to pay a ransom.
Interestingly, the hacker’s reliance on AI was also their Achilles heel; while the AI could write code, that code sometimes became messy and failed when things got complicated. When the attacker tried to use advanced exploits, such as CVE-2019-7192 or CVE-2023-27532, they failed because they did not understand how to tweak the code for updated systems. The campaign was most successful in “softer” targets across South Asia, Southeast Asia, Latin America, West Africa, and Northern Europe, researchers noted.
Staying Safe in the AI Era
Amazon’s security chief, CJ Moses, points out that while the AI tools are new, the solution is old-fashioned. To protect your organisation, you should ensure your device management ports are not visible to the public internet and always use Multi-Factor Authentication (MFA), as a password alone is no longer enough.
Furthermore, never reuse passwords between your security devices and your main office network, and keep all software updated, as most of the attacker’s advanced attempts failed simply because the victims had installed their security patches.
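The first two recommendations can be checked against a device's exported configuration. The Python sketch below is an added example, not code from Amazon's report or from Fortinet. It assumes a FortiOS-style text backup, a caller-supplied set of internet-facing interface names, and that a missing two-factor setting means MFA is off; the sample configuration is constructed.

```python
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}
# Constructed sample in FortiOS CLI style; not taken from any real device.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "backup-admin"
    next
end
"""

def parse_sections(text):
    # Simplified: handles flat config/edit/set/next/end blocks only (no nested tables).
    sections, section, entry = {}, None, None
    for tokens in (line.split() for line in text.splitlines() if line.strip()):
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            section = sections.setdefault(" ".join(args), {})
        elif verb == "edit" and section is not None:
            entry = section.setdefault(args[0].strip('"'), {})
        elif verb == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif verb in ("next", "end"):
            entry = None
            section = None if verb == "end" else section
    return sections

def audit(text, external_ifaces):
    # external_ifaces: interface names the operator knows face the internet (assumption).
    cfg, findings = parse_sections(text), []
    for name, s in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
        if name in external_ifaces and exposed:
            findings.append(f"interface {name}: {', '.join(sorted(exposed))} enabled on internet-facing interface")
    for name, s in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name}: no trusted-host restriction")
        if s.get("two-factor", ["disable"])[0] == "disable":  # assumption: absent means off
            findings.append(f"admin {name}: no MFA configured")
    return findings
```

Calling `audit(SAMPLE_CONFIG, {"wan1"})` returns one finding for the exposed `wan1` interface and two for the `backup-admin` account.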