More than 600 Fortinet FortiGate firewalls were compromised in a cyberattack orchestrated by less sophisticated actors utilizing generative AI tools, according to a recent report from Amazon Web Services (AWS). The attack, which spanned from January 11 to February 18, 2026, affected devices across over 55 countries, including regions in Africa, Asia, Latin America, North America, and Europe.
Stephen Schmidt, Amazon’s Chief Security Officer, emphasized the role of AI in this incident, stating, “AI is making certain types of attacks more accessible to less sophisticated actors who can now leverage AI to enhance their capabilities and operate at greater scale.” The report indicated that the attackers, described as a Russian-speaking group or individual with limited technical skills, were not affiliated with any state-sponsored threat groups.
Schmidt noted that the use of AI allowed these actors to generate attack plans and tools while automating operations in ways that traditionally required considerable resources and expertise. “This is part of a pattern we’re seeing where AI is lowering the barrier to entry for threat actors,” he added.
The incident report detailed how the perpetrators employed various commercial generative AI services throughout their operation to implement and scale established attack techniques. The attackers reportedly used at least two large language models to coordinate the assault, assessing the duration and anticipated success rates of their efforts.
According to CJ Moses, AWS’s Chief Information Security Officer, the attackers’ plans even referenced academic literature on offensive AI agents, indicating they are keeping abreast of advancements in AI-assisted penetration testing. “The AI produces technically accurate command sequences, but the actor struggles to adapt when conditions differ from the plan,” Moses explained.
The report also highlighted that the attackers successfully compromised multiple organizations’ Active Directory environments and targeted backup infrastructures, which could potentially lead to ransomware deployment. The hackers developed AI-assisted Python scripts to analyze stolen configurations and employed open-source tools to exploit known vulnerabilities in systems, including Veeam Backup & Replication servers.
Moses pointed out that the attackers demonstrated an opportunistic approach; when faced with fortified defenses, they simply moved on to softer targets rather than attempting to breach more complex systems. “Notably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill,” Moses stated.
AWS’s infrastructure was not implicated in the attack, and the report indicated that no FortiGate vulnerabilities were exploited during the campaign. The company advises customers using FortiGate appliances to take immediate security measures, such as ensuring management interfaces are not exposed to the internet and changing default credentials for accounts.
Additional recommended actions include auditing for password reuse between FortiGate VPN credentials and Active Directory domain accounts, implementing multi-factor authentication for all VPN access, and rotating service account credentials. Schmidt concluded, “AI is changing security on both sides of the equation, but organizations that combine strong security fundamentals with AI-powered tools are well-positioned to stay ahead.” This incident underscores the evolving nature of cyber threats and the increasing role of AI in facilitating attacks, raising concerns about the future landscape of cybersecurity.
See also
AI-Driven Attacks Compromise 600+ FortiGate Devices Across 55 Countries
Schools Face Rising Threat of AI-Powered Cyber Attacks Amid Federal Funding Cuts
Biothreat Detection Systems Market Surges to $3.49B by 2030 Driven by AI Innovations
AI-Driven Cyber Attacks Surge 89% in 2025, Reports CrowdStrike Global Threat Review
CrowdStrike Reveals Cyberattack Breakout Time Dropped to Just 27 Seconds in 2026 Report
