AI-augmented attacks on FortiGate devices at scale: what it means and what to do now
Amazon Threat Intelligence has published a timely investigation into a campaign where a Russian-speaking, financially motivated threat actor used multiple commercial generative AI services to compromise 600+ FortiGate devices across 55+ countries between 11 January and 18 February 2026.
The most important detail is also the most sobering: this wasn’t a “zero-day” story. Amazon reports they did not observe exploitation of FortiGate vulnerabilities. Instead, the campaign succeeded by targeting internet-exposed management interfaces and weak, single-factor credentials—basic gaps that AI helped an unsophisticated operator exploit at speed and at scale.
Amazon also notes that AWS infrastructure was not involved in the campaign; the findings are being shared to help the wider community defend against similar activity.
Why this matters in 2026
This is a clean example of what many security teams are now seeing: commercial AI services can reduce the effort needed to plan, script, and operationalise common attack techniques. In Amazon’s assessment, the actor’s baseline skill level was low-to-medium, but their operational throughput and breadth were significantly increased by AI augmentation.
The defensive lesson is not “buy an AI product.” It’s simpler:
- If your fundamentals are weak (exposed management, password reuse, no MFA), attackers can now test and exploit those weaknesses faster.
- If your fundamentals are strong (restricted admin access, credential hygiene, segmentation, recovery posture), even “AI-augmented” operators often move on rather than persist.
The attack chain, in plain English
Based on Amazon’s write-up, the flow looks like this:
1) Initial access: mass credential abuse against exposed management ports
The actor systematically scanned for FortiGate management interfaces across ports 443, 8443, 10443 and 4443, then attempted logins using commonly reused credentials.
2) Configuration theft: why FortiGate configs are such valuable targets
Once a device is accessed, configuration files can yield high-value information such as VPN credentials, admin credentials, network topology, firewall policies, and VPN peer configurations.
Amazon notes the actor used AI-assisted scripts to parse, decrypt and organise stolen configurations.
3) Post-VPN recon: automated discovery to find the next steps
After VPN access, the actor used a custom reconnaissance tool (with AI-generation hallmarks) and chained common open-source tooling for service discovery and vulnerability scanning.
4) Domain compromise attempts (and why it escalates quickly)
Amazon describes the intended use of standard offensive tooling to perform DCSync against domain controllers and extract credential material from Active Directory; in confirmed cases the attacker obtained complete credential databases.
5) Targeting backups: a classic ransomware precursor
The actor specifically targeted backup infrastructure (including Veeam Backup & Replication servers), consistent with pre-ransomware playbooks that aim to weaken recovery before encryption.
What to do now: a practical checklist
If you run FortiGate (or any edge appliance), the priority is to remove the easy wins an attacker would otherwise find.
A) FortiGate / perimeter hardening
Amazon’s recommended actions are the right starting point:
- Do not expose management interfaces to the internet. If remote administration is required, restrict access to known IP ranges and use a bastion host or out-of-band management.
- Change default and common credentials (admin and VPN users).
- Rotate SSL-VPN credentials where interfaces were (or may have been) internet-accessible.
- Implement MFA for admin and VPN access.
- Review configurations for unauthorised admin accounts or policy changes.
- Audit VPN logs for unexpected geographic locations.
B) Credential hygiene (don’t underestimate password reuse)
Amazon highlights the risk that credentials extracted from configs can be reused against Active Directory.
Key actions:
- Audit for password reuse between VPN creds and domain accounts.
- Enforce unique, complex passwords for privileged roles.
- Rotate service account credentials, especially around backup operations.
C) Detection: focus on behaviours, not just IOCs
Amazon notes that because legitimate open-source tools were used, IOC-only detection has limited value; organisations should prioritise behavioural detection.
They recommend monitoring for indicators including:
- Unexpected DCSync operations (Event ID 4662 with replication-related GUIDs).
- New scheduled tasks named to mimic legitimate Windows services.
- Unusual remote management connections from VPN address pools.
- LLMNR/NBT-NS poisoning artefacts.
- Unauthorised access to backup credential stores and suspicious new accounts.
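As an added example (not from Amazon's report or Altiatech's own tooling), the Python below applies the first behavioural check to constructed Windows Security Event ID 4662 records: it alerts when a principal outside an allowlist of domain controller accounts obtains control access to a replication extended right. The allowlist, the sample events and the principal names are assumed values.

```python
# Added example (not from Amazon's report or Altiatech): flags likely DCSync
# activity in Windows Security Event ID 4662 records. Replication is legitimate
# between domain controllers, so the check keys on which principal obtained the
# right, not only on the replication GUIDs. Sample events below are constructed.
from typing import Iterable

# Extended rights that grant directory replication (standard AD schema GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # 4662 AccessMask bit for "Control Access" (extended rights)

# Principals expected to replicate: in production, build this from the Domain
# Controllers OU plus any directory-sync service accounts. Constructed values.
ALLOWED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$"}

SAMPLE_EVENTS = [
    # Normal: a domain controller's machine account replicating with a peer.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC01$",
     "AccessMask": "0x100", "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Suspicious: an ordinary user account requesting both replication rights.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "AccessMask": "0x100", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                                          "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: same user, a property read on an unrelated object (no control access).
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "AccessMask": "0x10", "Properties": "%%7685 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(event: dict) -> list[str]:
    """Names of the replication extended rights referenced in the Properties field."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def flag_dcsync(events: Iterable[dict], allowed: set[str] = ALLOWED_REPLICATORS) -> list[dict]:
    """Alert on 4662 events where a principal outside the allowlist gained
    control access to a replication right (the DCSync pattern)."""
    allowed_upper = {a.upper() for a in allowed}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or not (int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS):
            continue
        rights = replication_rights(ev)
        principal = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if rights and principal.upper() not in allowed_upper:
            alerts.append({"principal": principal, "rights": rights})
    return alerts
```

In a SIEM the same logic is a filter on EventID 4662, AccessMask 0x100 and the three GUIDs, with the domain controller machine accounts excluded; the allowlist is what keeps the rule from firing on normal replication traffic.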
D) Backup hardening: protect recovery as if it’s a target (because it is)
Amazon’s guidance here is particularly relevant if you want to prevent “ransomware with no way back” scenarios:
- Isolate backup servers from general network access.
- Patch backup software and monitor for credential extraction activity.
- Use immutable backup copies that cannot be modified even with administrative access.
Altiatech perspective: this is the new “baseline” threat model
This campaign is a reminder that “AI-augmented” doesn’t always mean “novel exploit.” Often it means faster, broader execution of known techniques. The organisations that reduce their risk fastest are the ones that close the obvious doors: exposed admin interfaces, weak credentials, missing MFA, flat networks, and untested recovery.
How Altiatech can help
If you want to reduce risk quickly (and prove it), we can support in practical phases:
- Perimeter exposure review: confirm what is internet-reachable, remove exposed management, implement safe admin paths, and validate remote access controls.
- Identity and privileged access uplift: MFA enforcement, privileged access controls, and credential hygiene hardening aligned to how your teams operate.
- Compromise readiness: logging and detection engineering for post-exploitation behaviours (including AD replication abuse patterns) and a clear response runbook.
- Backup and recovery resilience: backup segmentation, immutable backup design, and recovery testing so you can restore confidently under pressure.
- Managed support: ongoing monitoring, patching cadence, and posture reporting that stays current as environments change.
Speak to Altiatech about your next steps:
Email: innovate@altiatech.com
or call 0330 332 5842 (Mon–Fri, 9am–5:30pm).
Contact us: https://www.altiatech.com/contact