A financially motivated threat actor compromised more than 600 FortiGate devices across 55 countries. The campaign relied on commercial generative AI tools. It did not rely on new software vulnerabilities.
CJ Moses, CISO of Amazon Integrated Security, said the operation succeeded by targeting exposed management ports and weak credentials protected only by single-factor authentication.
According to Amazon Threat Intelligence, a Russian-speaking individual or small group used multiple commercial LLM services to scale established intrusion techniques across hundreds of targets.
The actor began with systematic scanning for internet-facing FortiGate management interfaces. They focused on ports 443, 8443, 10443 and 4443, identifying devices administrators had left publicly accessible. From there, they attempted authentication using reused, weak or default credentials.
Once inside, the attacker downloaded full FortiGate configuration files.
Those files contained SSL-VPN credentials with recoverable passwords, administrative account credentials, firewall policies, routing rules, network topology details and IPsec configurations.
Using AI-assisted Python scripts, the actor parsed and decrypted configuration files at scale. The scripts extracted credentials and mapped internal network structures.
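As an added illustration of the initial-access chain described above (example code, not from the Amazon report or this article): a small Python detector that reads constructed FortiGate-style admin event lines and flags an external source that repeatedly fails to log in on one of the management ports named above, then succeeds and pulls a configuration backup. The log field names, message texts and sample addresses are assumptions about the format, not values from the page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events approximating FortiGate's key=value syslog style.
# Field names (logdesc, user, srcip, dstport, status) and message texts are
# assumptions about the format, not quotations from a device or from the article.
SAMPLE_LOGS = """\
logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=8443 status="failed"
logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=8443 status="failed"
logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=8443 status="failed"
logdesc="Admin login successful" user="admin" srcip=203.0.113.7 dstport=8443 status="success"
logdesc="Config backup" user="admin" srcip=203.0.113.7 dstport=8443 status="success"
logdesc="Admin login successful" user="ops" srcip=10.0.0.5 dstport=443 status="success"
"""

MGMT_PORTS = {443, 8443, 10443, 4443}  # management ports the article says were scanned
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: (q or v) for k, q, v in KV.findall(line)}

def is_internal(ip):
    """Assumption: only RFC 1918 sources should ever reach the admin UI."""
    return any(ip in net for net in RFC1918)

def detect(log_text, threshold=3):
    """Flag external sources that fail `threshold` admin logins on a management
    port, then succeed, and (worse) pull a configuration backup."""
    state = defaultdict(lambda: {"failed": 0, "guessed_in": False, "config_backup": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        try:
            port, src = int(ev.get("dstport", "0")), ipaddress.ip_address(ev["srcip"])
        except (KeyError, ValueError):
            continue  # malformed or unrelated line
        if port not in MGMT_PORTS or is_internal(src):
            continue
        s, desc, status = state[str(src)], ev.get("logdesc", ""), ev.get("status")
        if desc.startswith("Admin login") and status == "failed":
            s["failed"] += 1
        elif desc.startswith("Admin login") and status == "success":
            s["guessed_in"] |= s["failed"] >= threshold  # success only counts after N failures
        elif desc == "Config backup":
            s["config_backup"] = True
    return {src: dict(s, severity="high" if s["config_backup"] else "medium")
            for src, s in state.items() if s["guessed_in"] or s["config_backup"]}
```

Calling `detect(SAMPLE_LOGS)` returns one high-severity finding for the external address and nothing for the internal operator login; in practice the same logic would run over the device's real syslog feed with field names adjusted to the firmware's actual schema.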
According to Beinsure analysts, this AI-assisted automation of parsing and credential extraction compresses the time between initial access and operational control.
After mapping internal systems, the attacker moved laterally. Activity included Active Directory reconnaissance and DCSync operations using tools such as Meterpreter and Mimikatz to obtain NTLM password hashes.
With those hashes, the actor escalated privileges and widened control across compromised environments.
Backup infrastructure drew focused attention. Veeam Backup & Replication servers became priority targets because they often store privileged credentials and sit at the center of recovery operations.
By accessing backup systems, the actor gained additional credentials and weakened incident response options in the event of ransomware deployment.
The campaign did not display advanced exploit engineering. When systems were patched or hardened, the actor struggled.
Amazon researchers observed repeated failures against known vulnerabilities, including CVE-2019-7192 and CVE-2023-27532. Instead of developing new attack paths, the operator shifted toward softer targets.
We think the takeaway isn’t technical novelty. It’s scale. AI didn’t invent new tradecraft here. It accelerated old tactics, turning exposed ports and weak passwords into a global access pipeline.