AI-Assisted Hacker Breaches 600 Fortinet Firewalls Across 55 Countries
Amazon has reported that a Russian-speaking threat actor leveraged generative AI services to compromise more than 600 FortiGate firewalls across 55 countries within a five-week period. The campaign highlights how attackers are increasingly integrating AI tools into offensive operations to accelerate reconnaissance and exploitation.
The incidents primarily targeted internet-exposed FortiGate devices, exploiting known vulnerabilities to gain initial access.
AI-Driven Reconnaissance and Exploitation
According to Amazon’s findings, the attacker used generative AI tools to automate aspects of reconnaissance, vulnerability analysis, and scripting. By leveraging AI assistance, the threat actor was able to:
- Identify vulnerable firewall instances at scale
- Craft exploit variations and attack scripts
- Accelerate credential harvesting efforts
- Pivot to follow-on attacks
This approach significantly reduced the time and technical effort required to conduct widespread exploitation.
Credential Theft and Lateral Movement
Once inside compromised FortiGate devices, the attacker reportedly focused on credential extraction and reconnaissance. Stolen credentials could then be used to access internal systems, VPN accounts, or other enterprise resources.
Firewalls often serve as a gateway to internal networks, making their compromise particularly impactful.
Global Scope
The campaign spanned 55 countries, demonstrating both the scalability of AI-assisted attacks and the continued risk posed by unpatched or misconfigured network appliances.
Internet-facing security appliances remain a high-value target for threat actors due to their privileged position within enterprise environments.
Known Vulnerabilities Exploited
The breaches involved exploitation of previously disclosed FortiGate vulnerabilities. While patches were available, devices that had not been updated or properly secured were susceptible to compromise.
This reinforces the long-standing security challenge of delayed patching and exposed management interfaces.
Defensive Recommendations
Organizations using FortiGate devices should:
- Immediately apply the latest firmware updates
- Disable internet exposure of management interfaces where possible
- Implement multi-factor authentication for administrative access
- Monitor logs for unusual login attempts or configuration changes
- Rotate credentials if compromise is suspected
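As an added illustration of the log-monitoring recommendation (not code from Amazon, Fortinet or the original article), the script below runs simple detection logic over constructed sample lines written in FortiGate's key=value syslog style: a burst of failed admin logins from one source, a success following that burst, and administrator-account or credential changes made through the web UI. The logdesc strings, field names and all IPs, usernames and object names are assumed sample values, not taken from the reported incident.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate-style key=value syslog format; every value is made up.
SAMPLE_LOGS = """\
date=2025-05-01 time=03:12:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)" action="login" status="failed"
date=2025-05-01 time=03:12:03 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)" action="login" status="failed"
date=2025-05-01 time=03:12:05 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" srcip=203.0.113.7 ui="https(203.0.113.7)" action="login" status="failed"
date=2025-05-01 time=03:12:09 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)" action="login" status="success"
date=2025-05-01 time=03:13:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"
date=2025-05-01 time=03:14:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Edit" cfgpath="user.local" cfgobj="vpnuser1" cfgattr="passwd[*]"
date=2025-05-01 time=09:00:11 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.0.5.20 ui="https(10.0.5.20)" action="login" status="success"
"""

# key=value pairs; values are either a double-quoted string or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze(text: str, fail_threshold: int = 3) -> list[str]:
    """Return alert strings for login bursts, success-after-failure and config changes."""
    alerts, failures = [], Counter()
    for rec in map(parse_line, filter(None, text.splitlines())):
        ip = rec.get("srcip", "?")
        if rec.get("action") == "login":
            if rec.get("status") == "failed":
                failures[ip] += 1
                if failures[ip] == fail_threshold:  # alert once when the threshold is reached
                    alerts.append(f"burst: {failures[ip]} failed admin logins from {ip}")
            elif rec.get("status") == "success" and failures[ip]:
                alerts.append(f"success-after-failure: user {rec.get('user')} from {ip}")
        elif rec.get("logdesc") == "Object attribute configured":
            change = f"{rec.get('action')} {rec.get('cfgpath')} {rec.get('cfgobj')} ({rec.get('cfgattr')})"
            # New admin accounts or password changes on the appliance deserve the highest priority.
            tag = "credential/admin change" if rec.get("cfgpath") in ("system.admin", "user.local") else "config change"
            alerts.append(f"{tag}: {change} by {rec.get('user')} via {rec.get('ui')}")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

In production the same logic would run over the syslog feed rather than an inline string, and the threshold and watched cfgpath values would be tuned to the environment.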
AI as a Force Multiplier for Attackers
The incident underscores how generative AI can act as a force multiplier for cybercriminals, enabling faster exploitation cycles and broader attack campaigns. While AI tools themselves are not inherently malicious, their misuse lowers the barrier to conducting sophisticated operations.
As AI capabilities continue to evolve, security teams must anticipate adversaries incorporating automation and AI-assisted workflows into their tactics.