
Commercial AI services are enabling even unsophisticated threat actors to conduct cyberattacks at scale. This time, a Russian-speaking threat actor leveraged AI tools to compromise more than 600 Fortinet firewalls in a single month.
Amazon Threat Intelligence says it has observed a Russian-speaking, financially motivated threat actor leveraging multiple commercial generative AI services to compromise over 600 FortiGate devices across more than 55 countries from January 11th to February 18th.
According to the researchers, no exploitation of FortiGate vulnerabilities was detected. Instead, the campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication – fundamental security gaps that AI helped an unsophisticated actor exploit at scale.
Amazon’s investigation highlights how commercial AI services can lower the technical barrier to entry for offensive cyber capabilities.
“The threat actor in this campaign is not known to be associated with any advanced persistent threat group with state-sponsored resources,” the blog post says.
“They are likely a financially motivated individual or small group who, through AI augmentation, achieved an operational scale that would have previously required a significantly larger and more skilled team.”
Once they hacked into the devices, the attacker used a collection of scripts that Amazon researchers say were written by AI tools. Specific products aren’t named, but it looks like the threat actor used Claude and DeepSeek.
According to researchers from Cyber and Ramen, DeepSeek was used to create scripts for reconnaissance and to extract configurations from the hacked devices. Claude generated scripts for vulnerability assessments and ran offensive tools against the networks.
The Amazon Threat Intelligence team has assessed this threat actor as Russian-speaking, based on “extensive Russian-language operational documentation.”
The general consensus within the cybersecurity community, however, is that the threat actor wasn’t particularly sophisticated. This seems to be another telling sign that AI tools were used.
“When this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill,” said Amazon researchers.
It’s widely expected that the trend of using AI tools for hacks will continue, of course, and it’s entirely possible that next time, they’ll be deployed by a skilled adversary. If that happens, the damage could be far wider.