A Russian-speaking threat actor used AI to plan, manage and conduct cyberattacks on organizations with misconfigured firewalls in 55 countries in January and February, according to Amazon researchers.
The compromises of more than 600 Fortinet FortiGate devices, which occurred between Jan. 11 and Feb. 18, were notable in that they did not exploit any software vulnerability, Amazon Web Services' threat intelligence team explained in a Feb. 20 blog post.
“Instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale,” CJ Moses, the chief information security officer of Amazon Integrated Security, wrote in the blog post.
The hacker or hackers used multiple generative AI tools “to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities,” Moses wrote.
Amazon does not believe the threat actor works for the Russian government, describing them instead as “a financially motivated individual or small group who, through AI augmentation, achieved an operational scale that would have previously required a significantly larger and more skilled team.”
The report represents the latest evidence that AI tools can help unsophisticated hackers pose serious threats to organizations running vulnerable or misconfigured devices or insecure software.
In this case, AI tools helped the threat actor break into multiple victims’ Active Directory environments, steal password databases and attempt to infect backup systems, which Amazon said could be a sign that they intended to launch a ransomware attack.
“Notably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting,” Moses wrote, “underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill.”
Opportunistic campaign with automated help
The threat actor targeted organizations around the world, showing little interest in particular countries or industries. The attacks' only apparent common denominator was the victims' use of internet-accessible FortiGate firewalls, devices that have been a frequent target of hackers in recent months. The configuration files of these devices "represent high-value targets," Moses wrote, because they store administrator account credentials, network design information and other sensitive data.
“The threat actor developed AI-assisted Python scripts to parse, decrypt, and organize these stolen configurations,” Moses wrote.
The code identified target networks, organized them by size, scanned ports to identify active services and used an open-source vulnerability scanner to create a prioritized target list.
Amazon determined that AI helped write the code because it bore common hallmarks of automated development, including “redundant comments that merely restate function names” and “simplistic architecture with disproportionate investment in formatting over functionality.”
The scripts worked, Moses wrote, but “the tooling lacks robustness and fails under edge cases—characteristics typical of AI-generated code used without significant refinement.”
The threat actor used two different AI tools for different purposes. One served as a general attack planner and code developer, while the other helped the threat actor pivot within compromised networks. When the attacker’s plans met resistance, Amazon said, they struggled to adapt, such as by writing new exploit code or debugging failed intrusion attempts — further evidence of their novice status.
Tips for fending off attacks
While nation-state groups and major cybercrime gangs receive the most attention, Amazon’s report highlights the fact that even unsophisticated actors can pose serious threats with AI’s help.
FortiGate users can take several steps to protect themselves, Amazon said, including disabling internet access to the management interface unless absolutely necessary, changing default passwords, implementing multifactor authentication, scanning for unauthorized configuration changes and reviewing VPN connection logs for connections from unexpected locations.
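The checks above can be turned into a repeatable audit. The script below is an added example written for this article; it is not Amazon's code or Fortinet tooling. It parses a constructed excerpt in the shape of a FortiOS configuration (the config/edit/set/next/end syntax and the allowaccess, two-factor and trusthost settings are real FortiOS directives, but the excerpt itself is made up), flags management services reachable on a WAN-role interface, admin accounts without multifactor authentication or a trusted-host restriction, and admin accounts that are not in an assumed baseline of sanctioned accounts, which is one way to spot an unauthorized configuration change. It then reviews constructed key=value log lines approximating FortiGate VPN events for logins from countries outside an assumed allow list and for one source address using several accounts. The GEOIP table, EXPECTED_ADMINS and EXPECTED_COUNTRIES are stand-ins a real deployment would replace with a GeoIP database and its own baselines.

```python
"""Audit a FortiOS-style config and review VPN login records for the gaps the
report describes.  All sample data below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed excerpt in the shape of a FortiOS config; not taken from any real device.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set two-factor fortitoken
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
end
"""

# Constructed key=value lines in the general shape of FortiGate VPN event logs;
# field names and values are an approximation, not a specification of the real format.
SAMPLE_VPN_LOG = """\
date=2026-02-03 time=08:12:01 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=192.0.2.44
date=2026-02-03 time=02:47:19 type="event" subtype="vpn" action="tunnel-up" user="admin" remip=198.51.100.23
date=2026-02-03 time=02:49:02 type="event" subtype="vpn" action="tunnel-up" user="svc_backup" remip=198.51.100.23
"""

MGMT_SERVICES = {"http", "https", "ssh", "telnet"}
EXPECTED_ADMINS = {"admin", "netops"}                # assumed baseline of sanctioned admin accounts
EXPECTED_COUNTRIES = {"US"}                          # assumed countries staff connect from
GEOIP = {"192.0.2.44": "US", "198.51.100.23": "ZZ"}  # stand-in for a real GeoIP lookup
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}."""
    tree = defaultdict(dict)
    sections, entries = [], []  # parallel stacks so a nested config block cannot corrupt its enclosing entry
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[len("config "):])
            entries.append(None)
        elif line.startswith("edit ") and sections:
            entries[-1] = line[len("edit "):].strip('"')
            tree[" ".join(sections)].setdefault(entries[-1], {})
        elif line.startswith("set ") and sections and entries[-1] is not None:
            key, *values = line[len("set "):].split()
            tree[" ".join(sections)][entries[-1]][key] = [v.strip('"') for v in values]
        elif line == "next" and entries:
            entries[-1] = None
        elif line == "end" and sections:
            sections.pop()
            entries.pop()
    return tree


def audit_config(cfg):
    """Findings for exposed management services, single-factor admins, open trusted hosts, unexpected admins."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: management services {sorted(exposed)} reachable from the internet")
    for name, admin in cfg.get("system admin", {}).items():
        if name not in EXPECTED_ADMINS:
            findings.append(f"admin {name}: not in the expected-accounts baseline (possible unauthorized change)")
        if admin.get("two-factor", ["disable"]) == ["disable"]:  # FortiOS default is no second factor
            findings.append(f"admin {name}: single-factor authentication only")
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusted-host restriction, so any source can attempt a login")
    return findings


def review_vpn_log(text):
    """Flag VPN logins from unexpected countries and one source address using several accounts."""
    findings, users_by_src = [], defaultdict(set)
    for line in text.splitlines():
        ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue
        country = GEOIP.get(ev["remip"], "unknown")
        if country not in EXPECTED_COUNTRIES:
            findings.append(f"{ev['date']} {ev['time']}: {ev['user']} connected from {ev['remip']} ({country})")
        users_by_src[ev["remip"]].add(ev["user"])
    for ip, users in users_by_src.items():
        if len(users) > 1:
            findings.append(f"{ip}: {len(users)} different accounts {sorted(users)} from one source")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_fortios(SAMPLE_CONFIG)) + review_vpn_log(SAMPLE_VPN_LOG):
        print("FINDING:", finding)
```

On the sample data the audit reports the exposed wan1 interface, the built-in admin account with neither a second factor nor a trusted host, and the unlisted svc_backup account on all three counts, while netops passes; the log review flags the two off-hours logins from the unexpected address and notes that the same address authenticated as two different accounts. A production version would read a config backup and exported syslog instead of the inline strings and would diff the admin list against the last known-good backup rather than a hard-coded set.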
Amazon also listed potential signs of exploitation for which organizations could search, including unauthorized access to backup systems, and newly created user accounts and scheduled tasks named to resemble legitimate Windows activity.
Organizations should also isolate their backup infrastructure from main networks to ensure they always have a fallback plan insulated from potential cyberattack disruptions, Amazon said.