
Imagine hiring a hacker who doesn’t know what he’s doing – but has access to an AI that more than makes up for his lack of skills. That’s exactly what happened when a Russian-speaking attacker got into over 600 firewalls in just five weeks. And the scary news is that it really didn’t take much skill to succeed.
Amazon Web Services’ security team, Amazon Threat Intelligence, stumbled upon an ongoing attack campaign during routine threat monitoring; the campaign ran from January 11 to February 18, 2026. A Russian-speaking actor had managed to compromise more than 600 Fortigate firewalls across over 55 countries – including the Nordic countries.
What makes the story even more striking is that the hacker did not exploit any advanced security vulnerabilities in the Fortigate system. No, it was something much simpler and more embarrassing: weak passwords and firewalls whose management interfaces were open to the internet. It’s roughly like leaving the key in the door and then being surprised that someone walked in.
What sets this attack apart from previous campaigns is that the attacker used at least two commercial AI services, including a tool based on Google’s Gemini. The AI served as a sort of all-knowing assistant that helped in every phase of the attack – from planning the intrusion, writing code, to moving further into the networks.
Amazon describes the incident as an AI-powered production line for cybercrime. The attacker had low to medium technical skill on their own but managed with AI assistance to achieve what would normally require an entire team of skilled hackers. You could say AI democratized the hacking profession – unfortunately in a way no one wanted.
The attacker’s own operational documents were also openly available on the same infrastructure as the tools, completely unencrypted. This gave Amazon full insight into the methods – like finding a burglar’s meticulously detailed diary at the crime scene.
Once the attacker had gained access via VPN to the victim’s network, an automated reconnaissance tool written in Go and Python was run – with clear signs of having been generated by AI. The tool mapped the network, identified domain controllers and looked for vulnerabilities.
Afterwards, the attacker tried to compromise Active Directory using well-known tools such as Mimikatz and Meterpreter, extract complete password databases and access backup infrastructure – a classic prelude to a ransomware attack. In at least one case, an administrator account with a plaintext password was found. Try not to laugh.
Despite successes, the attacker repeatedly failed against hardened environments. When standard attacks did not work, the actor simply chose to move on to an easier target instead of trying to solve the problem creatively. AI can plan, but it cannot improvise like an experienced security expert.
The geographical spread of the attack was wide and opportunistic rather than targeted at specific industries. Concentrations of compromised devices were found in South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. The Nordic countries are explicitly mentioned as affected, which means that Swedish and Scandinavian organizations running Fortigate firewalls with exposed management interfaces may have been impacted.
The reassuring part of it all – and it is a strange kind of comfort – is that basic security measures actually worked. The attacker consistently failed against organizations with strong passwords, MFA, and properly hardened environments. So this is not about buying expensive new systems but about actually doing what you always knew you should do.
Concrete actions recommended by AWS include closing the firewalls’ management interfaces to the internet, replacing all default and common passwords on Fortigate devices, enabling multi-factor authentication for all VPN and administrator access, rotating SSL-VPN users’ passwords, and reviewing VPN logs for connections from unusual geographic locations.
In addition, Active Directory environments should be reviewed for unusual replication operations, and backup servers should be isolated from the general network and patched against known vulnerabilities.
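One way to act on the log-review recommendation above, as an added example that is not AWS’s or Fortinet’s own tooling: a small Python script that parses constructed FortiGate-style SSL-VPN event lines (the key=value field names are assumed from the format’s general shape, not taken from the report), flags tunnel-up events from countries outside an expected set, and lists users seen from more than one country. The IP-to-country table stands in for a real GeoIP database.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style SSL-VPN event lines (key=value format); not real logs.
SAMPLE_LOGS = """\
date=2026-01-20 time=08:01:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="anna" remip=203.0.113.10
date=2026-01-20 time=08:05:44 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.7
date=2026-01-21 time=03:12:09 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="anna" remip=192.0.2.55
date=2026-01-21 time=03:13:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="admin" remip=192.0.2.56
date=2026-01-21 time=09:30:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.7
"""

# Constructed IP -> country lookup standing in for a GeoIP database (assumption).
GEO = {"203.0.113.10": "SE", "198.51.100.7": "NO", "192.0.2.55": "ZZ", "192.0.2.56": "ZZ"}

# key=value pairs; values are either a quoted string or a bare token.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def successful_logins(logs):
    """Yield parsed events for successful VPN tunnel establishment only."""
    for line in logs.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            yield ev


def geo_anomalies(logs, expected_countries, geo=GEO):
    """Return (user, remip, country, timestamp) for logins from outside the expected set.
    IPs missing from the lookup are reported as UNKNOWN so they are never silently accepted."""
    findings = []
    for ev in successful_logins(logs):
        country = geo.get(ev["remip"], "UNKNOWN")
        if country not in expected_countries:
            findings.append((ev["user"], ev["remip"], country, f'{ev["date"]} {ev["time"]}'))
    return findings


def users_with_multiple_countries(logs, geo=GEO):
    """Return {user: set(countries)} for users who logged in from more than one country."""
    seen = defaultdict(set)
    for ev in successful_logins(logs):
        seen[ev["user"]].add(geo.get(ev["remip"], "UNKNOWN"))
    return {u: c for u, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    for f in geo_anomalies(SAMPLE_LOGS, {"SE", "NO"}):
        print("unexpected country:", f)
    print("multi-country users:", users_with_multiple_countries(SAMPLE_LOGS))
```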
Amazon Threat Intelligence is clear that this type of AI-augmented attack is expected to increase during 2026. The threshold for carrying out sophisticated cyberattacks is lowering as AI tools become better and more accessible. What previously required a team of specialists can now be done by a single actor with limited technical skills but access to the right AI tools.
In other words: the security landscape is fundamentally changing, and organizations that do not take basic security hygiene seriously will become easy targets – regardless of how skilled the attacker is.