AI-Assisted Threat Actor Compromises Major Financial Networks

Between January 11 and February 18, 2026, a Russian-speaking threat actor compromised more than 600 FortiGate devices across 55 countries with the help of commonly available AI tools, according to Amazon Threat Intelligence. The actor, financially motivated and not linked to any government, exploited no new vulnerabilities: access came through management interfaces exposed to the internet and weak credentials. Despite limited skills, the attacker used AI to automate and scale the operation, generating attack plans, tooling, and commands.

The attack began with internet-wide scans for FortiGate management login pages, followed by login attempts with common passwords. Once inside a network, the attacker moved to Active Directory, harvested credentials, and went after backup systems, a pattern consistent with preparation for ransomware. The operation was described as an "AI-powered cybercrime factory": AI tooling let a single attacker carry out work that would normally require a larger and more skilled team.

Amazon's analysis found that the attacker used a custom tool, written with AI assistance, to collect information from compromised networks. The attacker frequently failed at more complex tasks, which points to a reliance on simple, automated techniques. The campaign targeted no particular industry; it scanned broadly for reachable, weakly protected devices.

The incident illustrates the trend toward AI-assisted cybercrime, in which even low-skilled attackers can run large-scale operations. Organisations are advised to keep management interfaces off the public internet, enforce strong authentication, and keep devices patched. The attacker also used AI tools such as DeepSeek and Anthropic's Claude to draft attack plans and vulnerability assessments, and operated a server that hosted many files and tools used in the intrusions.
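The scan-and-guess stage described above, and the exposed-management-interface weakness the defensive advice addresses, both leave a trace in the firewall's own event log. The following is an added example and not code from the original post, from Amazon's report, or from Fortinet: it parses constructed FortiGate-style administrator login events (the key=value field names logid, action, status, user, srcip and ui are assumed to follow FortiOS admin-login logging, and the sample lines are made up for the example), flags a source that fails repeatedly against admin accounts and then logs in, and lists successful admin logins from outside an assumed trusted management subnet, which is exactly the condition that restricting management access to trusted hosts would have prevented.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate's key=value event-log style. They are
# not logs from the campaign; field names follow FortiOS administrator-login
# events as an assumption. logid 0100032002 = admin login failed,
# logid 0100032001 = admin login succeeded.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
date=2026-01-12 time=03:14:03 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
date=2026-01-12 time=03:14:06 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
date=2026-01-12 time=03:14:09 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="fortinet" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator fortinet login failed from https(198.51.100.7) because of invalid password"
date=2026-01-12 time=03:14:12 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
date=2026-01-12 time=03:14:15 logid="0100032001" type="event" subtype="system" level="information" action="login" status="success" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)" msg="Administrator admin logged in successfully from https(198.51.100.7)"
date=2026-01-12 time=08:02:44 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="admin" srcip=10.20.0.15 ui="https(10.20.0.15)" msg="Administrator admin login failed from https(10.20.0.15) because of invalid password"
date=2026-01-12 time=08:02:58 logid="0100032001" type="event" subtype="system" level="information" action="login" status="success" user="admin" srcip=10.20.0.15 ui="https(10.20.0.15)" msg="Administrator admin logged in successfully from https(10.20.0.15)"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict and add a datetime under 'ts'."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def admin_login_events(text):
    """Yield parsed administrator login events, failed and successful."""
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") == "login" and f.get("logid") in ("0100032001", "0100032002"):
            yield f


def detect_password_guessing(text, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with at least `threshold` failed admin logins inside any
    `window`, and record whether a successful login from the same source
    followed the guessing run (the sign that a weak password was found)."""
    by_src = defaultdict(list)
    for ev in admin_login_events(text):
        by_src[ev["srcip"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in events if e["status"] == "failed"]
        usernames = sorted({e["user"] for e in events if e["status"] == "failed"})
        start = 0
        for end in range(len(failures)):           # sliding window over failures
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(
                    e["status"] == "success" and e["ts"] >= failures[start] for e in events
                )
                findings[src] = {
                    "failures": end - start + 1,
                    "window_start": failures[start].isoformat(),
                    "window_end": failures[end].isoformat(),
                    "usernames": usernames,
                    "success_after": success_after,
                }
                break
    return findings


def untrusted_admin_logins(text, trusted_nets):
    """Successful admin logins from outside the trusted management subnets.
    `trusted_nets` is assumed to be the list of subnets from which
    administration is legitimately performed."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for ev in admin_login_events(text):
        if ev["status"] != "success":
            continue
        ip = ipaddress.ip_address(ev["srcip"])
        if not any(ip in n for n in nets):
            hits.append((ev["ts"].isoformat(), ev["user"], ev["srcip"], ev["ui"]))
    return hits


if __name__ == "__main__":
    for src, info in detect_password_guessing(SAMPLE_LOGS).items():
        print(f"password guessing from {src}: {info}")
    for hit in untrusted_admin_logins(SAMPLE_LOGS, ["10.20.0.0/16"]):
        print(f"admin login from untrusted source: {hit}")
```

On the sample data the guessing detector reports 198.51.100.7 (five failures across two admin usernames in fourteen seconds, then a success), while the single failed attempt from 10.20.0.15 stays below the threshold. The second check is the one worth wiring into alerting regardless of volume: any successful administrator login from an address outside the management subnet means the interface was reachable from where it should not have been.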

The incident underscores the need for robust cybersecurity measures as AI continues to empower both skilled and unskilled attackers.

Stay secure — stay Wavasec. 🔐