TL;DR

  • A single Russian-speaking threat actor used off-the-shelf AI tools to breach 600+ business firewalls across 55 countries in just five weeks [1]
  • No zero-day exploits were used — the attacks succeeded entirely because of exposed management interfaces, weak passwords, and missing MFA [1]
  • Every organisation with basic hardening in place was skipped — the attacker moved on to easier targets [2]
  • Three fixes close the gaps this campaign exploited: enable MFA, stop exposing your firewall management port to the internet, and rotate default/reused credentials

When Amazon's threat intelligence team published their findings on February 20, 2026, the story that emerged was both alarming and, in an odd way, reassuring [1].

Alarming because one financially motivated attacker, possibly a single person, used commercially available AI tools to breach over 600 FortiGate firewalls across 55 countries between January 11 and February 18, 2026 [1][2]. That is a scale of operation that would previously have required a much larger and more skilled team.

Reassuring because not a single zero-day exploit was used. This entire campaign ran on three basic security gaps that every business can close today.


How Did One Person Breach 600 Firewalls in 5 Weeks?

The attacker's method was more conveyor belt than heist. Amazon's CISO, CJ Moses, described it as "an AI-powered assembly line for cybercrime" [1].

Here's what the campaign looked like in practice:

Phase 1 — Find the unlocked doors. The attacker used AI-assisted Python scripts to automatically scan the internet for FortiGate management interfaces exposed on ports 443, 8443, 10443, and 4443. Management interfaces are like the admin console for your firewall — they're meant to be used internally, not left open to the whole internet [1][3].

Phase 2 — Try the obvious passwords. For any exposed interface found, the tools attempted login using commonly reused credentials. No sophisticated cracking, just the digital equivalent of trying "admin/admin" [2][3].

Phase 3 — AI writes the next move. Once inside, AI tools generated step-by-step attack plans, wrote reconnaissance scripts, and even helped plan how to move deeper into the victim's network [1][4]. Operational notes, written in Russian, detailed how to extract password hashes from Active Directory and target backup infrastructure as a precursor to ransomware [2].

Phase 4 — Move on if it's hard. Here's the key finding: when the attacker hit a target with proper security in place — MFA enabled, management ports closed, patched systems — they simply moved on. Amazon's report confirms this explicitly [1]. The AI didn't help them break through hardened defences. It helped them find and exploit the businesses that hadn't finished the job.
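Added example, not code from Amazon's report or from any source cited on this page: how Phases 1, 2 and 4 look from the defender's side, in a FortiGate's own event log. The sample lines are constructed in the FortiOS key=value event-log layout; the field names follow that layout, the log IDs are an assumption, and the external source address is taken from the RFC 5737 documentation range. The audit keys on the logdesc, action, status and srcip fields, so it does not depend on the assumed IDs.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the FortiOS key=value event-log layout. The field
# names follow that layout; the values and log IDs are assumed for this example
# and the external source address is from the RFC 5737 documentation range.
SAMPLE_LOGS = """\
date=2026-01-14 time=03:12:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.77) because of invalid password"
date=2026-01-14 time=03:12:04 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.77) because of invalid password"
date=2026-01-14 time=03:12:07 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 action="login" status="failed" reason="name_invalid" msg="Administrator fortinet login failed from https(203.0.113.77) because of invalid user name"
date=2026-01-14 time=03:12:10 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="administrator" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 action="login" status="failed" reason="name_invalid" msg="Administrator administrator login failed from https(203.0.113.77) because of invalid user name"
date=2026-01-14 time=03:12:13 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 action="login" status="success" reason="none" msg="Administrator admin logged in successfully from https(203.0.113.77)"
date=2026-01-14 time=09:30:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 action="login" status="success" reason="none" msg="Administrator netops logged in successfully from https(10.20.0.15)"
date=2026-01-14 time=11:02:44 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="netops" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 action="login" status="failed" reason="passwd_invalid" msg="Administrator netops login failed from https(10.20.0.15) because of invalid password"
date=2026-01-14 time=11:03:01 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 action="login" status="success" reason="none" msg="Administrator netops logged in successfully from https(10.20.0.15)"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# "Internal" here means RFC 1918 space; replace with your real management
# subnets. Deliberately not ipaddress.is_global, which also classes the
# RFC 5737 documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fortios_line(line):
    """Turn one key=value event-log line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_admin_logins(log_text, fail_threshold=3):
    """Summarise administrator login events per source address and flag the
    pattern this campaign produces: logins reaching the management interface
    from outside, several failures across guessed usernames, then a success."""
    per_src = defaultdict(lambda: {
        "failed": 0, "succeeded": 0, "users": set(),
        "first_seen": None, "last_seen": None,
        "from_internet": False, "success_after_failures": False,
    })
    for line in log_text.splitlines():
        ev = parse_fortios_line(line)
        if ev.get("action") != "login" or not ev.get("logdesc", "").startswith("Admin login"):
            continue
        src = ev.get("srcip")
        if not src:
            continue
        s = per_src[src]
        stamp = f'{ev.get("date", "")} {ev.get("time", "")}'
        s["first_seen"] = s["first_seen"] or stamp
        s["last_seen"] = stamp
        s["users"].add(ev.get("user", ""))
        s["from_internet"] = not is_internal(src)
        if ev.get("status") == "success":
            s["succeeded"] += 1
            # A success that follows a burst of failures from the same address
            # is the moment a guessed credential worked.
            if s["failed"] >= fail_threshold:
                s["success_after_failures"] = True
        else:
            s["failed"] += 1

    report = {}
    for src, s in per_src.items():
        flags = []
        if s["from_internet"]:
            flags.append("management interface reachable from the internet")
        if s["failed"] >= fail_threshold and len(s["users"]) > 1:
            flags.append("credential guessing across multiple usernames")
        if s["success_after_failures"]:
            flags.append("success after repeated failures: treat the admin account and the device config as compromised")
        report[src] = {**s, "users": sorted(s["users"]), "flags": flags}
    return report


if __name__ == "__main__":
    for src, summary in audit_admin_logins(SAMPLE_LOGS).items():
        print(src, summary["failed"], "failed,", summary["succeeded"], "ok,", summary["flags"])
```

Run it against an export of the event log (from syslog or FortiAnalyzer). A source that carries all three flags is this campaign's signature: the admin interface was reachable from outside, usernames were guessed, and one guess worked, which means the configuration backup should be assumed stolen. The threshold and the definition of "internal" are the two knobs to tune for your own environment.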



What Information Was Stolen — and Why It Matters

When the attacker successfully breached a FortiGate device, they extracted the entire device configuration file [3]. For a business, this is the worst kind of breach because these files contain:

  • SSL-VPN user credentials (passwords in recoverable form)
  • Administrative credentials for the firewall itself
  • Complete internal network topology — a map of everything inside your organisation
  • Firewall policy rules revealing which systems are exposed and how
  • IPsec VPN configurations for connecting remote sites [2]

With this data, the attacker could log into the business's internal network over the VPN as a legitimate remote user (traffic the firewall is configured to allow) and then work toward full domain compromise, credential harvesting, and ultimately ransomware deployment [1].

According to the 2026 Unit 42 Global Incident Response Report, identity weaknesses now play a material role in nearly 90% of investigated breaches, and once inside a network, attackers are moving from initial access to data exfiltration in as little as 72 minutes [5]. That's the window businesses have to detect and respond.


Why AI Changed the Game (and Why Basic Security Still Wins)

For years, the assumption was that sophisticated attacks required sophisticated attackers. The FortiGate campaign undercuts that assumption.

The Unit 42 2026 report documents that AI is "compressing the attack timeline" and enabling actors with limited technical skills to operate "at a scale that would have previously required a significantly larger and more skilled team" [5]. Acronis corroborates this: 80% of ransomware groups are now actively promoting AI capabilities as core features of their operations [7].

What AI cannot do, however, is magic away a properly implemented MFA requirement, a firewall management interface that isn't internet-facing, or strong unique credentials. The attackers in this campaign made no attempt to break into hardened targets — they left them alone and found someone easier [1][2].

This is the practical takeaway: AI lowers the floor for attackers, but basic security hygiene raises your floor above where they bother to operate.


What Should Your Business Actually Do?

According to Amazon's recommendations [1] and CISA guidance [9], three actions address the core of this attack vector:

1. Disable Internet-Facing Management Access on Your Firewall

Your firewall's admin console should only be reachable from inside your network or via a secure jump host. On a FortiGate this means removing HTTPS and SSH from the WAN interface's allowed administrative access and, for each admin account, setting trusted hosts so logins are only accepted from your management subnet or jump host. If you've never checked whether yours is exposed, your IT provider or a basic external port scan can confirm this in minutes. This single step removes the primary attack surface used in this campaign [1][3].

2. Enable Multi-Factor Authentication on Everything — Start With VPN and Firewall Admin

MFA (multi-factor authentication) means that stolen credentials alone aren't enough to log in: the attacker also needs the second factor (an authenticator-app code or a hardware key; SMS codes are accepted on many platforms but are the weakest option). The FortiGate campaign specifically targeted devices with single-factor authentication [1]. With MFA on your VPN and admin access, the passwords recovered from a stolen configuration would not have been enough on their own. An exposed admin interface should still be closed, though: MFA stops the login, not the scanning and guessing traffic that precedes it.

3. Audit and Rotate Your Firewall and VPN Credentials

Default credentials and reused passwords are the cheapest attack vector available. Conduct a credential audit: change any defaults, ensure VPN user passwords are not the same as domain (Windows) account passwords, and implement a rotation policy for admin accounts [1][2].
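The three fixes can be checked mechanically against a FortiGate configuration backup, which is the same file the attacker exfiltrated. The following is an added example written for this page, not Fortinet's tooling and not code from any of the cited reports. The configuration text is constructed in the FortiOS config/edit/set/next/end layout using the standard keywords allowaccess, role, trusthost1, two-factor and type; the interface and account names are invented, and the audit assumes, as FortiOS backups behave, that an attribute left at its default (here two-factor disable) is omitted from the file.

```python
import shlex

# Constructed FortiOS-style configuration backup. Keywords are standard FortiOS
# CLI; names, addresses and the ENC placeholders are invented for this example.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKREDACTED"
        set password ENC REDACTED
    next
end
config user local
    edit "vpn.jsmith"
        set type password
        set passwd ENC REDACTED
    next
    edit "vpn.ldap.amartin"
        set type ldap
        set ldap-server "corp-ldap"
    next
end
"""

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse the FortiOS backup layout (config / edit / set / next / end) into
    nested dicts: {"system interface": {"wan1": {"allowaccess": [...], ...}}}.
    'set' values are kept as token lists; 'unset' and comments are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_fortigate_config(text):
    """Return (severity, message) findings for the three gaps this campaign used."""
    cfg = parse_fortios_config(text)
    findings = []

    # Fix 1: no management protocols on an interface with the WAN role.
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append(("HIGH", f"interface {name}: {sorted(exposed)} allowed on a WAN interface; remove them from allowaccess"))

    # Fix 2: every administrator needs MFA and a trusted-host restriction.
    # Assumption: FortiOS omits default values, so a missing two-factor means disable.
    for name, admin in cfg.get("system admin", {}).items():
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("HIGH", f"admin {name}: two-factor is disabled"))
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(("MEDIUM", f"admin {name}: no trusthost restriction; logins accepted from any source address"))

    # Fix 3: local accounts keep their password in the backup itself, so they
    # must be rotated if the config was ever exposed. Directory-backed users are not affected.
    for name, user in cfg.get("user local", {}).items():
        if user.get("type", [""])[0] == "password":
            findings.append(("MEDIUM", f"local user {name}: password stored in the device config; rotate if the config was exposed"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_fortigate_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the device, the matching fixes are: under config system interface, edit the WAN interface and trim allowaccess to what it actually needs (often just ping); under config system admin, set trusthost1 to your management subnet and set two-factor fortitoken (or email or sms) once a token is assigned. The exposure check is role-based, so an interface without set role wan will not be flagged; extend it to match public addresses if your configuration predates interface roles.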



The Business Case for Doing This Now

IBM's 2025 Cost of a Data Breach Report puts the global average breach cost at $4.44 million [6]. For small businesses specifically, the stakes are existential: Cybersecurity Ventures research shows that three out of five SMBs permanently close within six months of a significant breach [8].

The three fixes above don't require significant budget. MFA on most platforms costs nothing beyond configuration time. Removing internet-facing management access is a configuration change, not a procurement exercise. Credential auditing is a process, not a product.

What they do require is someone to actually check and confirm they're in place — because the FortiGate campaign is direct evidence that a meaningful number of businesses assumed they were protected but weren't.


FAQ

Q: Is my business at risk from this campaign?
A: If your FortiGate management interface is accessible from the internet and your credentials are weak or shared without MFA, yes: your device matches the profile of the targets in this campaign. The fix is to remove internet-facing management access and enable MFA. Check with your IT provider or run a quick external port scan to confirm your exposure status.

Q: Do I need to patch my FortiGate?
A: Patching is always worthwhile, but it would not have changed this campaign: the attacker exploited no software flaw. They exploited configuration gaps (exposed ports, weak credentials, no MFA). The same firewall with proper configuration would have been skipped entirely [1][2].

Q: Does this only affect FortiGate devices?
A: The attack targeted FortiGate devices specifically, but the underlying technique, scanning for exposed management interfaces and attempting common credentials, applies to any network appliance from any vendor. Review your router, firewall, and VPN management access settings regardless of brand.

Q: How do I check whether my firewall's management interface is exposed?
A: Ask your IT provider to run a scan of your public IP addresses, or use a tool like Shodan.io to check what ports are visible from the internet. Ports 443, 8443, 10443, and 4443 are the ones specifically targeted in this campaign [1][3]. Note that an open 443 may be the SSL-VPN portal rather than the admin interface; both deserve a look, and the admin login page should not be reachable on any of them.

Q: Isn't a strong password enough? How is MFA different?
A: A strong password is something you know. MFA adds something you have (an authentication app, a hardware key, or a one-time code sent to your phone). If an attacker steals your password, whether from a breach, a phishing email, or by guessing, MFA means they still can't log in. It is the single most effective control for stopping credential-based attacks.


References

[1] C. Moses, "AI-augmented threat actor accesses FortiGate devices at scale," AWS Security Blog, Feb. 20, 2026. [Online]. Available: https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/

[2] L. Abrams, "Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks," BleepingComputer, Feb. 21, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/

[3] The Hacker News, "AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries," The Hacker News, Feb. 2026. [Online]. Available: https://thehackernews.com/2026/02/ai-assisted-threat-actor-compromises.html

[4] Bloomberg Technology, "Hackers Used AI to Breach 600 Firewalls in Weeks, Amazon Says," Bloomberg, Feb. 20, 2026. [Online]. Available: https://www.bloomberg.com/news/articles/2026-02-20/hackers-used-ai-to-breach-600-firewalls-in-weeks-amazon-says

[5] Palo Alto Networks Unit 42, "2026 Unit 42 Global Incident Response Report," Palo Alto Networks, 2026. [Online]. Available: https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[7] Industrial Cyber, "Acronis report finds 80% of ransomware groups promote AI features as phishing and automation scale operations," Industrial Cyber, Feb. 2026. [Online]. Available: https://industrialcyber.co/ransomware/acronis-report-finds-80-of-ransomware-groups-promote-ai-features-as-phishing-and-automation-scale-operations/

[8] Cybersecurity Ventures, "Why Small Businesses Can't Afford To Ignore Cyberinsurance," Cybersecurity Ventures, 2026. [Online]. Available: https://cybersecurityventures.com/why-small-businesses-cant-afford-to-ignore-cyberinsurance/

[9] CISA, "Known Exploited Vulnerabilities Catalog," U.S. Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[10] Veeam Software, "CVE-2024-40711 Security Advisory," Veeam, 2024. [Online]. Available: https://www.veeam.com/kb4649


Is your firewall hardened against AI-augmented credential attacks? lilMONSTER offers rapid security assessments that check exactly this — management interface exposure, MFA coverage, and credential hygiene — in a single engagement. Book a consultation at lil.business →

TL;DR

  • A hacker used AI (like the kind that writes emails and does homework) to break into 600 business security systems in 5 weeks
  • They didn't do anything fancy — they just found businesses who left the door unlocked
  • Businesses who had basic locks in place were completely skipped
  • Three simple fixes cover you: turn on two-step login, close the back door, and change your password

Imagine Your Business Has a Security Guard Booth

Your firewall is like a security guard booth at the entrance to your business. The guard checks everyone coming in and only lets in the right people.

Now imagine that some businesses left a side door to the guard booth wide open — facing the street — with a sign that says "Admin Office." And the door was unlocked, with the default password still set to "password123."

That's basically what happened to 600 businesses in January and February 2026.

A hacker (possibly just one person) used AI tools to do something that used to require a whole team: scan millions of internet addresses, find which businesses had left that guard booth door open, and try the most common passwords until one worked [1][2].

The AI handled the boring, repetitive stuff — like having a robot try every door handle on a massive street in seconds, rather than one person walking for weeks.


What Did They Actually Steal?

Once they got into the guard booth, they found the filing cabinet with all the keys [2][3].

Inside the firewall's configuration file:

  • Passwords to get into the business's private network (like a back door key)
  • A full map of the business's internal computer network
  • Admin passwords to control the security system itself

With these, they could log into the business's private systems remotely — as if they worked there — and quietly set up for a ransomware attack. (Ransomware is when a criminal locks all your computers and demands money to unlock them.)


The Good News Buried in This Story

Amazon, which reported this attack, found something really important: every business that had basic security in place was completely left alone [1].

The hacker didn't try hard. If a door was locked — if the business had MFA turned on, or the guard booth wasn't visible from the street — the AI just moved to the next target [1][2].

This is actually great news for your business. You don't need to be the most secure business in the world. You just need to be more secure than the ones that did nothing.

Think of it like this: two houses are being checked by a thief. One has a deadbolt, a chain, and a security light. The other left the key under the mat. The thief doesn't break down the deadbolt. They take the key.


Three Fixes You Can Do This Week

These are the things that would have taken every one of those 600 businesses off the attacker's target list:

Fix 1: Enable Two-Step Login (MFA) on Your VPN and Firewall Admin

Two-step login (also called multi-factor authentication or MFA) means that even if someone steals your password, they still can't get in — they'd also need a code from your phone. This is free on most platforms. Ask your IT person to turn it on everywhere, starting with remote access (VPN) and firewall administration.

Fix 2: Make Sure Your Firewall Admin Page Isn't Visible From the Internet

Your firewall's admin settings page should only be accessible from inside your office — not from the internet. Ask your IT provider: "Can someone access our firewall admin interface from outside our network?" If yes, that needs to close. This is the specific door the attackers exploited [1][3].

Fix 3: Change Any Default or Reused Passwords on Your Network Equipment

Routers, firewalls, and network switches often come with default passwords. Change them. Also make sure VPN login passwords are different from regular Windows/email passwords — if one gets stolen, you don't want it to unlock everything else [1][2].


What This Means for Protecting What You've Built

You don't need fancy, expensive security tools to close these gaps. You need someone to check three things and confirm they're locked.

At lil.business, this is exactly the kind of rapid security checkup we do — look at what's exposed, find the unlocked doors, and fix them before someone finds them for you.

Book a quick security checkup at lil.business — we'll tell you exactly what needs fixing, in plain language.


FAQ


