- Russian hacker breached FortiGate firewalls using weak credentials
- AI-generated scripts handled config analysis, reconnaissance and lateral movement
- The campaign targeted Veeam servers; the attacker abandoned the hardened systems
A Russian hacker was recently seen hacking his way through hundreds of firewalls, but what really sets this campaign apart is the fact that the seemingly unskilled threat actor was able to carry out his attacks with the help of generative artificial intelligence (GenAI).
In a new analysis, Amazon Integrated Security CISO CJ Moses explained how researchers observed a threat actor “systematically” scanning exposed FortiGate management interfaces on ports 443, 8443, 10443, and 4443.
After finding a target, they brute-forced their way in, trying commonly used and weak username/password combinations until one worked.
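The scanning and password guessing described above leaves a clear trace in the firewall's own event log, which is the check a defender would want in place. The following is an added example, not code from the article or from Amazon's analysis: it parses constructed FortiOS-style key=value log lines, flags a source that fails admin logins repeatedly inside a sliding window, escalates when that same source then logs in successfully, and lists management logins that arrive from outside a trusted-host allowlist. The logid values, the field names, the sample lines and the 10.0.0.0/8 allowlist are assumptions for the demonstration, not taken from the page; check them against your own firmware's log reference before relying on them.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real device output). Five failed admin logins
# from one internet source against a non-default management port, then a
# success from the same source, then a routine login from the LAN.
# Assumption: logid 0100032002 = admin login failed, 0100032001 = success.
SAMPLE_LOGS = [
    'date=2026-01-12 time=03:14:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstip=198.51.100.2 dstport=10443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:14:04 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstip=198.51.100.2 dstport=10443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:14:07 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" srcip=203.0.113.7 dstip=198.51.100.2 dstport=10443 action="login" status="failed" reason="name_invalid"',
    'date=2026-01-12 time=03:14:10 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstip=198.51.100.2 dstport=10443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:14:13 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstip=198.51.100.2 dstport=10443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:14:40 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" srcip=203.0.113.7 dstip=198.51.100.2 dstport=10443 action="login" status="success" reason="none"',
    'date=2026-01-12 time=09:00:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" srcip=10.0.5.9 dstip=10.0.0.1 dstport=443 action="login" status="success" reason="none"',
]

# Management networks allowed to reach the admin UI (assumption for the demo).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one FortiOS-style key=value line into a dict with a datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed admin logins per source IP.

    Emits a 'bruteforce' alert the first time a source reaches `threshold`
    failures inside `window`, and a 'success_after_bruteforce' alert when a
    flagged source then logs in, which is the case the article describes.
    """
    failures = defaultdict(list)   # srcip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in map(parse_event, lines):
        if ev.get("action") != "login":
            continue
        src = ev["srcip"]
        # keep only failures that are still inside the window
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev.get("status") == "failed":
            failures[src].append(ev["ts"])
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "srcip": src,
                               "count": len(failures[src]), "ts": ev["ts"]})
        elif ev.get("status") == "success" and src in flagged:
            alerts.append({"kind": "success_after_bruteforce", "srcip": src,
                           "user": ev.get("user"), "dstport": ev.get("dstport"),
                           "count": len(failures[src]), "ts": ev["ts"]})
    return alerts


def untrusted_admin_sources(lines, trusted=TRUSTED_MGMT_NETS):
    """Any admin login attempt, failed or not, from outside the allowlist
    means the management interface is reachable from where it should not be.
    Returns a set of (srcip, dstport) pairs."""
    hits = set()
    for ev in map(parse_event, lines):
        if ev.get("action") != "login":
            continue
        src = ipaddress.ip_address(ev["srcip"])
        if not any(src in net for net in trusted):
            hits.add((ev["srcip"], ev.get("dstport")))
    return hits


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
    print("admin UI reached from untrusted sources:",
          untrusted_admin_sources(SAMPLE_LOGS))
```

The second function is the more important one in practice: the article's attacker never needed a vulnerability, only an admin interface reachable from the internet. On FortiOS that is governed by `allowaccess` on each interface (it should not include `https` or `ssh` on a WAN-facing interface) and by the `trusthost` entries on each administrator account, with `admin-lockout-threshold` and `admin-lockout-duration` under `config system global` slowing down whatever guessing still gets through.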
A little rough around the edges
Once inside, the hacker extracted the device’s complete configuration files (SSL-VPN user credentials with recoverable passwords, administrative credentials, firewall policies and internal network architecture, etc.) and analyzed, decrypted and organized them using AI-generated Python scripts.
They then used the retrieved VPN credentials to connect to internal networks, deploying custom AI-generated reconnaissance tools (written in Go and Python) and pivoting to Active Directory.
“Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that only rephrase function names, a simplistic architecture with a disproportionate investment in formatting versus features, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for embedded languages with empty documentation stubs,” Moses said.
“While functional for the threat actor’s specific use case, the tool lacks robustness and fails in edge cases, typical characteristics of AI-generated code used without significant refinement.”
The attacker also specifically targeted Veeam Backup & Replication servers, deploying credential extraction tools and attempting to exploit known Veeam vulnerabilities.
All of this took place over just a few weeks, between January 11 and February 18, 2026. The researchers judged the attacker to be not especially skilled: throughout the operation he attempted to exploit various CVEs but largely failed wherever the targets were patched or hardened, and he frequently abandoned well-protected environments in favor of easier targets.
Via BleepingComputer