Amazon says Russian-speaking hacker used AI to hit one of world's most deployed network firewalls in 5 weeks

Amazon Threat Intelligence has revealed that a single “unsophisticated” attacker has compromised more than 600 organisations across 55 countries in just over a month. According to the company's findings, the campaign ran from January 11 to February 18, 2026, and targeted FortiGate firewalls – some of the most common security devices used by businesses worldwide. The hacker didn’t use any complex “zero-day” exploits or secret software flaws. Instead, they used commercial AI tools to automate the “grunt work” of cybercrime.

“This investigation highlights how commercial AI services can lower the technical barrier to entry for offensive cyber capabilities. The threat actor in this campaign is not known to be associated with any advanced persistent threat group with state-sponsored resources. They are likely a financially motivated individual or small group who, through AI augmentation, achieved an operational scale that would have previously required a significantly larger and more skilled team,” the company said.

“Yet, based on our analysis of public sources, they successfully compromised multiple organizations’ Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, a potential precursor to ransomware deployment. Notably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill,” it added.

How AI powered the attack

Amazon researchers described the operation as an “AI-powered assembly line”. While the hacker appeared to have limited technical skills, they used multiple commercial AI services (including tools like Claude and DeepSeek) to act as their “staff.”

According to the investigation, the AI was used for:

Attack planning: Generating step-by-step instructions for moving through a victim’s network.

Code generation: Writing custom scripts in Python and Go to steal passwords and map out internal systems.

Operational assistance: Scaling well-known attack techniques so that one person could do the work of a whole team.
About the Author: TOI Tech Desk

The TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. TOI Tech Desk’s news coverage spans a wide spectrum across gadget launches, gadget reviews, trends, in-depth analysis, exclusive reports and breaking stories that impact technology and the digital universe. Be it how-tos or the latest happenings in AI, cybersecurity, personal gadgets, platforms like WhatsApp, Instagram, Facebook and more; TOI Tech Desk brings the news with accuracy and authenticity.
