
A Low-Skill Hacker Used Claude and DeepSeek to Breach 600 Firewalls in Five Weeks

Amazon exposes a Russian-speaking hacker who used ARXON (an MCP server feeding data to Claude and DeepSeek) and CHECKER2 to breach 600+ FortiGate firewalls across 55 countries in five weeks - no zero-days required.


Amazon's threat intelligence team has exposed a campaign in which a single Russian-speaking hacker - described as having low-to-medium technical skill - used commercial AI tools including Anthropic's Claude and DeepSeek to breach over 600 FortiGate firewalls across 55 countries in just five weeks. The campaign, which ran from January 11 to February 18, 2026, required no zero-day exploits. Instead, the attacker leaned on AI to do what they couldn't do alone: plan attacks, prioritize targets, generate vulnerability assessments, and automate lateral movement across compromised networks.

  • What: A single threat actor used Claude, DeepSeek, and custom AI tooling to compromise 600+ Fortinet firewalls in 55 countries
  • How: No zero-days - just exposed management ports, weak passwords, and AI-generated attack plans
  • AI tools: ARXON (MCP-based Python server feeding stolen data to LLMs) and CHECKER2 (Go-based parallel scanner)
  • Scale: 2,516 targets across 106 countries scanned; 600+ breached; 1,402 files found on the exposed attacker server
  • Post-breach: Full config extraction, AD takeover via DCSync, Veeam backup targeting - consistent with pre-ransomware staging
  • The takeaway: AI didn't just lower the skill barrier for hacking - it functionally removed it

The Attack: No Exploits, Just AI and Bad Passwords

The campaign's initial access method was almost embarrassingly simple. The attacker scanned the internet for Fortinet FortiGate management interfaces exposed on common ports - 443, 8443, 10443, and 4443 - then launched brute-force password attacks against systems that lacked multi-factor authentication.

No sophisticated exploit chains. No zero-day vulnerabilities. Just exposed admin panels and commonly reused passwords.

Once authenticated, the attacker extracted full configuration backups containing SSL-VPN user credentials, LDAP bind accounts, IPsec VPN settings, firewall policies, internal network maps, and detailed routing information. A Python script then decoded the backup's ENC-formatted passwords, which FortiOS protects with a hardcoded key (CVE-2019-6693), giving the attacker cleartext credentials to pivot deeper into victim networks.

ARXON and CHECKER2: The AI Kill Chain

What makes this campaign unprecedented is not the initial access technique - it's the systematic integration of commercial AI into every phase of the attack lifecycle.

The attacker built two custom tools that turned commercial LLMs into an autonomous offensive pipeline:

ARXON, a Python-based Model Context Protocol (MCP) server, functioned as the campaign's brain. It ingested stolen network data - routing tables, credential dumps, host inventories - and fed it to Claude and DeepSeek to generate step-by-step attack plans, prioritize high-value targets, and produce vulnerability assessments during live intrusions. An independent Japanese researcher at cyberandramen.net discovered folders labeled "claude" and "claude-0" on the attacker's exposed server, containing cached prompts and AI session artifacts - evidence of systematic AI integration rather than opportunistic use.

CHECKER2, a Docker-based Go tool, orchestrated parallel VPN endpoint scanning across the attacker's target list. Operational logs recovered from the exposed server showed 2,516 targets across 106 countries, spanning Northern Europe, South Asia, Southeast Asia, Latin America, the Caribbean, and West Africa. The targeting was opportunistic - not industry-specific - suggesting the attacker was casting the widest possible net.

From Firewall to Domain Admin

After the initial breach, AI continued to drive the operation through AI-generated post-exploitation scripts.

The post-exploitation playbook was textbook: BloodHound for Active Directory mapping, NTLM relay attacks, DCSync to pull the complete password-hash database from a domain controller, and pass-the-hash and pass-the-ticket techniques for lateral movement. What wasn't textbook was having an LLM orchestrate the sequencing.
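The DCSync step is one of the few in this chain that leaves a clean host-side signal: a directory replication request, logged as Windows Security event 4662 carrying the DS-Replication-Get-Changes extended rights, from an account that is not a domain controller. The detection logic below is an added example, not Amazon's or the attacker's code. The event lines are constructed in a flattened key=value form rather than real Windows log text, and the allowlist prefix for directory-sync service accounts is an assumption about a typical environment; the replication-right GUIDs themselves are Active Directory's documented values.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added example; not Amazon's detection logic. SAMPLE_EVENTS are constructed
in a flattened key=value form, not real Windows log records."""
import re

# Extended rights a DCSync needs. A real domain controller requests the same
# rights when it replicates, so the requesting account decides the verdict.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ACCESS_MASK bit for "control access" (extended rights)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # DC01 replicating from a peer DC: expected behaviour.
    "EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # A human account requesting full replication rights: the DCSync signature.
    "EventID=4662 SubjectUserName=jsmith ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Ordinary property read; the GUID is a constructed non-replication placeholder.
    "EventID=4662 SubjectUserName=svc_backup ObjectType=user AccessMask=0x10 "
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    # Directory-sync service account: replication is its job if allowlisted.
    "EventID=4662 SubjectUserName=MSOL_a1b2c3 ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # A machine account that is not a known DC asking to replicate: suspicious.
    "EventID=4662 SubjectUserName=WS-042$ ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)


def parse_event(line):
    """Split a flattened key=value event line into a dict. Everything after
    'Properties=' is kept whole so the GUID list survives the split."""
    fields = {}
    head, _, props = line.partition(" Properties=")
    for token in head.split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["Properties"] = props
    return fields


def replication_rights(properties):
    """Names of the replication rights referenced in a Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(lines, known_dcs, allowlist=()):
    """Return (subject, rights) for each 4662 that looks like DCSync.

    known_dcs: machine accounts of real domain controllers, e.g. {"DC01$"}.
    allowlist: name prefixes of non-DC principals that legitimately replicate."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue  # not an extended-right request
        rights = replication_rights(ev["Properties"])
        if not rights:
            continue  # some other property access
        subject = ev["SubjectUserName"]
        if subject in known_dcs or any(subject.startswith(p) for p in allowlist):
            continue  # replication is expected from these
        alerts.append((subject, rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}, ("MSOL_",)):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Domain controllers replicate from each other constantly, so the GUIDs alone are noise; the verdict turns on who requested the rights. Run it over 4662 events collected from every DC, keep the known-DC set current, and treat a hit from an interactive user or from a machine account that is not a DC as an incident rather than a lead.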

Targeting Backups: The Ransomware Precursor

Perhaps the most alarming finding was the attacker's aggressive targeting of backup infrastructure. Veeam Backup & Replication servers were specifically hunted using:

  • Exploit attempts for CVE-2024-40711 (Veeam Backup & Replication remote code execution)
  • Exploit attempts for CVE-2023-27532 (Veeam Backup & Replication stored-credential disclosure)
  • PowerShell scripts designed to extract stored backup credentials
  • QNAP NAS targeting via CVE-2019-7192

This behavior is consistent with pre-ransomware staging - destroying or encrypting backups before deploying ransomware to maximize leverage. The attacker was building the infrastructure for a large-scale extortion campaign.

The Irony: AI-Generated Code That Barely Works

Amazon's analysis revealed a telling paradox. The AI-generated tools were effective at scale but fragile under pressure. Researchers found redundant comments, simplistic architecture, naive JSON parsing, and poor error handling throughout the codebase - hallmarks of AI-generated code used without significant refinement.

When the attacker encountered properly hardened systems, the AI-assisted tools frequently failed. Operational notes, written in Russian, showed the actor simply abandoned difficult targets and moved to easier ones - a volume-over-precision strategy enabled by AI's ability to generate attack plans faster than the attacker could manually evaluate targets.

CJ Moses, Amazon's CISO, noted that the attacker "relied heavily on AI outputs" but lacked the expertise to adapt when those outputs failed. The campaign succeeded not because of skill but because of scale - and the sheer number of organizations running exposed, poorly configured firewalls.

What This Means for AI Security

This campaign is the clearest demonstration yet that commercial AI has fundamentally changed the threat landscape. A single individual with limited technical capability was able to:

  1. Scan 2,500+ targets across 100+ countries
  2. Breach 600+ enterprise firewalls
  3. Extract credentials, map Active Directory environments, and stage for ransomware
  4. Do it all in five weeks

The barrier to entry for large-scale cyber intrusions hasn't just been lowered - it's been functionally removed. The attacker's exposed server at 212.11.64.250, discovered by independent researchers, contained 1,402 files across 139 directories: stolen firewall backups, credential dumps, vulnerability scans, and AI session artifacts documenting every step of the campaign.

For organizations running Fortinet equipment - or any internet-exposed management interface - the defensive recommendations are urgent and unambiguous:

  • Never expose management interfaces to the public internet
  • Enable MFA on all administrative and VPN accounts
  • Ensure SSL-VPN user passwords are not reused as Active Directory credentials
  • Harden backup infrastructure - Veeam servers are now primary targets
  • Audit SSH activity and new VPN account creation for signs of compromise
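The first three items above can be checked directly against a configuration backup, the same artifact the attacker pulled during initial access: which interfaces expose an admin service, which admin accounts lack both two-factor and a trusted-host restriction, and how many ENC-wrapped secrets a leaked backup would hand over once decoded. The script below is an added example, not Amazon's tooling and not the attacker's. Its SAMPLE_CONFIG is constructed, and the CLI keywords it looks for (allowaccess, role, two-factor, trusthost, ENC-prefixed values) follow FortiOS conventions as assumed here rather than text quoted from the report.

```python
"""Audit a FortiGate configuration backup for the weaknesses this campaign
relied on. Added example, not Amazon's tooling. SAMPLE_CONFIG is constructed;
the keywords it uses (allowaccess, role, two-factor, trusthost1, ENC) follow
FortiOS CLI conventions and are assumptions of this example."""
import shlex

MGMT_SERVICES = {"https", "http", "ssh", "telnet"}   # admin-capable services
SECRET_KEYS = {"password", "passwd", "psksecret"}     # keys stored as ENC blobs

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set password ENC AAAAconstructed0
    next
    edit "ops"
        set two-factor fortitoken
        set trusthost1 10.10.0.0 255.255.0.0
        set password ENC AAAAconstructed1
    next
end
config user ldap
    edit "corp-ldap"
        set username "CN=svc-ldap,OU=Service,DC=corp,DC=example"
        set password ENC AAAAconstructed2
    next
end
config user local
    edit "vpn.jsmith"
        set passwd ENC AAAAconstructed3
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set psksecret ENC AAAAconstructed4
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config text into {section: {entry: {key: [values]}}}.
    Sections without 'edit' blocks keep settings under entry '_'; a 'config'
    nested inside an 'edit' is stored under the key 'config <name>'."""
    tree, stack = {}, []                      # stack frames: [section, entry]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            name = " ".join(args)
            parent = stack[-1][1] if stack and stack[-1][1] is not None else None
            sect = (parent.setdefault("config " + name, {}) if parent is not None
                    else tree.setdefault(name, {}))
            stack.append([sect, None])
        elif cmd == "edit":
            stack[-1][1] = stack[-1][0].setdefault(args[0], {})
        elif cmd == "set":
            sect, entry = stack[-1]
            target = entry if entry is not None else sect.setdefault("_", {})
            target[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return tree


def audit(cfg):
    """Return the three things an attacker holding this backup cares about."""
    findings = {"exposed_mgmt": [], "admins_without_mfa": [], "enc_secrets": []}
    # 1. Admin services reachable on a WAN-role interface: the brute-force surface.
    for name, iface in cfg.get("system interface", {}).items():
        services = set(iface.get("allowaccess", [])) & MGMT_SERVICES
        if services and iface.get("role", ["lan"])[0] == "wan":
            findings["exposed_mgmt"].append((name, sorted(services)))
    # 2. Admin accounts with neither two-factor nor a trusted-host restriction.
    for name, admin in cfg.get("system admin", {}).items():
        has_mfa = admin.get("two-factor", ["disable"])[0] != "disable"
        has_trusthost = any(k.startswith("trusthost") for k in admin)
        if not has_mfa and not has_trusthost:
            findings["admins_without_mfa"].append(name)
    # 3. Every ENC-wrapped secret: what a stolen backup hands over once decoded.
    for section, entries in cfg.items():
        for entry, settings in entries.items():
            for key, values in settings.items():
                if key in SECRET_KEYS and isinstance(values, list) and values[:1] == ["ENC"]:
                    findings["enc_secrets"].append(f"{section}/{entry}/{key}")
    return findings


if __name__ == "__main__":
    for kind, items in audit(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{kind}: {items}")
```

The remediation lives in the same CLI the audit reads: remove https and ssh from the WAN interface's allowaccess list so administration is reachable only from the inside or over a VPN, and give every admin both a two-factor method and a trusthost restriction. The ENC inventory is the reason a backup has to be handled as a credential store: each entry it lists is a cleartext credential to anyone who obtains the file.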

The AI safety debate has largely focused on hypothetical risks. This campaign makes the risk concrete: commercial LLMs are already being used as force multipliers for real-world cyberattacks, and the defenders are playing catch-up.


About the author

Elena, Senior AI Editor & Investigative Journalist, is a technology journalist with over eight years of experience covering artificial intelligence, machine learning, and the startup ecosystem.