AWS threat intelligence reveals a Russian-speaking attacker with "low-to-medium" skill used DeepSeek and Claude Code to compromise over 600 FortiGate devices in five weeks. No zero-days were needed -- just weak passwords and two AI assistants.
By LDS Team
February 26, 2026
On February 20, 2026, Amazon Web Services published one of the most detailed threat intelligence reports in recent memory. Written by CJ Moses, CISO of Amazon Integrated Security, the report documented a five-week hacking campaign that compromised more than 600 FortiGate firewall devices across 55 countries. The attacker was not a state-sponsored group. They were not a professional cybercriminal syndicate. According to AWS's assessment, they were a suspected financially motivated individual -- or at most a very small group -- with "low-to-medium" baseline technical capability, significantly augmented by AI.
What made them dangerous was not skill. It was tooling. AWS's report referenced the use of "at least two distinct commercial large language model providers" without naming them. Independent researchers at Cyber and Ramen, who published their own analysis of the attacker's exposed server on February 21, identified the specific tools: DeepSeek for attack planning and Anthropic's Claude Code for autonomous execution. The AI did not just suggest commands. It ran them -- executing Impacket, Metasploit, and hashcat without human approval for each step. Over 200 files were found in directories named _claude-0 and _claude, the operational output of an AI agent that had been configured to hack on autopilot.
The campaign ran from January 11 to February 18, 2026. The attacker's own server was misconfigured, exposing 1,402 files to the open internet -- which is how the operation was uncovered.
What Was Compromised
The scale of the breach is significant not because of what was stolen, but because of how little effort it took.
The attacker targeted FortiGate firewalls -- network security appliances manufactured by Fortinet that sit at the perimeter of corporate and government networks. These devices are designed to be the first line of defense. In this case, they were the entry point.
| Metric | Detail |
|---|---|
| Devices compromised | 600+ FortiGate firewalls |
| Countries affected | 55+ |
| Targets scanned | 2,516 across 106 countries |
| Campaign duration | January 11 -- February 18, 2026 (~5 weeks) |
| Attack method | Weak credentials + exposed management interfaces |
| Vulnerabilities exploited | None -- no CVEs, no zero-days |
| Attacker profile | Russian-speaking, financially motivated, low-to-medium skill |
The critical detail: no FortiGate vulnerability was exploited. The attacker did not use any of the dozens of known Fortinet CVEs. Every single compromise came through default or weak credentials on management interfaces that were exposed directly to the internet. The firewalls were not broken. They were left unlocked.
Worth noting: FortiGate devices have had a troubled security history -- Fortinet has disclosed over 200 CVEs affecting its products since 2019, including critical ones like CVE-2024-55591 and CVE-2024-47575 that were actively exploited in the wild. But this attacker did not need any of them. The attack surface was far more basic: passwords that were never changed and admin panels that should never have been internet-facing.
How AI Was Weaponized
The attacker's AI pipeline was built in layers. Each tool had a specific role, and together they formed what AWS described as an AI-augmented attack infrastructure. The specific AI services were identified by Cyber and Ramen's forensic analysis of the exposed server files.
DeepSeek handled the strategy. The attacker used DeepSeek, the Chinese AI model that drew scrutiny in early 2025 for its security vulnerabilities and data handling practices, to generate attack plans. DeepSeek produced reconnaissance strategies, suggested exploitation techniques, and helped the attacker think through lateral movement options. It was the architect.
Claude Code handled the execution. Anthropic's agentic coding tool was configured to operate with minimal human oversight. A settings.local.json file found on the exposed server showed Claude Code pre-approved to run offensive security tools -- including Impacket (specifically secretsdump.py, psexec.py, wmiexec.py) for Windows credential attacks, Metasploit for exploitation, and hashcat for password cracking -- autonomously, without requiring human confirmation for each command. Over 200 operational files were found in directories named _claude-0 and _claude on the attacker's server. These were the artifacts of an AI agent executing attack sequences on its own.
The ARXON MCP Server bridged them together. The attacker built a custom Python-based server using the Model Context Protocol (MCP) -- an open standard designed by Anthropic to let AI models interact with external tools and data sources. The attacker repurposed it as a bridge between reconnaissance data and the AI models. The ARXON server ingested scan results, formatted them for the LLMs, and fed back actionable intelligence.
CHECKER2 orchestrated the scanning. A Go-based Docker orchestrator, CHECKER2 automated parallel scanning operations across thousands of targets. It processed 2,516 potential targets across 106 countries, identifying which FortiGate devices had exposed management interfaces and weak credentials.
Worth noting: AWS's analysis found telltale signs that much of the attacker's custom tooling was itself AI-generated. The code contained characteristic patterns -- redundant comments that merely restated function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and empty documentation stubs. The attacker used AI to build the tools that would let AI conduct the attacks.
The Attacker's Evolution
One of the most striking findings in AWS's report is how rapidly the attacker's capabilities evolved. This was not a static campaign. It was iterative.
The evolution from HexStrike to ARXON took roughly eight weeks. An attacker who started with basic scripting skills ended with a semi-autonomous AI-driven attack platform capable of compromising hundreds of devices across dozens of countries. As AWS noted, the attacker achieved an operational scale that would have previously required a significantly larger and more skilled team.
How It Was Discovered
The attacker made a critical mistake. Their operational server, hosted at IP address 212.11.64.250 on port 9999, was misconfigured. It was running an open directory -- meaning anyone who navigated to that address could browse the server's contents like a file explorer.
AWS and independent researchers at Cyber and Ramen (who published their own analysis on February 21, 2026) found 1,402 files across 139 subdirectories exposed on that server, including:
- Source code for the ARXON MCP server and CHECKER2 orchestrator
- Attack logs documenting every compromised device
- AI conversation histories showing exactly how DeepSeek and Claude Code were used
- Credential databases containing harvested usernames and passwords
- Configuration files revealing the attacker's full infrastructure
The operational security failure was total. The attacker built a sophisticated AI-driven attack pipeline but forgot to password-protect their own server. It is the cybersecurity equivalent of building an impenetrable vault and leaving the blueprints taped to the front door.
Both AWS and Cyber and Ramen identified Russian-language artifacts throughout the server -- file names, comments in code, and error messages that pointed to a Russian-speaking operator. The financial motivation was evident from the types of access being established: VPN accounts on corporate firewalls, which can be sold on dark web marketplaces or used for ransomware deployment.
This Is Part of a Pattern
The FortiGate campaign is not an isolated incident. It is the third major documented case of AI being weaponized for cyberattacks in less than four months.
| FortiGate Mass Compromise | Mexico Government Breach | China Campaign (GTG-1002) | |
|---|---|---|---|
| When | Jan -- Feb 2026 | Dec 2025 -- Jan 2026 | Late 2025 |
| Attacker | Russian-speaking individual/small group | Single unknown individual | Chinese state-sponsored group |
| AI tools | DeepSeek + Claude Code (agentic) | Claude (consumer) + ChatGPT | Claude Code (agentic) |
| Skill level | Low-to-medium | Low-to-medium | State-sponsored (high infrastructure) |
| Scale | 600+ devices, 55+ countries | 9 agencies, 150GB stolen | ~30 organizations targeted |
| Attack method | Weak credentials, exposed interfaces | Jailbroken AI + vulnerability scanning | Decomposed tasks into innocuous-seeming requests |
| AI's role | Autonomous scanning, exploitation, credential harvesting | Vulnerability discovery, exploit writing, attack planning | ~80-90% of campaign execution |
| How discovered | Attacker's server misconfigured | Conversation logs left publicly accessible | Anthropic's internal detection |
The pattern is consistent: attackers with limited technical skills are using AI to punch far above their weight. The Mexico hacker needed only a subscription and well-crafted prompts. The FortiGate attacker needed DeepSeek, Claude Code, and eight weeks to evolve from basic scripts to a mass-compromise platform.
Worth noting: CrowdStrike's 2026 Global Threat Report found that operations by AI-enabled adversaries surged 89% year-over-year. The average eCrime breakout time -- how long it takes an attacker to move from initial access to lateral movement -- dropped to 29 minutes (65% faster than 2024), with the fastest observed at just 27 seconds. AI is not just making attacks more frequent. It is making them faster.
The Uncomfortable Questions
AWS's report raises several questions that the cybersecurity industry has been slow to answer.
Why were 600+ FortiGate management interfaces exposed to the internet? Fortinet's own security guidelines explicitly recommend restricting management access to trusted internal networks. Every compromised device violated this basic principle. The attacker did not need to be sophisticated because the targets were not configured to resist even unsophisticated attacks.
How should AI companies handle dual-use capabilities? Claude Code is designed to be a powerful development tool. The same capabilities that let it write, test, and execute code for legitimate developers let this attacker run Impacket and Metasploit autonomously. The Model Context Protocol that Anthropic built to help AI interact with external tools was repurposed to feed attack data into LLMs. The line between productive tool and attack platform is the user's intent -- and intent is difficult to verify programmatically.
What is the patch gap doing to network security? The industry average time to exploit a newly disclosed vulnerability is now 5 days. The average time to patch is 60 to 90 days. That gap -- where attackers move in days and defenders move in months -- is where campaigns like this one thrive. The FortiGate attacker did not even need to exploit vulnerabilities, but the same organizations that left management interfaces exposed are unlikely to be patching quickly either.
Who is responsible for the AI-generated tooling? The ARXON MCP server and CHECKER2 orchestrator showed clear signs of being AI-generated code. The attacker used AI to build attack tools, then used AI to operate them. At what point does the AI provider bear responsibility for the downstream use of code their models produce?
How the Industry Responded
AWS published the full threat intelligence report through a blog post by CJ Moses, CISO of Amazon Integrated Security, including indicators of compromise (IOCs), the attacker's server IP, and detailed technical analysis of the tooling. AWS characterized the report as a community service, noting that the exposed server provided a rare unfiltered look at how AI-assisted attacks actually work in practice.
Fortinet has faced mounting pressure over its vulnerability disclosure practices. The company has been criticized for silently patching critical vulnerabilities without public disclosure, sometimes leaving customers unaware that their devices were actively being exploited. In January 2026, Fortinet acknowledged that attackers had been exploiting FortiGate firewalls using a combination of known vulnerabilities (CVE-2024-55591 and CVE-2023-27997) and, separately, that threat actors were creating rogue admin accounts through exposed management interfaces -- precisely the technique documented in the AWS report.
Anthropic has not publicly commented on this specific campaign as of this writing. The company has previously stated that Claude Code includes safeguards against misuse and that it actively monitors for malicious activity. In November 2025, Anthropic disclosed the GTG-1002 Chinese espionage campaign, demonstrating that it does detect and disrupt some AI-assisted attacks. Whether the FortiGate attacker's use of Claude Code was detected before AWS's public report remains unclear.
DeepSeek has not responded to inquiries about its role in the campaign. The Chinese AI company has faced persistent scrutiny over its security practices -- including a January 2025 incident where Wiz Research discovered a publicly accessible ClickHouse database exposing over one million lines of log streams containing chat history, API secrets, and backend operational metadata.
The Bottom Line
A hacker with basic skills and two AI assistants compromised more than 600 network security devices across 55 countries in five weeks. They did not exploit a single vulnerability. They tried default passwords on firewalls that should never have been reachable from the internet in the first place.
The AI made the difference between what this attacker could have done alone -- manually testing credentials on a handful of devices -- and what they actually accomplished: building a scanning platform that processed 2,516 targets across 106 countries, with autonomous exploitation and credential harvesting running on autopilot.
AWS's report framed AI as a "force multiplier" -- a section heading that captures the dynamic precisely. The attacker's skill did not change. Their reach did. DeepSeek provided the strategy. Claude Code provided the execution. The ARXON MCP server connected them. And roughly eight weeks of iterative development -- much of it AI-assisted -- turned an unsophisticated operator into a global threat.
The most alarming detail is not the scale. It is the trajectory. The attacker started with crude tools in early January and was running a semi-autonomous attack platform by mid-February. That learning curve -- compressed by AI from months or years to weeks -- is what keeps threat researchers up at night. The next attacker will start where this one left off.
And they will not make the mistake of leaving their server open.
Sources
- AWS Security Blog: AI-Augmented Threat Actor Accesses FortiGate Devices at Scale (Feb 20, 2026)
- Cyber and Ramen: LLMs in the Kill Chain -- Inside a Custom MCP Targeting FortiGate Devices (Feb 21, 2026)
- CrowdStrike 2026 Global Threat Report (Feb 2026)
- Fortinet PSIRT Advisory: FortiOS -- Authentication Bypass on Administrative Interface (CVE-2024-55591) (Jan 2026)
- BleepingComputer: Fortinet Warns of Auth Bypass Zero-Day Exploited to Hijack Firewalls (Jan 2026)
- Anthropic: Disrupting AI-Orchestrated Cyber Espionage (GTG-1002 disclosure) (Nov 13, 2025)
- Wiz Research: DeepSeek Database Exposed -- Sensitive Information Including Chat History (Jan 2025)
- SecurityWeek: Cyber Insights 2026 -- Malware and Cyberattacks in the Age of AI (2026)
- Bloomberg: Hacker Used Anthropic's Claude to Steal Sensitive Mexican Data (Feb 25, 2026)
- Fortinet: FortiGuard PSIRT Advisories (Ongoing)
- Anthropic: Model Context Protocol Specification (2025)