Russian hacker brute-forced FortiGate firewalls using weak credentials

AI-generated scripts enabled data parsing, reconnaissance, and lateral movement

The campaign targeted Veeam servers; attacker abandoned hardened systems

A Russian hacker was recently observed brute-forcing their way into hundreds of firewalls. What makes the campaign stand out is that a seemingly low-skilled threat actor pulled off the attacks with the help of generative artificial intelligence (GenAI).

In a new analysis, Amazon Integrated Security CISO CJ Moses explained how researchers observed a threat actor “systematically” scanning for exposed FortiGate management interfaces across ports 443, 8443, 10443, and 4443.

After finding a potential target, they brute-forced their way in, trying countless combinations of commonly used and weak credentials, until one worked.
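One way to catch the behaviour described above in a SIEM or a log-parsing script: count failed administrator logins per source address over a sliding window, and raise a higher-severity alert when a success follows a burst, because that is the moment a weak credential was guessed. This is an added example, not code from the Amazon analysis or from the attacker's tooling. The log lines are constructed, and the FortiGate-style field names (action, status, user, ui, dstport) are assumptions to map onto your own log export.

```python
"""Brute-force detection over FortiGate-style admin login events.

Added example for this article; it is not code from the Amazon analysis or
from the attacker's tooling. The log lines below are constructed to resemble
FortiGate key=value syslog for administrator logins; the field names are
assumptions, so map them to your own export before relying on the rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays the admin UI across the four
# management ports named in the article and succeeds on the seventh try;
# 198.51.100.20 mistypes once and then logs in, which should not alert.
SAMPLE_LOGS = """\
date=2026-01-11 time=03:14:01 action=login status=failed user=admin ui="https(203.0.113.7)" dstport=443
date=2026-01-11 time=03:14:02 action=login status=failed user=admin ui="https(203.0.113.7)" dstport=8443
date=2026-01-11 time=03:14:03 action=login status=failed user=admin ui="https(203.0.113.7)" dstport=10443
date=2026-01-11 time=03:14:04 action=login status=failed user=admin ui="https(203.0.113.7)" dstport=4443
date=2026-01-11 time=03:14:05 action=login status=failed user=admin ui="https(203.0.113.7)" dstport=443
date=2026-01-11 time=03:14:06 action=login status=failed user=fortinet ui="https(203.0.113.7)" dstport=443
date=2026-01-11 time=03:14:07 action=login status=success user=admin ui="https(203.0.113.7)" dstport=443
date=2026-01-11 time=03:20:00 action=login status=failed user=admin ui="https(198.51.100.20)" dstport=443
date=2026-01-11 time=03:20:05 action=login status=success user=admin ui="https(198.51.100.20)" dstport=443
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
SRC_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')   # IPv4 inside ui="https(...)"


def parse_line(line):
    """Split one key=value log line into a dict and derive src and ts."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SRC_RE.search(ev.get("ui", ""))
    ev["src"] = m.group(1) if m else None
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (src, kind, ts) alerts.

    'burst'                  : >= threshold failed logins from one source inside the window
    'success_after_failures' : a successful login from a source that was bursting,
                               i.e. the guessing probably worked; treat as compromise
    """
    recent_fails = defaultdict(deque)   # src -> timestamps of failures still inside the window
    reported = set()                    # sources already alerted as bursting
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("action") != "login" or not ev["src"]:
            continue
        q = recent_fails[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev.get("status") == "failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in reported:
                alerts.append((ev["src"], "burst", ev["ts"]))
                reported.add(ev["src"])
        elif ev.get("status") == "success":
            if len(q) >= threshold:
                alerts.append((ev["src"], "success_after_failures", ev["ts"]))
            q.clear()
            reported.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    for src, kind, ts in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(f"{ts.isoformat()} {src} {kind}")
```

The rule keys on the source address rather than the destination port, so spraying across 443, 8443, 10443 and 4443 still lands in one bucket. Tune the threshold and window to your own baseline of admin mistypes, and remember that the better fix is the one the campaign exploited the absence of: no management interface reachable from the internet, and no weak or default administrator password behind it.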

A little rough around the edges

Once inside, the hacker extracted full device configuration files, which contained SSL-VPN user accounts whose passwords were recoverable, administrative credentials, firewall policies, internal network architecture and more. They parsed, decrypted and organized this material using AI-generated Python scripts.

They then used the recovered VPN credentials to connect to internal networks, deploying custom AI-generated reconnaissance tools (written in Go and Python) and moving to Active Directory.

"Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-ins with empty documentation stubs," Moses said.

"While functional for the threat actor's specific use case, the tooling lacks robustness and fails under edge cases—characteristics typical of AI-generated code used without significant refinement."
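To make the "naive JSON parsing via string matching" tell concrete, here is an added example (not the attacker's code and not anything from the Amazon analysis) that puts a find()-based field extractor next to json.loads on a constructed document. The keys and values are made up; what matters is where the naive version silently returns the wrong thing, which is exactly the "fails under edge cases" behaviour Moses describes.

```python
"""String-matching 'JSON parsing' versus real deserialization.

Added example for this article, not code from the attacker's tooling or from
the Amazon analysis. SAMPLE is a constructed document with three edge cases
that trip a find()-based extractor: a nested object carrying the same key
first, a value containing an escaped quote, and whitespace before a colon.
"""
import json


def naive_get(doc, key):
    """Scan for '"key":' and grab the next quoted run. This is the fragile style."""
    marker = f'"{key}":'
    i = doc.find(marker)
    if i < 0:
        return None
    start = doc.index('"', i + len(marker)) + 1   # first quote after the marker
    end = doc.index('"', start)                   # next quote, escaped or not
    return doc[start:end]


def proper_get(doc, key):
    """Deserialize the document and look the key up at the top level."""
    return json.loads(doc).get(key)


# Constructed input. JSON text after Python escaping:
# {"vpn": {"user": "svc_backup"}, "user": "admin", "host" : "fw1", "password": "p\"ss"}
SAMPLE = '{"vpn": {"user": "svc_backup"}, "user": "admin", "host" : "fw1", "password": "p\\"ss"}'


if __name__ == "__main__":
    for key in ("user", "host", "password"):
        print(f"{key}: naive={naive_get(SAMPLE, key)!r} proper={proper_get(SAMPLE, key)!r}")
```

The naive extractor returns the nested "svc_backup" for user, truncates the password at the escaped quote, and misses host entirely because of the space before the colon; json.loads gets all three right. None of this is a vulnerability in itself, but it is the kind of brittleness that shows up when code is generated and shipped without being exercised on real data, and it is a useful fingerprint when you are attributing tooling recovered from an intrusion.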


The attacker also specifically targeted Veeam Backup & Replication servers, deploying credential extraction tools and attempting exploitation of known Veeam vulnerabilities.

The whole operation ran over little more than five weeks, between January 11 and February 18, 2026. The researchers assess the attacker as relatively unskilled: throughout the campaign they tried exploiting various CVEs but largely failed wherever targets were patched or hardened, and they frequently abandoned well-protected environments and moved on to easier targets.

Via BleepingComputer
