The investigation into the Amazon AI cyberattack showed that attackers gained control of more than 600 devices across 55 countries. According to the latest Amazon Threat Intelligence report, the campaign ran from January 11 to February 18.
The attackers did not exploit advanced vulnerabilities. Instead, they targeted exposed management ports and weak, single-factor authentication settings.
The report shows how AI in cybercrime is reshaping threat operations. Commercially available AI tools were used to generate attack scripts, automate reconnaissance, and plan lateral movement inside networks. CJ Moses, Amazon CISO, stated that no FortiGate software vulnerabilities were exploited. Rather, “fundamental security gaps” allowed a low-to-medium-skilled actor to scale attacks rapidly. When the attackers detected stronger defenses, they shifted to easier targets, favoring efficiency over sophistication.
After breaching firewalls, the attackers extracted full device configurations, including SSL-VPN credentials, administrative passwords, and network maps. The stolen credentials enabled deeper intrusions into internal systems, including Active Directory environments and backup infrastructure.
Amazon researchers found that the observed activity matched pre-ransomware staging, indicating that it was intended to prepare for later extortion campaigns rather than to cause immediate system disruption.
The campaign relied not on known CVEs but on basic misconfigurations, showing that cybersecurity hygiene gaps persist. The research shows that AI lets threat actors reach their targets more quickly while increasing their operational capabilities.
Amazon has shared indicators of compromise with partners and urged organizations to secure edge devices, enforce multi-factor authentication, and monitor for post-exploitation activity. Organizations' defensive strategies need to develop at the same rate as AI adoption in their operations.