
Amazon Threat Intelligence Warns of Russian GRU Hackers Targeting Misconfigured Devices

  • Dec 17, 2025
  • 2 min read

Key Findings:


  • Russian state-sponsored threat actors linked to the GRU are increasingly breaching critical infrastructure networks by exploiting basic configuration mistakes rather than software vulnerabilities.

  • The campaign has targeted energy providers and other critical infrastructure organizations across North America, Europe, and the Middle East since at least 2021.

  • The attackers focused on enterprise routers, VPN gateways, and network management appliances with exposed or poorly secured management interfaces, many of them in cloud environments.

  • After gaining access, the group harvested user credentials and attempted to reuse them against victim organizations' online services.

  • The campaign maintained a strong focus on the energy sector and its supply chain, including electric utilities, managed service providers, and supporting technology firms.


Background


Between 2021 and 2024, the attackers frequently relied on exploiting known and zero-day vulnerabilities to gain access. Amazon observed exploitation of flaws in WatchGuard firewalls, Atlassian Confluence, and Veeam backup software.


In 2025, that activity declined sharply and was replaced by sustained targeting of misconfigured network edge devices. Many of these devices were customer-owned appliances running in cloud environments, including on AWS.


Credential Harvesting and Replay Attacks


After gaining access, the group harvested user credentials and later attempted to reuse them against victim organizations' online services. Amazon assessed that the credentials were most likely collected through passive traffic interception, using the packet capture features built into the compromised devices themselves.
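Replayed credentials leave a trace that the text's pattern predicts: the same account succeeding from more than one source in a short window, and administrative logins arriving from networks the organization does not control. The following is an added example, not Amazon's or this page's code, that applies both checks to authentication logs. The JSON-lines log format, the trusted address ranges and the seven sample events are constructed assumptions; a real SSO or VPN gateway will need its own field mapping in `parse_events`.

```python
"""Flag possible credential replay in authentication logs.

Added example (not Amazon's code). Two checks from the report's pattern:
  * one account succeeding from two different source addresses within a
    short window (a harvested credential being replayed), and
  * administrative logins from outside the networks the organization expects.
Log format, trusted ranges and sample events are constructed assumptions.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: an SSO/VPN gateway emits one JSON object per line (constructed).
SAMPLE_LOG = """\
{"ts": "2025-12-10T08:00:00Z", "user": "alice", "src_ip": "10.1.2.3", "result": "success", "service": "vpn", "role": "admin"}
{"ts": "2025-12-10T08:12:00Z", "user": "alice", "src_ip": "198.51.100.7", "result": "success", "service": "webmail", "role": "admin"}
{"ts": "2025-12-10T09:00:00Z", "user": "bob", "src_ip": "10.1.2.9", "result": "success", "service": "vpn", "role": "user"}
{"ts": "2025-12-10T09:05:00Z", "user": "bob", "src_ip": "10.1.2.9", "result": "success", "service": "vpn", "role": "user"}
{"ts": "2025-12-10T10:00:00Z", "user": "carol", "src_ip": "198.51.100.7", "result": "failure", "service": "vpn", "role": "admin"}
{"ts": "2025-12-10T11:00:00Z", "user": "dave", "src_ip": "203.0.113.5", "result": "success", "service": "portal", "role": "admin"}
{"ts": "2025-12-10T15:00:00Z", "user": "dave", "src_ip": "192.0.2.44", "result": "success", "service": "portal", "role": "admin"}
"""

# Assumption: the organization's office and VPN egress ranges.
TRUSTED_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]


def parse_events(text):
    """Parse JSON lines into dicts; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True when the source address falls inside a trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_suspicious_logins(events, trusted_nets=TRUSTED_NETS, window=timedelta(minutes=30)):
    """Return findings in time order. Only successful logins matter here:
    a replayed credential that works is the signal the report describes."""
    findings = []
    seen = defaultdict(list)  # user -> earlier successful logins
    for event in sorted(events, key=lambda ev: ev["ts"]):
        if event["result"] != "success":
            continue
        if event["role"] == "admin" and not is_trusted(event["src_ip"], trusted_nets):
            findings.append({"type": "admin_from_untrusted", "user": event["user"],
                             "src_ip": event["src_ip"], "service": event["service"],
                             "ts": event["ts"].isoformat()})
        for prev in seen[event["user"]]:
            if prev["src_ip"] != event["src_ip"] and event["ts"] - prev["ts"] <= window:
                findings.append({"type": "credential_reuse", "user": event["user"],
                                 "src_ips": [prev["src_ip"], event["src_ip"]],
                                 "services": [prev["service"], event["service"]],
                                 "ts": event["ts"].isoformat()})
                break  # one finding per event is enough
        seen[event["user"]].append(event)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data this reports alice's admin login from 198.51.100.7 and, twelve minutes after her VPN login from an internal address, the reuse of her account against webmail; dave's afternoon login from 192.0.2.44 is flagged for location only, because it is hours away from his previous session. Note the trade-off in the trusted-range check: since the group proxied through compromised legitimate servers, a flagged source address may have a clean reputation, so allowlisting the organization's own egress ranges is more reliable than blocklisting known-bad ones.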


Targeting Critical Infrastructure


The campaign maintained a strong focus on the energy sector and its supply chain, including electric utilities, managed service providers, and supporting technology firms. Targeting was observed globally, with activity across North America, Europe, and the Middle East.


Proxy Infrastructure


Amazon also documented the group's long-term use of compromised legitimate servers as proxy infrastructure, which lets its traffic arrive from addresses that do not look hostile.


Recommendations


Amazon urged organizations to audit network edge devices, review authentication logs for credential reuse, and monitor administrative access from unexpected locations. For AWS environments, it recommended restricting security group access, isolating management interfaces, enabling logging and threat detection services, and regularly scanning instances for exposure.
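The "restrict security group access" and "scan instances for exposure" recommendations reduce to one question: which security group rules let a management port be reached from somewhere other than the approved administrative ranges? The following is an added example, not Amazon's or this page's code, that answers it over the data shape `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` returns. The three sample groups, the management port list and the approved CIDRs are constructed assumptions; in particular, 443 is on the list because edge appliances commonly serve their admin UI on it, so tune `MGMT_PORTS` per environment.

```python
"""Audit EC2 security groups for management ports reachable from outside
approved administrative ranges.

Added example, not Amazon's code. Input has the shape returned by boto3's
ec2 describe_security_groups(); the groups, port list and approved ranges
below are constructed assumptions.
"""
import ipaddress

# Assumption: ports that commonly carry an appliance's management plane.
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 443: "https-admin",
              3389: "rdp", 8443: "https-alt"}

# Assumption: bastion / VPN egress ranges from which administration is expected.
ALLOWED_ADMIN_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in describe_security_groups() shape.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "edge-vpn-appliance", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "core-router-mgmt", "IpPermissions": [
        # "-1" is the all-traffic rule; it carries no FromPort/ToPort keys.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "app-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # SSH only from another security group: no CIDR, so not an internet exposure.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bast"}]},
    ]},
]


def _port_range(perm):
    """Port span a rule covers; the all-traffic rule covers everything."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _within_allowed(cidr, allowed_nets):
    """True when the rule's source range lies entirely inside an approved range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed_nets)


def find_exposed_management_ports(security_groups, allowed_admin_cidrs):
    """Return one finding per (rule, source CIDR) that exposes a management port."""
    allowed = [ipaddress.ip_network(c) for c in allowed_admin_cidrs]
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("-1", "tcp", "udp"):
                continue  # icmp and other protocols carry no management plane
            lo, hi = _port_range(perm)
            ports = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _within_allowed(cidr, allowed):
                    continue
                findings.append({
                    "group": sg["GroupId"], "name": sg.get("GroupName", ""),
                    "protocol": perm["IpProtocol"], "ports": ports, "cidr": cidr,
                    "exposure": "world" if cidr in WORLD else "outside_allowlist",
                })
    return findings


if __name__ == "__main__":
    for finding in find_exposed_management_ports(SAMPLE_SECURITY_GROUPS, ALLOWED_ADMIN_CIDRS):
        print(finding)
```

Against the sample this flags the appliance's 443 rule open to the world, its 8443 rule open to a range outside the allowlist, and the router group's IPv6 all-traffic rule; the web tier's port 80 and the group-to-group SSH rule are correctly ignored. Offending rules can be removed with `aws ec2 revoke-security-group-ingress`, and the "isolate management interfaces" recommendation is the structural fix behind it: put the management interface in a subnet that is only reachable through the bastion or VPN ranges in `ALLOWED_ADMIN_CIDRS`, so that an all-traffic rule like sg-0bbb's cannot exist in the first place.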


Sources


  • https://hackread.com/amazon-russia-gru-hackers-misconfigured-vulnerabilities/

  • https://securityonline.info/sandworms-tactical-pivot-russian-gru-abandons-zero-days-to-weaponize-misconfigured-edge-devices/

  • https://www.securityweek.com/amazon-russian-hackers-now-favor-misconfigurations-in-critical-infrastructure-attacks/

  • https://x.com/HackRead/status/2000990350278791417

  • https://www.reddit.com/r/InfoSecNews/comments/1po8rn6/amazon_threat_intelligence_warns_russian_gru/


© 2025 by Explain IT Again. Powered and secured by Wix
