Exposed: Amazon Uncovers Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure

  • Dec 17, 2025
  • 2 min read

Key Findings


  • Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025.

  • The activity has been attributed with high confidence to Russia's Main Intelligence Directorate (GRU), citing infrastructure overlaps with APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear.

  • The campaign targeted energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure.

  • The attacks leveraged misconfigured customer network edge devices with exposed management interfaces, as well as exploits for vulnerabilities in WatchGuard Firebox, Atlassian Confluence, and Veeam.

  • The intrusion activity focused on enterprise routers and routing infrastructure, VPN concentrators, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.

  • The threat actor's goal was to facilitate credential harvesting at scale and gain a strategic foothold on the network edge to intercept sensitive information in transit.

  • Amazon identified and notified affected customers and disrupted active threat actor operations targeting its cloud services.


Background


The campaign attributed to the Russian GRU's cyber operations has been active since 2021, targeting critical infrastructure and cloud-hosted networks across Western nations. The threat actor has demonstrated a sustained focus on the energy sector supply chain, including both direct operators and third-party service providers with access to critical infrastructure networks.


Targeting Tactics and Techniques


The intrusion activity has evolved over the years, with the threat actor adapting its tactics to maintain effectiveness:


2021-2022


  • Exploitation of WatchGuard Firebox and XTM flaw (CVE-2022-26318)

  • Targeting of misconfigured edge network devices


2022-2023


  • Exploitation of Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518)

  • Continued targeting of misconfigured edge network devices


2024


  • Exploitation of Veeam flaw (CVE-2023-27532)

  • Continued targeting of misconfigured edge network devices


2025


  • Sustained targeting of misconfigured edge network devices


Credential Harvesting and Lateral Movement


  • The threat actor's intrusion activity focused on enterprise routers, VPN concentrators, network management appliances, collaboration platforms, and cloud-based project management systems.

  • This enabled the actor to position itself strategically on the network edge, where it could intercept sensitive information in transit and harvest credentials at scale.

  • Amazon observed credential replay attacks against victim organizations' online services as part of attempts to obtain a deeper foothold into targeted networks.

  • The credential replay operations targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East.
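
A defender-side illustration of the credential replay pattern described above (an added example, not code from the report, from Amazon or from Bitdefender): it scans constructed authentication log lines and flags an external source that successfully authenticates as one account against several services, or as several accounts, inside a short window. The log format, the thresholds and the heuristic itself are assumptions made for this example.

```python
"""Flag credential-replay patterns in auth logs (added example; heuristic is assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp service user src_ip result
SAMPLE_LOG = """\
2025-03-04T08:01:10Z vpn  alice 203.0.113.7  success
2025-03-04T08:01:44Z wiki alice 203.0.113.7  success
2025-03-04T08:02:03Z mail alice 203.0.113.7  success
2025-03-04T08:02:30Z vpn  bob   203.0.113.7  success
2025-03-04T08:03:15Z vpn  carol 203.0.113.7  failure
2025-03-04T08:03:50Z mail carol 203.0.113.7  success
2025-03-04T09:10:00Z wiki dave  198.51.100.9 success
2025-03-04T14:00:00Z vpn  dave  198.51.100.9 success
"""

WINDOW = timedelta(minutes=10)  # assumed review window


def parse(log_text):
    """Parse lines into (time, service, user, src_ip, result) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, svc, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), svc, user, ip, result))
    return sorted(events)


def replay_suspects(log_text, window=WINDOW, min_services=2, min_users=3):
    """Return {src_ip: reason} for sources whose successful logins look like replay."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        if ev[4] == "success":  # only credentials that actually worked matter here
            by_ip[ev[3]].append(ev)
    suspects = {}
    for ip, evs in by_ip.items():
        for i, (t0, _, _, _, _) in enumerate(evs):
            bucket = [e for e in evs[i:] if e[0] - t0 <= window]  # window starting at event i
            svcs_per_user = defaultdict(set)
            for _, svc, user, _, _ in bucket:
                svcs_per_user[user].add(svc)
            # Same account succeeding on several services, or many accounts succeeding
            # from one source, both point to replayed credentials rather than a normal user.
            multi_svc = sorted(u for u, s in svcs_per_user.items() if len(s) >= min_services)
            if multi_svc:
                suspects[ip] = f"{multi_svc} succeeded on {min_services}+ services within {window}"
                break
            if len(svcs_per_user) >= min_users:
                suspects[ip] = f"{len(svcs_per_user)} distinct accounts succeeded within {window}"
                break
    return suspects
```

On the sample data only 203.0.113.7 is flagged; dave's two logins from 198.51.100.9 are hours apart and fall outside the window.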


Potential Operational Division with Curly COMrades


  • The intrusion set shares infrastructure overlaps with another cluster, tracked by Bitdefender under the name Curly COMrades, which is believed to have been operating in line with Russian interests since late 2023.

  • This has raised the possibility that the two clusters may represent complementary operations within a broader campaign undertaken by the GRU.

  • The potential operational division, where one cluster focuses on network access and initial compromise while another handles host-based persistence and evasion, aligns with GRU operational patterns of specialized subclusters supporting broader campaign objectives.


Sources


  • https://thehackernews.com/2025/12/amazon-exposes-years-long-gru-cyber.html

  • https://www.instagram.com/p/DSVIVY1j0FX/

  • https://nationalcioreview.com/articles-insights/extra-bytes/amazon-reveals-gru-cyber-campaign-on-cloud-and-energy-infrastructure/

© 2025 by Explain IT Again.