Amazon’s threat intelligence team has disclosed a multi-year Russian state-sponsored cyber espionage campaign against Western critical infrastructure. Between 2021 and 2025, Russia’s Main Intelligence Directorate (GRU), whose cyber units are tracked under names such as Sandworm and APT44, persistently targeted energy sector organizations and cloud-hosted network infrastructure across North America and Europe. The disclosure points to a shift in Russian tradecraft: misconfigured network edge devices, rather than software vulnerability exploitation alone, served as the preferred way in.
Russian GRU Campaign Targets Western Critical Infrastructure
Amazon attributes the campaign with high confidence to Russia’s GRU. Its primary tactic was compromising customer network edge devices whose management interfaces had been left exposed through misconfiguration. According to Amazon’s chief information security officer, CJ Moses, this approach let the actors harvest credentials and move laterally within victim networks while keeping their own exposure and resource expenditure low. The GRU’s objective appears to be positioning itself at the network perimeter, where it can intercept sensitive data in transit.
Exploitation of Network Edge Devices and Vulnerabilities
The actor’s tactics evolved over the five-year period, but misconfigured edge devices remained a constant. In 2021-2022, Amazon observed exploitation of a WatchGuard Firebox and XTM vulnerability (CVE-2022-26318) alongside the targeting of misconfigured devices. In 2023 the focus expanded to Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518), with misconfigured edge devices still serving as an entry point. By 2024 a Veeam Backup & Replication vulnerability (CVE-2023-27532) was in use, and the targeting of misconfigured edge devices continued into 2025. All four are publicly documented CVEs; patching them closes that path, but the misconfiguration route does not depend on any of them.
The intrusion activity targeted enterprise routers and routing infrastructure, VPN concentrators, remote access gateways, network management appliances, collaboration platforms, and cloud-based project management systems. Each of these sits on the path that users, administrators, and their credentials take into an organization, which is what makes them both critical to essential services and attractive interception points.
Amazon’s analysis of network connection data showed actor-controlled IP addresses holding persistent connections to compromised EC2 instances running customer network appliance software on Amazon Web Services (AWS). The pattern indicates interactive access and data retrieval across multiple affected instances, not one-off probing, and points to a deep level of compromise.
Credential Harvesting and Replay Attacks
A key element of the GRU’s strategy is harvesting credentials from intercepted network traffic and replaying them against victim organizations’ online services and infrastructure to gain a deeper foothold. Amazon assessed the specific replay attempts it observed as unsuccessful, but they show how credentials captured at the edge become the raw material for follow-on attacks.
The attack chain Amazon observed runs as follows: compromise a customer network edge device hosted on AWS; use the appliance’s native packet capture capability to collect credentials from traffic passing through it; replay those credentials against the victim’s services; and, where that succeeds, establish persistent access for lateral movement.
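The harvesting step above relies on packet capture running on the compromised appliance, and the advice later on this page is to audit edge devices for exactly that. The following Python script is an added example, not code from Amazon’s report or from any appliance vendor. It assumes a Linux-based appliance (such as a network appliance image on EC2) with shell access, and checks three host artifacts that capture leaves behind: interfaces switched into promiscuous mode, running processes named after common capture tools (the tool list is an assumption), and open AF_PACKET sockets, which any raw-frame capture needs regardless of what the binary is called. Vendor appliances with a built-in capture feature that does not run as a separate process need a vendor-specific check in addition to this.

```python
"""Audit a Linux-based network appliance for signs of unexpected packet capture.

Each check is a pure function over data that has already been read, so it can be
exercised on constructed input; audit_host() wires the checks to the live system.
"""
import os

IFF_PROMISC = 0x100  # from linux/if.h; set in /sys/class/net/<if>/flags

# Command names to look for. This list is an assumption: extend it with whatever
# capture tooling is (or is not) expected on your appliances.
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "ngrep", "tcpflow", "netsniff-ng"}


def promiscuous_interfaces(flags_by_iface):
    """Return names of interfaces whose flags have IFF_PROMISC set.

    flags_by_iface maps interface name -> raw text of /sys/class/net/<name>/flags,
    a hex string such as '0x1103'. Unparseable values are skipped.
    """
    found = []
    for name, raw in flags_by_iface.items():
        try:
            flags = int(raw.strip(), 16)
        except ValueError:
            continue
        if flags & IFF_PROMISC:
            found.append(name)
    return sorted(found)


def capture_processes(comm_by_pid):
    """Return sorted (pid, comm) pairs whose command name is a known capture tool.

    comm_by_pid maps pid -> raw text of /proc/<pid>/comm.
    """
    return sorted((pid, comm.strip()) for pid, comm in comm_by_pid.items()
                  if comm.strip() in CAPTURE_TOOLS)


def packet_sockets(proc_net_packet):
    """Parse the text of /proc/net/packet into a list of open AF_PACKET sockets.

    Columns are: sk RefCnt Type Proto Iface R Rmem User Inode. Type 3 is SOCK_RAW,
    proto 0003 is ETH_P_ALL (every frame), User is the owning uid.
    """
    sockets = []
    for line in proc_net_packet.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append({"type": cols[2], "proto": cols[3], "iface": cols[4],
                        "uid": cols[7], "inode": cols[8]})
    return sockets


def read_flags(root="/sys/class/net"):
    """Read the flags file of every interface into a name -> text mapping."""
    out = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                out[name] = fh.read()
        except OSError:
            pass
    return out


def read_comms(root="/proc"):
    """Read /proc/<pid>/comm for every running process into a pid -> text mapping."""
    out = {}
    for entry in os.listdir(root):
        if entry.isdigit():
            try:
                with open(os.path.join(root, entry, "comm")) as fh:
                    out[int(entry)] = fh.read()
            except OSError:
                pass  # process exited or is not readable
    return out


def audit_host():
    """Run all three checks against the live system and return the findings."""
    try:
        with open("/proc/net/packet") as fh:
            pkt = fh.read()
    except OSError:
        pkt = ""
    return {
        "promiscuous": promiscuous_interfaces(read_flags()),
        "capture_processes": capture_processes(read_comms()),
        "packet_sockets": packet_sockets(pkt),
    }


if __name__ == "__main__":
    for check, result in audit_host().items():
        print(f"{check}: {result if result else 'none found'}")
```

Findings need a baseline before they become alerts: bridge member ports are legitimately promiscuous, and daemons such as DHCP clients or LLDP agents hold AF_PACKET sockets by design. The useful signal is a socket or promiscuous interface that was not there at the last audit, or one owned by an account that has no business capturing traffic.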
Credential replay operations targeted entities in the energy, technology and cloud services, and telecommunications sectors across North America, Western and Eastern Europe, and the Middle East. The sustained focus on the energy sector’s supply chain, covering direct operators and third-party service providers alike, highlights the sector’s strategic importance to the GRU.
Broader Campaign and Future Implications
The identified intrusion set shares infrastructure with a cluster Bitdefender tracks as “Curly COMrades,” which is believed to operate in alignment with Russian interests. The overlap suggests a division of labor within a broader GRU campaign, with sub-clusters specializing in operational phases such as network access and host-based persistence.
Amazon has notified affected customers and disrupted ongoing threat actor operations targeting its cloud services. Organizations are advised to audit their network edge devices for unexpected packet capture utilities, keep management interfaces off the public internet, enforce multi-factor authentication, and monitor for authentication attempts from unusual geographic locations. One caveat on MFA: it blocks the replay of a captured password, but not the replay of a captured session token or API key, so encrypting management-plane traffic matters as much as the second factor. Watching for credential replay remains a core defensive measure against this kind of state-sponsored activity.
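The monitoring advice above, and the replay step in the attack chain described earlier, can be turned into a concrete detection. The following Python script is an added example, not code from Amazon or from the page. It assumes a simple key=value authentication log format with a geolocation field already resolved (the sample lines are constructed, using documentation IP ranges), and a 30-minute replay window, both of which are assumptions to adjust for a real log source. It flags two things: an account authenticating from a geography it has never used, and the same account authenticating from two different geographies within the window, which is what harvested credentials being replayed alongside the legitimate user’s own sessions look like.

```python
"""Flag credential replay against online services in authentication logs.

Baselines are learned from earlier successful logins in the same stream, so the
first geography seen for an account is trusted; in production, load the baseline
from a longer history instead of trusting the head of the stream.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=30)  # assumption: tune to your population

# Constructed sample log lines (not real events); the key=value format is an assumption.
SAMPLE_LOG = """\
2025-02-10T08:02:11Z user=ops.admin src=198.51.100.7 geo=US-OH result=success
2025-02-10T08:05:40Z user=ops.admin src=198.51.100.7 geo=US-OH result=success
2025-02-10T08:17:03Z user=ops.admin src=203.0.113.44 geo=NL result=failure
2025-02-10T08:17:09Z user=ops.admin src=203.0.113.44 geo=NL result=success
2025-02-10T09:30:00Z user=j.doe src=192.0.2.15 geo=US-TX result=success
2025-02-11T09:31:12Z user=j.doe src=192.0.2.15 geo=US-TX result=success
2025-02-11T14:45:50Z user=svc.backup src=192.0.2.99 geo=DE result=success
"""


def parse_line(line):
    """Parse one 'ISO-timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def detect_replay(lines, window=REPLAY_WINDOW):
    """Return a list of (user, src, geo, reason) alerts, one per distinct finding.

    Failed attempts are evaluated too, since a replay is suspicious whether or
    not it works, but only successes update an account's baseline.
    """
    alerts, seen = [], set()
    baseline = defaultdict(set)   # user -> geos seen in earlier successful logins
    last_success = {}             # user -> (timestamp, geo) of most recent success

    def alert(user, src, geo, reason):
        key = (user, geo, reason)  # dedupe repeated attempts from the same place
        if key not in seen:
            seen.add(key)
            alerts.append((user, src, geo, reason))

    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, src, geo = ev["user"], ev["src"], ev["geo"]

        # Signal 1: geography never seen for this account.
        if baseline[user] and geo not in baseline[user]:
            alert(user, src, geo, "auth from geo never seen for account")

        # Signal 2: a different geography shortly after a legitimate success.
        prev = last_success.get(user)
        if prev and prev[1] != geo and ev["ts"] - prev[0] <= window:
            alert(user, src, geo, "second geo within replay window")

        if ev["result"] == "success":
            baseline[user].add(geo)
            last_success[user] = (ev["ts"], geo)
    return alerts


if __name__ == "__main__":
    for user, src, geo, reason in detect_replay(SAMPLE_LOG.splitlines()):
        print(f"{user} from {src} ({geo}): {reason}")
```

On the sample data the ops.admin account trips both rules from the Dutch source within twelve minutes of its Ohio session, while j.doe and svc.backup stay quiet. Legitimate travel and VPN egress changes will also trip the first rule, which is why the second, time-bounded rule and a per-account baseline built from real history are what keep the alert volume workable.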
The campaign is ongoing and the GRU’s tactics adapt, so critical infrastructure providers need continuous monitoring and proactive defenses rather than one-time fixes. Further evolution, particularly in the exploitation of misconfigurations and supply chain weaknesses, remains a persistent threat that warrants sustained attention from security teams worldwide.