Attackers linked to Russia’s GRU have intensified their targeting of Western critical infrastructure, with a particular focus on the energy sector, as part of an ongoing campaign that began in 2021. The shift in tactics indicates a strategic evolution by the sophisticated threat group.
Amazon Threat Intelligence reported Monday that the group has simplified its operations in the current year by moving away from complex vulnerability exploitation. Instead, they are now prioritizing misconfigured network edge devices hosted on Amazon Web Services (AWS) as their primary entry point, according to CJ Moses, chief information security officer of Amazon Integrated Security.
GRU’s Evolving Tactics Target Critical Infrastructure
Researchers at Amazon have identified overlaps between the malicious infrastructure used by this threat group and operations attributed to Sandworm, a known Russian GRU-tied entity also referred to as APT44 and Seashell Blizzard. This correlation provides a high degree of confidence in attributing the activity to Russia’s GRU.
Amazon has notified customers impacted by these intrusions and has taken steps to remediate compromised EC2 instances. The company has also shared intelligence with partners and affected vendors to support ongoing investigations. Specific details on the number of attacks attributed to this campaign or changes in activity pace since 2021 were not provided.
Focus on the Energy Sector and Beyond
The Russian state-sponsored threat group has consistently targeted Western organizations within the energy sector, including electric utilities, energy providers, and managed security service providers that specialize in supporting the energy industry. This sustained focus reflects the sector’s perceived importance to the attackers’ objectives.
Beyond the energy sector, the threat group has also demonstrated interest in collaboration platforms, source code repositories, organizations utilizing cloud-based network infrastructure, and critical infrastructure providers across North America and Europe. Telecom providers in multiple regions have also been identified as targets.
Shift to Misconfigured Network Edge Devices
The typical attack chain begins with a compromised network edge device hosted on AWS. Attackers then attempt to intercept data traversing the network to steal credentials. These stolen credentials are subsequently used to gain access to other victim services and infrastructure, allowing the attackers to maintain persistence.
CJ Moses emphasized that the compromise of network edge devices on AWS is not an indication of a flaw within Amazon’s infrastructure. Instead, the vulnerabilities arise from improper device configuration by the customers. The GRU-associated attackers have been observed targeting enterprise routers, routing infrastructure, large organization VPNs, remote-access gateways, and network management appliances.
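The misconfiguration described above is, in AWS terms, usually an inbound security-group rule that leaves a device's management plane reachable from any source address. As an added illustration (not code from the article or from Amazon), the audit below reads security groups in the JSON shape produced by `aws ec2 describe-security-groups --output json` and flags management ports opened to `0.0.0.0/0` or `::/0`. The port table and the three sample groups are constructed for the example and should be tuned to your own estate.

```python
"""Audit AWS security-group rules for management ports of network edge
devices exposed to the whole internet. Added example, not the article's
or Amazon's code; input shape follows `aws ec2 describe-security-groups`."""
import json

# Management-plane ports commonly exposed by routers, VPN concentrators,
# remote-access gateways and network-management appliances. Service ports a
# gateway must expose (e.g. tcp/443 on a VPN portal) are deliberately absent;
# extend this table to match your own estate (constructed list).
MANAGEMENT_PORTS = {
    ("tcp", 22): "ssh",
    ("tcp", 23): "telnet",
    ("udp", 161): "snmp",
    ("tcp", 830): "netconf",
    ("tcp", 3389): "rdp",
    ("tcp", 8443): "https-admin-alt",
}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Return (low, high) for an IpPermissions entry; "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_open_sources(perm):
    """CIDRs in this rule that admit every IPv4 or IPv6 address."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANY_SOURCE]


def find_exposed_management_ports(security_groups):
    """Return sorted (group_id, port, service, cidr) tuples for every
    management port that an inbound rule opens to the whole internet."""
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            open_sources = _world_open_sources(perm)
            if not open_sources:
                continue
            lo, hi = _port_range(perm)
            for (svc_proto, port), service in MANAGEMENT_PORTS.items():
                if proto in ("-1", svc_proto) and lo <= port <= hi:
                    for cidr in open_sources:
                        findings.add((sg["GroupId"], port, service, cidr))
    return sorted(findings)


def find_from_cli_output(json_text):
    """Accept the raw JSON printed by `aws ec2 describe-security-groups`."""
    return find_exposed_management_ports(json.loads(json_text)["SecurityGroups"])


def report(findings):
    """Human-readable lines, one per finding."""
    return [f"{gid}: {service} ({port}) open to {cidr}"
            for gid, port, service, cidr in findings]


# Constructed sample resembling describe-security-groups output (not real data).
SAMPLE_SECURITY_GROUPS = [
    {   # edge router: SSH and SNMP reachable from anywhere -> findings
        "GroupId": "sg-0a1edge", "GroupName": "edge-router-mgmt",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": []},
            {"IpProtocol": "udp", "FromPort": 161, "ToPort": 161,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # VPN gateway: only the service port is public, SSH limited to RFC1918 -> clean
        "GroupId": "sg-0b2vpn", "GroupName": "vpn-gateway",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # network-management appliance: allow-all rule from any IPv6 source
        "GroupId": "sg-0c3nms", "GroupName": "net-mgmt-appliance",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for line in report(find_exposed_management_ports(SAMPLE_SECURITY_GROUPS)):
        print(line)
```

Run against real output by piping the CLI's JSON into `find_from_cli_output`. The VPN gateway in the sample passes because tcp/443 is a service port it must expose; the point is to separate ports a device needs to serve from ports that only an administrator should reach, and to restrict the latter to a management network or bastion.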
Previous Exploitation Methods
From 2021 to 2024, the campaign relied heavily on exploiting known software vulnerabilities, including CVE-2022-26318 impacting WatchGuard, CVE-2021-26084 and CVE-2023-22518 affecting Confluence, and CVE-2023-27532 targeting Veeam.
However, the shift to targeting misconfigured network edge devices this year lets the attackers achieve similar strategic goals at reduced risk and potentially lower operational cost. Because vulnerability exploitation is comparatively easy to detect, the change in methodology is intended to lower the likelihood that their activities are discovered.
“While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” Moses stated in the blog post. “The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”
Sandworm’s Notoriety and Past Activity
Sandworm is recognized as one of the most prominent state-sponsored threat groups over the past decade. Their primary targets have historically included government, defense, transportation, energy, media, and civil society organizations, particularly in regions bordering Russia. The group has repeatedly targeted Western electoral systems and institutions, including those within NATO member states. Notably, Sandworm has successfully disrupted electricity distribution in Ukraine on three occasions through cyberattacks.
The continued evolution of GRU’s tactics, specifically the pivot towards exploiting common misconfigurations, suggests a sustained and adaptable threat to critical infrastructure. The next steps will involve continued monitoring by cybersecurity firms and government agencies to detect and mitigate these evolving threats. Organizations utilizing cloud infrastructure are encouraged to review their network edge device configurations to prevent potential exploitation.