A Russian state-sponsored group has been targeting network edge devices in Western critical infrastructure since at least 2021, with operations intensifying through 2025. The campaign is linked to Russia’s Main Intelligence Directorate (GRU) and to the Sandworm group, and it marks a change in tradecraft: rather than relying on previously unknown software flaws (zero-days), the attackers now mostly go after customer network devices whose management interfaces have been left reachable from the internet.
The shift lets the threat actors reach the same objectives, persistent access and credential theft, while making their activity considerably harder to detect, because logging in to an exposed interface leaves no exploit signature for defenders to match. The primary targets are organisations in the energy sector across North America and Europe, along with other critical infrastructure providers. Compromised devices include enterprise routers, VPN gateways, and network management tools, many of them hosted on cloud platforms such as Amazon Web Services (AWS).
Credential Harvesting and Replay Operations in Critical Infrastructure Attacks
Once on an edge device, the attackers are positioned to intercept the authentication traffic passing through it and harvest the credentials it carries. The stolen credentials are then used to log in to the victims’ online services, cloud environments, and internal corporate systems. AWS analysts identified the campaign through their threat intelligence telemetry, observing coordinated attacks against customer network edge devices hosted on AWS. The compromises were not attributed to any flaw in AWS itself but to customer-side misconfigurations that left management interfaces reachable from the public internet. The check a practitioner should make is simple: an edge device should accept management connections only from an administrative network or bastion host, never from any address on the internet.
Network traffic analysis showed sustained connections from attacker-controlled IP addresses to compromised EC2 instances running network appliance software, a pattern consistent with interactive access and ongoing data exfiltration. The campaign’s timeline shows a clear progression. In 2021-2022 the attackers exploited a WatchGuard vulnerability, CVE-2022-26318. In 2022-2023 they shifted to Confluence, using CVE-2021-26084 and CVE-2023-22518. By 2024, exploitation of Veeam via CVE-2023-27532 had become a prominent tactic. Throughout 2025 the focus has been on misconfigured devices, with a corresponding drop in investment in vulnerability exploitation, which underlines the pivot toward targets that are simply easier to reach.
The attackers use packet capture on compromised devices to harvest credentials quietly. After gaining access, they intercept authentication traffic flowing through the affected infrastructure. The gap observed between initial compromise and the first attempts to replay stolen credentials points to passive collection rather than immediate use. This captures not only the device’s own passwords but also the credentials of users authenticating to other services through the compromised infrastructure: anything the device terminates or forwards in the clear, including logins to its own management interface and the traffic inside VPN tunnels it decrypts, is exposed to an attacker who controls it. Once enough credentials have been accumulated, the threat actors replay them against the victims’ online services, including collaboration tools, source code repositories, and cloud management consoles. A captured password is only useful for replay where the password alone is sufficient to log in; accounts protected by phishing-resistant MFA such as FIDO2 security keys do not fall to this technique.
AWS researchers have repeatedly documented the same sequence: compromise of a network edge device, followed by a concerted effort to authenticate to the victim’s cloud services and enterprise applications with the stolen credentials. The attackers have been observed connecting to authentication endpoints at electric utilities, energy providers, managed security service providers, and telecommunications companies across North America, Europe, and the Middle East. Examination of the WatchGuard exploitation also illustrates the attackers’ technical care. The captured exploit payload encrypted stolen configuration files with Fernet, the symmetric authenticated-encryption scheme from the Python cryptography library, transferred them over TFTP to compromised staging servers, and then deleted the temporary files, an anti-forensic step that removes the obvious on-device evidence.
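To make that correlation concrete, here is an added example, not AWS’s detection logic, that runs over constructed records: VPC Flow Log lines in the default (version 2) format and CloudTrail-style ConsoleLogin events. The appliance address, the management ports, the thresholds and every record are assumptions. The logic first finds external addresses that hold long, high-volume accepted sessions to an appliance management port, then flags later sign-ins that come from one of those addresses (attempts included) or that succeed from an address the account had never used before the suspected compromise.

```python
"""Correlate sustained sessions to an edge device with later cloud sign-ins.

Added example, not AWS's detection logic. Input shapes are assumed: VPC Flow Logs
in the default (version 2) format and CloudTrail-style ConsoleLogin events.
All records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records. Field order (default format):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51432 443 6 4210 3812000 1767225600 1767239999 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51988 443 6 3900 3550000 1767240000 1767254399 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.10 40000 443 6 12 2400 1767225700 1767225720 ACCEPT OK
2 111122223333 eni-0a1b2c3d 192.0.2.55 10.0.1.10 44444 22 6 8 1200 1767225800 1767225805 REJECT OK
"""

# Constructed sign-in events (subset of CloudTrail ConsoleLogin fields).
LOGINS = [
    {"eventTime": "2025-12-20T09:00:00Z", "user": "build-svc", "sourceIPAddress": "198.51.100.60", "result": "Success"},
    {"eventTime": "2026-01-01T08:15:00Z", "user": "ops-admin", "sourceIPAddress": "198.51.100.23", "result": "Success"},
    {"eventTime": "2026-01-02T11:05:00Z", "user": "build-svc", "sourceIPAddress": "192.0.2.99", "result": "Success"},
    {"eventTime": "2026-01-03T02:41:00Z", "user": "ops-admin", "sourceIPAddress": "203.0.113.7", "result": "Success"},
    {"eventTime": "2026-01-03T02:43:00Z", "user": "build-svc", "sourceIPAddress": "203.0.113.7", "result": "Failure"},
]

APPLIANCE_IPS = {"10.0.1.10"}   # assumed private IPs of the appliance EC2 instances
MGMT_PORTS = {22, 443, 8443}     # assumed management ports for that appliance


def parse_flow_logs(text):
    """Parse default-format (v2) VPC Flow Log lines into dicts."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[13] != "OK":
            continue  # skip headers and NODATA/SKIPDATA rows
        records.append({
            "src": f[3], "dst": f[4], "dstport": int(f[6]), "bytes": int(f[9]),
            "start": int(f[10]), "end": int(f[11]), "action": f[12],
        })
    return records


def sustained_peers(records, min_seconds=3600, min_bytes=1_000_000):
    """Map external source IP -> (active_seconds, bytes, first_seen_epoch) for accepted
    sessions to an appliance management port that exceed both thresholds.

    Each flow record covers one aggregation window, so summing (end - start) per
    source approximates how long it kept a session open."""
    agg = defaultdict(lambda: [0, 0, None])
    for r in records:
        if r["dst"] not in APPLIANCE_IPS or r["dstport"] not in MGMT_PORTS or r["action"] != "ACCEPT":
            continue
        a = agg[r["src"]]
        a[0] += r["end"] - r["start"]
        a[1] += r["bytes"]
        a[2] = r["start"] if a[2] is None else min(a[2], r["start"])
    return {ip: tuple(v) for ip, v in agg.items() if v[0] >= min_seconds and v[1] >= min_bytes}


def replayed_logins(logins, peers):
    """Flag sign-ins that (a) come from an IP that held a sustained session to the
    appliance, failed attempts included, or (b) succeed from an address the account
    had never used before, after the earliest sustained session began."""
    compromise_t = None
    if peers:
        compromise_t = datetime.fromtimestamp(min(p[2] for p in peers.values()), tz=timezone.utc)
    seen_ips = defaultdict(set)
    flagged = []
    for ev in sorted(logins, key=lambda e: e["eventTime"]):
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        user, ip = ev["user"], ev["sourceIPAddress"]
        if ip in peers:
            flagged.append((user, ip, "source IP held a sustained session to the edge device"))
        elif (compromise_t and t > compromise_t and ev["result"] == "Success"
              and seen_ips[user] and ip not in seen_ips[user]):
            flagged.append((user, ip, "first sign-in from a new address after edge-device compromise"))
        seen_ips[user].add(ip)
    return flagged


if __name__ == "__main__":
    peers = sustained_peers(parse_flow_logs(FLOW_LOGS))
    for ip, (secs, nbytes, first) in peers.items():
        print(f"sustained: {ip} {secs}s {nbytes}B since {datetime.fromtimestamp(first, tz=timezone.utc):%Y-%m-%d}")
    for user, ip, why in replayed_logins(LOGINS, peers):
        print(f"flag: {user} from {ip}: {why}")
```

With the constructed data, 203.0.113.7 is the only sustained peer (two consecutive windows, roughly eight hours and 7 MB in total), and three sign-ins are flagged: both later attempts from that address, and build-svc’s successful login from an address it had never used. The second rule is noisy on its own (travel, new VPN egress) and only becomes useful once it is gated on the flow-log evidence that an appliance was being held open.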
The continued targeting of critical infrastructure by groups such as Sandworm shows how the threat is evolving. As organisations rely on ever more interconnected systems, the security of network edge devices becomes paramount. The move from exploiting vulnerabilities to abusing misconfigurations is pragmatic on the attackers’ part: it favours ease of access and stealth. Security leaders should prioritise network segmentation, disciplined configuration management, and continuous monitoring. Concretely, that means keeping management interfaces off the public internet (restrict them to an administrative network, a bastion host, or a VPN that itself requires MFA), alerting on long-lived inbound sessions to appliance management ports, and flagging authentication from a source address that has never been seen for that account. Organisations in the energy and critical infrastructure sectors should expect the campaign to continue, and should harden publicly exposed management interfaces and improve detection of anomalous authentication patterns now rather than after the next replay attempt.
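As an added example (not from AWS or the report), the following Python audits EC2 security groups for management ports reachable from the internet and produces a restricted copy. The group definitions are constructed in the shape of an ec2:DescribeSecurityGroups response; the set of management ports and the admin CIDR are assumptions to tailor to the appliance in use. The UDP/500 (IKE) rule is deliberately left alone, since a VPN gateway legitimately accepts tunnel setup from anywhere: the point is that tunnel termination and management are different exposures, and only the latter has to be closed.

```python
"""Audit EC2 security groups for management ports exposed to the internet, and
produce a restricted copy.

Added example, not AWS tooling. Group definitions are constructed in the shape
of an ec2:DescribeSecurityGroups response; MGMT_PORTS and the admin CIDR are
assumptions to tailor to the appliance in use.
"""
import copy
import ipaddress

MGMT_PORTS = {22, 443, 3389, 8443}   # assumed management ports; adjust per appliance

# Constructed groups: an open firewall-management group, an "allow all" group,
# and a correctly scoped one. UDP/500 (IKE) is a legitimate public listener for
# a VPN gateway and is deliberately not treated as a management port.
SECURITY_GROUPS = [
    {"GroupId": "sg-0bad", "GroupName": "fw-mgmt-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0all", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0good", "GroupName": "fw-mgmt-admin-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def is_internet_exposed(cidr):
    """True for any-address rules (/0) and for ranges outside private/loopback/link-local space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not (net.is_private or net.is_loopback or net.is_link_local)


def _tcp_span(perm):
    """Port span a rule admits for TCP, or None if the rule cannot carry TCP management traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return 0, 65535   # all traffic: the API response carries no FromPort/ToPort keys
    if proto == "tcp":
        return perm["FromPort"], perm["ToPort"]
    return None


def _rule_ranges(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def exposed_management_rules(groups, mgmt_ports=MGMT_PORTS):
    """Return (group_id, port, cidr) for every management port reachable from an exposed range."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            span = _tcp_span(perm)
            if span is None:
                continue
            lo, hi = span
            ports = [p for p in sorted(mgmt_ports) if lo <= p <= hi]
            for cidr in _rule_ranges(perm):
                if is_internet_exposed(cidr):
                    findings.extend((g["GroupId"], p, cidr) for p in ports)
    return findings


def restrict_management_rules(groups, admin_cidrs, mgmt_ports=MGMT_PORTS):
    """Return a deep copy in which exposed sources on management-port rules are replaced
    by the admin networks. Exposed IPv6 sources are dropped, since no IPv6 admin range
    is assumed here. Non-TCP rules (e.g. IKE on UDP/500) are left untouched."""
    fixed = copy.deepcopy(groups)
    for g in fixed:
        for perm in g.get("IpPermissions", []):
            span = _tcp_span(perm)
            if span is None or not any(span[0] <= p <= span[1] for p in mgmt_ports):
                continue
            v4 = perm.get("IpRanges", [])
            keep = [r for r in v4 if not is_internet_exposed(r["CidrIp"])]
            if len(keep) != len(v4):
                keep += [{"CidrIp": c, "Description": "admin network (assumed)"} for c in admin_cidrs]
            perm["IpRanges"] = keep
            perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if not is_internet_exposed(r["CidrIpv6"])]
    return fixed


if __name__ == "__main__":
    for gid, port, cidr in exposed_management_rules(SECURITY_GROUPS):
        print(f"EXPOSED {gid}: tcp/{port} from {cidr}")
    fixed = restrict_management_rules(SECURITY_GROUPS, ["10.20.0.0/16"])
    print("after restriction:", exposed_management_rules(fixed))
```

Run against the constructed groups, the audit reports six findings: HTTPS and SSH on sg-0bad, and all four management ports on the allow-all group, while the admin-only group and both IKE rules pass. Note that an "allow all" rule is rewritten wholesale, which also narrows any non-management port it covered; in a real environment that rule should be split into explicit per-service entries before the change is applied.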

