A Russia-linked hacker group has been targeting critical infrastructure organizations using vulnerabilities in their edge devices since at least 2021, highlighting an alarming shift toward exploiting well-known flaws in common networking equipment, Amazon’s threat intelligence team said Monday.
“The threat actor’s shift [toward edge devices] represents a concerning evolution,” Amazon researchers wrote in a blog post. “While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation.”
After compromising these devices, the attackers intercepted network traffic containing login credentials and used those credentials to access cloud platforms and further entrench themselves in victim environments, according to the report.
Edge devices, including firewalls and network management interfaces, represent a growing and underappreciated source of risk for organizations. Cisco, Palo Alto Networks, Ivanti and Fortinet have repeatedly disclosed serious vulnerabilities in their edge devices over the past year. Monday’s report from Amazon supplements previous research showing that China and other nation-state hackers favor edge devices as initial access vectors.
By targeting edge devices with known but unpatched flaws instead of trying to find and exploit new vulnerabilities, Amazon said, the Russia-linked hackers significantly reduced their workload and their chances of being discovered while maintaining “the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure.”
Amazon researchers linked the hackers to Russia’s military intelligence agency, the GRU, based on infrastructure and targeting that overlapped with Russia’s notorious Sandworm campaign against critical infrastructure in Ukraine and elsewhere. The hackers primarily targeted electric utilities, managed service providers specializing in the energy sector, telecommunications companies, cloud collaboration platforms and source-code databases. Most of the victims were in North America, Europe and the Middle East.
“The targeting demonstrates sustained focus on the energy sector supply chain,” Amazon said, “including both direct operators and third-party service providers with access to critical infrastructure networks.”
Preventive cyber defense measures
To avoid becoming the next victim of this strategy, Amazon said, organizations should immediately inspect all of their edge devices for signs that attackers have compromised them and are using them to intercept network traffic. Businesses should also enforce strong authentication, segment their networks, review suspicious login attempts and reduce devices’ unnecessary internet exposure.
Amazon encouraged organizations in the energy sector to check for login attempts from a provided list of indicators of compromise.
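As an added illustration of the two defensive checks above (reviewing suspicious login attempts and screening them against an indicator-of-compromise list), the following Python script is not from Amazon's report or blog post. It assumes a generic key=value authentication log format and an IoC list of IP addresses and CIDR ranges; the log lines and indicators below are constructed, using RFC 5737 documentation addresses as placeholders, not the real indicators Amazon published.

```python
"""Constructed example: screen login events against an IoC list of IPs/CIDRs.

Assumptions (not taken from the Amazon report): login events are one-line
key=value records, and the IoC list holds IPv4 addresses or CIDR ranges.
All addresses here are RFC 5737 documentation ranges used as placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder IoC list (documentation addresses only).
IOC_LIST = [
    "203.0.113.45",
    "198.51.100.0/24",
]

# Constructed sample authentication log in a generic key=value shape.
SAMPLE_LOG = """\
2025-10-01T08:12:03Z auth user=ops.admin src=203.0.113.45 result=success method=password
2025-10-01T08:12:40Z auth user=ops.admin src=10.20.30.40 result=success method=mfa
2025-10-01T09:01:17Z auth user=svc.backup src=198.51.100.77 result=failure method=password
2025-10-01T09:01:22Z auth user=svc.backup src=198.51.100.77 result=success method=password
2025-10-01T09:30:00Z auth user=jdoe src=192.0.2.10 result=failure method=password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) method=(?P<method>\S+)$"
)


def compile_iocs(iocs):
    """Turn plain IPs and CIDR strings into network objects for containment tests."""
    return [ipaddress.ip_network(ioc, strict=False) for ioc in iocs]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_logins(log_text, iocs):
    """Return login events whose source address falls inside any IoC network.

    Each hit carries the matched indicator so an analyst can pivot on it.
    Unparseable lines and malformed addresses are skipped rather than failing
    the whole run, which matters when scanning large, mixed-format logs.
    """
    networks = compile_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        try:
            addr = ipaddress.ip_address(event["src"])
        except ValueError:
            continue
        for net in networks:
            if addr in net:
                hits.append({**event, "ioc": str(net)})
                break
    return hits


def summarize(hits):
    """Count successes and failures per indicator; successful logins from an
    indicator are the ones to triage first, since a failure alone may be noise."""
    acc = defaultdict(lambda: {"success": 0, "failure": 0, "users": set()})
    for h in hits:
        acc[h["ioc"]][h["result"]] += 1
        acc[h["ioc"]]["users"].add(h["user"])
    return {
        ioc: {"success": v["success"], "failure": v["failure"], "users": sorted(v["users"])}
        for ioc, v in acc.items()
    }


if __name__ == "__main__":
    for ioc, counts in summarize(match_logins(SAMPLE_LOG, IOC_LIST)).items():
        print(ioc, counts)
```

Run against a real export, the script would be pointed at the organisation's own authentication logs and the indicator list from the report; the point of the per-indicator summary is that a successful login from a listed address (the first and fourth sample lines here) warrants credential rotation and session review, whereas a lone failure is only a prompt to look closer.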
Users of Amazon’s cloud platform can enable certain features to restrict user access, scan for vulnerabilities and log suspicious activity, the company said.
