Russian GRU hackers favor misconfigured devices over vulnerabilities – Hackread – Cybersecurity News, Data Breaches, AI, and More


Russian state-sponsored threat actors linked to the GRU (Glavnoye Razvedyvatelnoye Upravleniye, or Main Intelligence Directorate) are increasingly breaching critical infrastructure networks by exploiting basic configuration mistakes rather than software vulnerabilities, according to new research from Amazon Threat Intelligence.

Amazon attributes the activity with high confidence to Sandworm, also tracked as APT44 and Seashell Blizzard. The campaign has targeted energy providers and other critical infrastructure organisations across North America and Europe since at least 2021. Amazon also identified infrastructure overlap with a group Bitdefender tracks as Curly COMrades, which appears to handle post-compromise activity.

Between 2021 and 2024, the attackers frequently relied on exploiting known and zero-day vulnerabilities to gain access. Amazon observed exploitation of flaws in WatchGuard firewalls, Atlassian Confluence, and Veeam backup software. In 2025, that activity declined sharply and was replaced by sustained targeting of misconfigured network edge devices.

The attackers focused on enterprise routers, VPN gateways, and network management appliances with exposed or poorly secured management interfaces. Many of these devices were customer-owned appliances running in cloud environments, including on AWS. Amazon stated the activity was caused by customer misconfiguration rather than weaknesses in AWS infrastructure.

After gaining access, the group harvested user credentials and later attempted to reuse them against victim organisations’ online services. Amazon assessed that credentials were likely collected through passive traffic interception using packet capture features on compromised devices. Subsequent credential replay attempts targeted collaboration platforms, source code repositories, and telecom services.

The campaign maintained a strong focus on the energy sector and its supply chain, including electric utilities, managed service providers, and supporting technology firms. Targeting was observed globally, with activity across North America, Europe, and the Middle East.

According to a blog post by CJ Moses, the CISO of Amazon, the company also documented long-term use of compromised legitimate servers as proxy infrastructure. The company cautioned that listed indicators of compromise should be investigated in context rather than blocked outright, as the systems may still host legitimate services.

Security professionals say the findings highlight a deliberate move toward lower-risk access methods. Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, said misconfigured edge devices and weak identity controls provide reliable access that blends in with normal administrative activity and is harder to detect.

Shane Barney, Chief Information Security Officer at Keeper Security, said the activity reinforces the value of basic security practices. He advised organisations to prioritise routine audits of network edge devices, eliminate exposed management interfaces, and monitor for unusual administrative access. He also warned that credential replay remains a primary risk once edge devices are compromised.

Amazon urged organisations to audit network edge devices, review authentication logs for credential reuse, and monitor administrative access from unexpected locations. For AWS environments, the company recommended restricting security group access, isolating management interfaces, enabling logging and threat detection services, and regularly scanning instances for exposure.
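One way to carry out the security-group part of that audit, as an added example rather than code from Amazon or the article: it walks security-group rules (in the JSON shape returned by `aws ec2 describe-security-groups`, using constructed sample data here) and flags management ports reachable from 0.0.0.0/0 or ::/0. The management-port list is an assumption to tune to the devices actually deployed.

```python
"""Flag security-group rules exposing management ports to the internet. Added example,
not Amazon's code; input mirrors `aws ec2 describe-security-groups` JSON (constructed)."""
import ipaddress

# Ports typically used by router/VPN/appliance management interfaces.
# Assumption: tune this list to the devices actually deployed in your estate.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 443: "https-admin",
                    3389: "rdp", 4443: "vpn-admin", 8443: "https-admin-alt"}

# Constructed sample: one group leaks SSH to the world, one allows all traffic over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "edge-router-mgmt",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "vpn-gateway",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def _world_reachable(rule):
    """True if any source CIDR on the rule is a /0 (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def _management_ports_in(rule):
    """Management ports covered by one rule; protocol '-1' means every port."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        return set(MANAGEMENT_PORTS)
    if proto not in ("tcp", "udp"):  # icmp and others carry no TCP/UDP ports
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}

def find_exposed_management(groups):
    """Return (group id, port, service) for every management port open to a /0 source."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if _world_reachable(rule):
                for port in sorted(_management_ports_in(rule)):
                    findings.append((sg["GroupId"], port, MANAGEMENT_PORTS[port]))
    return findings

if __name__ == "__main__":
    for group_id, port, service in find_exposed_management(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (port {port}) reachable from the internet")
```

Feed it the real `describe-security-groups` output (the `SecurityGroups` list) and any finding is a candidate for the "exposed management interface" class of misconfiguration the article describes; a clean result still does not cover interfaces reached through a load balancer or a permissive NACL.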
