
A Russian state-sponsored hacking group has been targeting network edge devices in Western critical infrastructure since 2021, with operations intensifying throughout 2025.
The campaign, linked to Russia’s Main Intelligence Directorate (GRU) and the notorious Sandworm group, represents a major shift in tactics.
Instead of focusing on exploiting software vulnerabilities, the hackers now target misconfigured customer network devices whose management interfaces are exposed to the internet.
This approach yields the same outcomes—persistent access and credential theft—while making detection much more difficult.
The attackers specifically focus on energy sector organizations across North America and Europe, along with critical infrastructure providers.
They compromise enterprise routers, VPN gateways, and network management devices hosted on cloud platforms.
By sitting on these devices, the hackers are positioned to intercept user credentials in the traffic that transits them, which they subsequently use to access victim organizations' online services and internal systems.
AWS analysts identified this campaign through their threat intelligence telemetry, observing coordinated attacks against customer network edge devices hosted on Amazon Web Services.
The compromises occurred not because of AWS security flaws, but due to customer misconfigurations that left management interfaces exposed to the internet.
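The misconfiguration at the root of these compromises, a management interface reachable from the whole internet, is easy to check for in an account. The following is an added example written for this page, not AWS tooling or anything from the report: it inspects EC2 security-group rules in the shape that boto3's describe_security_groups() returns and flags appliance management ports open to 0.0.0.0/0 or ::/0. The port list and the three sample groups are constructed assumptions; adapt the ports to the appliances actually deployed.

```python
"""Audit EC2 security groups for appliance management ports open to the
whole internet, the misconfiguration this campaign relies on.

Added example, not AWS tooling. Group dicts follow the shape boto3's
describe_security_groups() returns; the groups below are constructed and the
port list is an assumption to adapt to the appliances actually deployed.
"""
import ipaddress

# Assumption: ports that typically carry an appliance's management plane
# (SSH, SNMP, HTTPS admin UI and the alternate HTTPS ports many vendors use).
MANAGEMENT_PORTS = {22, 161, 443, 4443, 8080, 8443, 10443}


def is_world_cidr(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule, port):
    """Does one IpPermissions entry admit traffic to `port`?"""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_sources(rule):
    """CIDR sources in a rule that cover the entire internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_world_cidr(c)]


def exposed_management_ports(group):
    """Sorted (port, source_cidr) pairs where a management port is world-reachable."""
    findings = set()
    for rule in group.get("IpPermissions", []):
        sources = world_sources(rule)
        if not sources:
            continue
        for port in MANAGEMENT_PORTS:
            if rule_covers_port(rule, port):
                findings.update((port, src) for src in sources)
    return sorted(findings)


def audit(groups):
    """Map GroupId -> findings for every group with at least one exposure."""
    report = {}
    for group in groups:
        findings = exposed_management_ports(group)
        if findings:
            report[group["GroupId"]] = findings
    return report


# Constructed sample groups (not real account data).
SAMPLE_GROUPS = [
    {   # VPN appliance: SSH from anywhere and admin UI from any IPv6 host
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # Router management reachable only from the corporate range: fine
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # "All traffic from anywhere": every management port is exposed
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS).items():
        print(gid, findings)
```

Against a live account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `audit()`. Port 443 is deliberately in the list even though it is often a legitimate user-facing VPN portal: the point is to force a review of whether the admin UI shares that port, which is exactly the case the campaign exploits.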
Network analysis revealed persistent connections from attacker-controlled IP addresses to compromised EC2 instances running network appliance software, indicating interactive access and ongoing data collection.
The campaign timeline shows a clear evolution. Between 2021 and 2022, the attackers exploited WatchGuard Firebox appliances via CVE-2022-26318. In 2022-2023, they targeted Atlassian Confluence through CVE-2021-26084 and CVE-2023-22518.
By 2024, exploitation of Veeam Backup & Replication via CVE-2023-27532 had become prevalent. Throughout 2025, the hackers kept a sustained focus on misconfigured devices while reducing their investment in vulnerability exploitation, a strategic shift toward easier targets.
Credential Harvesting and Replay Operations
The attackers use packet capture capabilities to harvest credentials from compromised network devices.
Once they gain access to a network edge device, they intercept authentication traffic passing through it.
The time gap between device compromise and the first credential replay attempts suggests passive collection, waiting for users to authenticate through the device, rather than active theft from the device itself.
The hackers capture victim organization credentials—not just device passwords—as users authenticate to various services through the compromised infrastructure.
After collecting credentials, the attackers systematically replay them against victim organizations’ online services, including collaboration platforms, source code repositories, and cloud management consoles.
AWS researchers repeatedly observed this pattern: device compromise, followed by authentication attempts using stolen credentials against the victim’s cloud services and enterprise applications.
The attackers established connections to authentication endpoints across multiple sectors, including electric utilities, energy providers, managed security providers, and telecommunications companies spanning North America, Europe, and the Middle East.
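The network analysis described earlier (persistent connections from attacker-controlled addresses to appliance instances) and the compromise-then-replay pattern above are two signals a defender can join. The following is an added example written for this page, not the telemetry logic AWS used: it reads VPC flow log version-2 records to find external hosts holding sustained connections to an appliance's management port, then looks for CloudTrail ConsoleLogin events from those same hosts afterwards. The appliance ENI id, the port list, the persistence threshold, the flow-log lines and the CloudTrail events are all constructed.

```python
"""Correlate a long-lived external connection to an appliance management port
(VPC flow logs) with later console sign-ins from the same address (CloudTrail
ConsoleLogin events). Added example, not AWS's detection logic; the ENI id,
thresholds and every log record below are constructed.
"""
import ipaddress
from datetime import datetime, timezone

APPLIANCE_ENIS = {"eni-0a1b2c3d4e5f60001"}   # assumption: ENIs of the appliance instances
MANAGEMENT_PORTS = {22, 443, 8443}            # assumption: appliance management ports
PERSISTENCE_SECONDS = 3600                    # assumption: what counts as "sustained"

# Assumption: the organisation's internal ranges (RFC1918 plus loopback and
# link-local). ipaddress.is_global is not used on purpose: it classes the
# documentation ranges used in the sample data as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def persistent_external_sessions(flow_lines):
    """Return {srcaddr: (first_start, total_seconds)} for external hosts whose
    accepted flows to an appliance management port add up to the threshold.
    Fields (version-2 record): version account-id interface-id srcaddr dstaddr
    srcport dstport protocol packets bytes start end action log-status.
    start/end are the aggregation window, so the sum is an approximation."""
    totals = {}
    for line in flow_lines:
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        eni, src, dport = f[2], f[3], int(f[6])
        start, end, action = int(f[10]), int(f[11]), f[12]
        if eni not in APPLIANCE_ENIS or dport not in MANAGEMENT_PORTS:
            continue
        if action != "ACCEPT" or not is_external(src):
            continue
        first, secs = totals.get(src, (start, 0))
        totals[src] = (min(first, start), secs + (end - start))
    return {ip: v for ip, v in totals.items() if v[1] >= PERSISTENCE_SECONDS}


def _epoch(event_time):
    """CloudTrail eventTime (ISO-8601 UTC) -> Unix seconds."""
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc).timestamp()


def replayed_logins(events, sessions):
    """ConsoleLogin attempts (success or failure) from an address that earlier
    held a persistent session on the appliance, as
    [(userName, sourceIPAddress, outcome)] in input order."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ip = ev.get("sourceIPAddress")
        if ip not in sessions or _epoch(ev["eventTime"]) < sessions[ip][0]:
            continue
        hits.append((ev.get("userIdentity", {}).get("userName"), ip,
                     ev.get("responseElements", {}).get("ConsoleLogin")))
    return hits


# Constructed sample data (documentation-range addresses, made-up account id).
SAMPLE_FLOW_LINES = [
    # attacker host: two back-to-back hours on the admin port
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.10 51234 8443 6 1800 240000 1700000000 1700003600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.10 51234 8443 6 1750 230000 1700003600 1700007200 ACCEPT OK",
    # short VPN user session on 443: below the threshold
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 40000 443 6 300 50000 1700001000 1700001600 ACCEPT OK",
    # internal admin on SSH for a long time: not external
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.5 10.0.1.10 53000 22 6 9000 700000 1700000000 1700009000 ACCEPT OK",
    # blocked probe from the attacker host: REJECT does not count
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.10 51235 22 6 3 180 1700000000 1700000060 REJECT OK",
]

SAMPLE_CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "eventTime": "2023-11-15T03:28:10Z",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventTime": "2023-11-15T03:30:00Z",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2023-11-15T08:00:00Z",
     "sourceIPAddress": "192.0.2.9",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "eventTime": "2023-11-15T03:31:00Z",
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"userName": "ops-admin"}},
]

if __name__ == "__main__":
    sessions = persistent_external_sessions(SAMPLE_FLOW_LINES)
    for hit in replayed_logins(SAMPLE_CLOUDTRAIL, sessions):
        print("credential replay suspected:", hit)
```

The same-address join is the high-confidence case; replay from separate infrastructure (the third sign-in above, from 192.0.2.9) is not caught by it, so in practice the second stage should also baseline each user's usual source addresses and treat any new address appearing after the appliance contact began as suspect.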
The WatchGuard exploitation demonstrated the attackers' technical approach. The captured exploit payload shows how they encrypted stolen configuration files with Fernet (the symmetric authenticated-encryption recipe from the Python cryptography library), exfiltrated them over TFTP to compromised staging servers, and deleted the temporary files afterwards to remove evidence.
This methodology reveals careful attention to operational security and anti-forensics.
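Fernet output has a fixed, documented framing, which is useful when triaging blobs recovered from a TFTP capture: even without the key, a token reveals when it was created, and if the key was recovered from the exploit payload the HMAC can be checked before attempting decryption. The following is an added example written for this page, not the captured payload or anything from the report. It relies only on the published Fernet layout (0x80, 64-bit big-endian timestamp, 16-byte IV, AES-128-CBC ciphertext, HMAC-SHA256 over everything before it, base64url-encoded; the key's first 16 bytes sign, the last 16 encrypt). The key, token and capture fragment are constructed, and the sample ciphertext is placeholder bytes rather than real AES output.

```python
"""Triage helper for blobs pulled out of an exfiltration capture: recognise
Fernet tokens and recover what they leak without the key.

Added example, not the captured payload. The layout is the published Fernet
format: 0x80 | 64-bit BE timestamp | 16-byte IV | AES-128-CBC ciphertext |
HMAC-SHA256 over the preceding bytes, all base64url-encoded; the 32-byte key is
signing half || encryption half. Key, token and capture below are constructed.
"""
import base64
import hashlib
import hmac
import re
import struct
from datetime import datetime, timezone

# Every token starts with base64url(0x80 0x00 0x00 0x00 0x00 ...) = "gAAAAA"
# (true for any timestamp below 2**32) and is at least 73 raw bytes long,
# i.e. 100 base64 characters.
TOKEN_RE = re.compile(rb"gAAAAA[A-Za-z0-9_-]{90,}={0,2}")


def find_fernet_tokens(data):
    """Return candidate Fernet tokens found anywhere in a byte blob."""
    return [m.group(0) for m in TOKEN_RE.finditer(data)]


def parse_fernet_token(token, key=None):
    """Dissect a token: creation time, IV, ciphertext length and, if a key was
    recovered from the payload, whether the HMAC verifies under it.
    Returns None when the bytes are not a structurally valid token."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < 1 + 8 + 16 + 16 + 32 or raw[0] != 0x80:
        return None
    ts = struct.unpack(">Q", raw[1:9])[0]
    iv, ciphertext, mac = raw[9:25], raw[25:-32], raw[-32:]
    if len(ciphertext) % 16:
        return None                      # CBC output is whole blocks
    try:
        created = datetime.fromtimestamp(ts, timezone.utc)
    except (OverflowError, OSError, ValueError):
        created = None                   # forged or absurd timestamp
    info = {"created": created, "iv": iv.hex(),
            "ciphertext_len": len(ciphertext), "hmac_valid": None}
    if key is not None:
        signing_key = base64.urlsafe_b64decode(key)[:16]
        expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
        info["hmac_valid"] = hmac.compare_digest(expected, mac)
    return info


# --- constructed sample: a throwaway key and a structurally valid token ------
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))


def build_sample_token(timestamp=1700000000, key=SAMPLE_KEY, blocks=3):
    """Token with placeholder (all-zero) ciphertext. A real payload carries
    AES-CBC output, but the framing and HMAC are exactly as Fernet produces."""
    body = (b"\x80" + struct.pack(">Q", timestamp)
            + bytes(range(16)) + bytes(16 * blocks))
    signing_key = base64.urlsafe_b64decode(key)[:16]
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


# Constructed capture fragment: a TFTP DATA header (opcode 3, block 1) around a token.
SAMPLE_CAPTURE = b"\x00\x03\x00\x01" + build_sample_token() + b"\r\nEND"

if __name__ == "__main__":
    for tok in find_fernet_tokens(SAMPLE_CAPTURE):
        print(parse_fernet_token(tok, SAMPLE_KEY))
```

The embedded timestamp is the moment the attacker tooling encrypted the file on the appliance, an independent anchor for the intrusion timeline even after the temporary files have been deleted. With the recovered key in hand, `cryptography.fernet.Fernet(key).decrypt(token)` performs the actual decryption; the helper above deliberately stops at verification.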
