Russian state-sponsored hackers are intensifying attacks on misconfigured network edge devices across Western critical infrastructure, marking a significant tactical shift as 2025 comes to a close.
According to new insights from Amazon Threat Intelligence, this campaign, linked with high confidence to Russia’s Main Intelligence Directorate (GRU) and the Sandworm/APT44/Seashell Blizzard cluster, has deprioritized overt vulnerability exploitation in favor of quietly abusing exposed, misconfigured customer devices to gain persistent access, harvest credentials, and move laterally into critical systems.
Instead of relying primarily on high‑profile zero-days or N-day exploits, threat actors have focused on the “low-hanging fruit” of misconfigured routers, VPN concentrators, remote access gateways, and network management appliances with exposed management interfaces.
This approach delivers the same strategic benefits (persistent access to critical networks and high-value credentials) while reducing operational risk and detection exposure.
Attack Methods and Techniques
Amazon’s telemetry shows that between 2021 and 2025, the campaign steadily evolved. Early phases involved exploiting known vulnerabilities in WatchGuard devices (CVE-2022-26318) and Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), followed later by Veeam exploitation (CVE-2023-27532).
By 2025, however, the emphasis shifted decisively toward sustained targeting of misconfigured customer network edge devices, with a corresponding decline in observable zero‑day and N‑day exploitation activity.
The primary targets are energy sector organizations and critical infrastructure providers across North America and Europe, alongside organizations with cloud-hosted network infrastructure.
Commonly targeted resources include enterprise routing infrastructure, VPN gateways, network appliances, collaboration and wiki platforms, and cloud-based project management systems.
The campaign also extends to telecommunications operators and technology/cloud service providers, with a geographic footprint spanning North America, Western and Eastern Europe, and the Middle East, reflecting a broad focus on the energy supply chain and its key service providers.
While the precise credential extraction mechanism has not been directly observed, multiple indicators suggest packet capture and traffic analysis as the dominant technique.
Time gaps between device compromise and later authentication attempts, the use of victim organization (rather than device) credentials, and Sandworm’s known history of network traffic interception all point to passive harvesting of authentication data from compromised network edge devices.
Amazon reports coordinated operations against customer network edge devices hosted on AWS, stressing that the root cause was misconfiguration rather than any flaw in AWS itself.
Actor-controlled IPs maintained persistent, interactive connections to compromised EC2 instances running customers’ network appliance software, likely facilitating packet capture and data retrieval.
Stolen credentials were then replayed against victim organizations’ online services and infrastructure, including authentication endpoints for energy utilities, managed security providers, collaboration platforms, source code repositories, and telecom operators.
Some observed attempts were unsuccessful, but the pattern clearly illustrates a credential replay model for follow‑on access.
Infrastructure overlaps with the “Curly COMrades” activity reported by Bitdefender suggest a broader, modular GRU campaign.
While Bitdefender highlights post-compromise host-based tradecraft such as Hyper‑V abuse and custom implants (CurlyShell/CurlCat), Amazon’s visibility centers on initial access and cloud pivots.
This division of labor (one cluster focusing on network entry and another on persistence and evasion) aligns with established GRU operational patterns.
Mitigations
In response, Amazon has notified affected customers, enabled remediation of compromised EC2 resources, and shared intelligence with vendors and partners to support broader disruption of this activity.
Going into 2026, organizations are urged to aggressively lock down network edge devices, eliminate exposed management interfaces, enforce strong authentication and segmentation, and monitor closely for credential replay, anomalous access to device administration portals, and suspicious authentication patterns across cloud and on‑premises services.
For AWS customers, Amazon recommends hardening IAM, tightening security groups, isolating management planes, enabling VPC Flow Logs, CloudTrail, and GuardDuty, and leveraging Amazon Inspector for continuous vulnerability and exposure assessment to counter this persistent GRU‑linked threat.
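As an added illustration of the monitoring advice above (not code from Amazon’s report), the following Python parses default-format VPC Flow Log records and flags external sources whose accepted sessions to appliance management ports add up to an hour or more, the “persistent, interactive connection” pattern the article describes. The port list, threshold, appliance address and sample records are assumptions.

```python
import ipaddress
from collections import defaultdict

MGMT_PORTS = {22, 443, 8443, 4443, 10443}  # appliance admin ports (assumed; tune per estate)
ALERT_SECONDS = 3600  # cumulative accepted session time from one external source before alerting
# Internal space (RFC 1918, loopback, link-local), listed explicitly rather than via
# ip.is_private, which would also exclude the documentation ranges used in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(addr):
    return not any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def parse_record(line):
    """Parse a default-format (version 2) VPC Flow Log record; None unless it is an ACCEPT."""
    f = line.split()  # version account eni src dst sport dport proto pkts bytes start end action status
    if len(f) != 14 or f[0] != "2" or f[12] != "ACCEPT":
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]),
            "seconds": int(f[11]) - int(f[10]), "bytes": int(f[9])}

def find_persistent_mgmt_sessions(lines):
    """Map (src, dst, dport) -> totals for external sources whose accepted flows to a
    management port add up to ALERT_SECONDS or more."""
    totals = defaultdict(lambda: {"seconds": 0, "bytes": 0, "records": 0})
    for line in lines:
        r = parse_record(line)
        if r is None or r["dport"] not in MGMT_PORTS or not is_external(r["src"]):
            continue
        t = totals[(r["src"], r["dst"], r["dport"])]
        t["seconds"] += r["seconds"]
        t["bytes"] += r["bytes"]
        t["records"] += 1
    return {k: v for k, v in totals.items() if v["seconds"] >= ALERT_SECONDS}

# Constructed sample records (not real telemetry). Flow logs emit one record per
# aggregation window, so one long session shows up as a chain of records.
def flow_record(src, sport, dport, pkts, byts, window, action="ACCEPT"):
    start = 1700000000 + 600 * window  # assumed 10-minute aggregation windows
    return f"2 123456789012 eni-0a1b2c3d {src} 10.0.1.5 {sport} {dport} 6 {pkts} {byts} {start} {start + 600} {action} OK"

SAMPLE_LOG = (
    [flow_record("203.0.113.7", 51234, 443, 800, 96000, i) for i in range(7)]  # 7 windows = 4200 s
    + [flow_record("198.51.100.9", 40001, 443, 12, 1800, 0)]  # brief external hit, under threshold
    + [flow_record("10.0.2.8", 55000, 22, 500, 64000, i) for i in range(8)]  # internal admin, ignored
    + [flow_record("203.0.113.7", 51235, 8443, 3, 180, 0, "REJECT"),  # blocked probe, ignored
       flow_record("203.0.113.7", 51236, 80, 20, 2400, 0)]  # not a management port, ignored
)

HITS = find_persistent_mgmt_sessions(SAMPLE_LOG)  # {('203.0.113.7', '10.0.1.5', 443): {...}}
```

In production the same aggregation runs over records pulled from the flow log destination (S3 or CloudWatch Logs), and a hit is the cue to inspect that instance’s administration portal and the credentials observed on it.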
