Russian state hackers targeted Western critical infrastructure for years, Amazon says

Pierluigi Paganini
December 17, 2025

Amazon disclosed a years-long Russian state-backed cyber campaign targeting Western critical infrastructure from 2021 to 2025.

Amazon Threat Intelligence reports a long-running Russian state-backed campaign (2021–2025) targeting Western critical infrastructure. Over that period the threat actors shifted from exploiting software vulnerabilities to abusing misconfigured network edge devices, which gave them credential theft and lateral movement at lower operational risk. The researchers attributed the campaign with high confidence to GRU/Sandworm (also tracked as APT44 and Seashell Blizzard), and the attacks heavily targeted the energy sector.

The campaign targeted global critical infrastructure from 2021 to 2025, especially the energy sector. Over those five years the tactics evolved from exploiting WatchGuard Firebox/XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) flaws to primarily abusing misconfigured edge network devices; by 2025, zero-day and N-day exploitation had largely declined.

Targets included Western energy providers, critical infrastructure in North America and Europe, and organizations with cloud-hosted networks. Commonly targeted systems were routers, VPNs, management appliances, collaboration platforms, and cloud services. The shift to abusing exposed management interfaces gives the actor persistent access and credential harvesting at lower operational risk than exploiting a vulnerability. Evidence suggests credentials were collected through passive interception of network traffic, consistent with Sandworm tradecraft.

“Amazon’s telemetry reveals coordinated operations against customer network edge devices hosted on AWS. This was not due to a weakness in AWS; these appear to be customer misconfigured devices. Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software.” reads the report published by Amazon. “Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”

Amazon Threat Intelligence observed coordinated attacks on customer-hosted network edge devices running on AWS, caused by customer misconfigurations rather than AWS flaws. Threat actors maintained persistent access to compromised EC2-hosted appliances, harvesting traffic and replaying stolen credentials against victims’ online services. Targets spanned energy, technology, cloud, and telecom sectors across North America, Europe, and the Middle East, with strong focus on the energy supply chain. The campaign flow involved device compromise, packet capture, credential harvesting, replay attacks, and lateral movement. Infrastructure overlaps suggest coordination with Bitdefender-tracked “Curly COMrades,” indicating complementary GRU subclusters handling network access and host-level persistence.
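The two findings above, an exposed management interface on a customer-run appliance and an actor IP holding persistent connections to it, are both things a defender can check from their own AWS data. The following is an added example written for this article, not code from the Amazon report: it flags security-group rules that open an appliance's management ports to the whole internet, then scans VPC Flow Log records for external sources that keep returning to those ports across many consecutive aggregation windows, which is what a long-lived interactive session looks like in flow data. The security groups, interface mapping and flow-log lines are constructed; the management-port list, the internal address ranges and the thresholds are assumptions to tune per environment.

```python
"""
Added example (not from the Amazon report or this article): offline triage of
AWS-hosted network appliances for (1) management ports exposed to 0.0.0.0/0 and
(2) persistent external connections to those ports seen in VPC Flow Logs.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: ports that are management interfaces on the appliances in scope.
MGMT_PORTS = {22, 443, 4100, 8080, 8443}

# Assumption: the organisation's own address space; anything else is "external".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed security groups, shaped like describe-security-groups output
# (only the fields this script reads).
SECURITY_GROUPS = {
    "sg-edge": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    "sg-app": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
}

# Constructed mapping of network interface -> (instance, security group).
ENI_MAP = {"eni-0aaa": ("i-edge01", "sg-edge"), "eni-0bbb": ("i-app02", "sg-app")}

# Constructed VPC Flow Log v2 records with 600-second aggregation windows. Fields:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.10 51234 8443 6 4200 1880000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.10 51234 8443 6 3900 1750000 1700000600 1700001200 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.10 51234 8443 6 4100 1810000 1700001200 1700001800 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.10 51234 8443 6 4300 1900000 1700001800 1700002400 ACCEPT OK
2 123456789012 eni-0aaa 192.0.2.44 10.0.1.10 40001 443 6 12 980 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0aaa 10.0.2.5 10.0.1.10 33001 22 6 40 5200 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0bbb 198.51.100.7 10.0.1.20 51300 443 6 8 640 1700000000 1700000600 REJECT OK
"""


def exposed_mgmt_ports(sg):
    """Return the management ports a security group opens to the entire internet."""
    exposed = set()
    for perm in sg["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        if perm["IpProtocol"] == "-1":  # "all traffic" rule exposes every port
            exposed |= MGMT_PORTS
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed |= {p for p in MGMT_PORTS if lo <= p <= hi}
    return exposed


def parse_flow_log(text):
    """Parse VPC Flow Log v2 lines into dicts; skips malformed or non-v2 lines."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        recs.append({"eni": f[2], "src": f[3], "dst": f[4], "dport": int(f[6]),
                     "proto": int(f[7]), "bytes": int(f[9]),
                     "start": int(f[10]), "end": int(f[11]), "action": f[12]})
    return recs


def is_external(addr):
    a = ip_address(addr)
    return not any(a in n for n in INTERNAL_NETS)


def persistent_external_sessions(records, min_windows=3, min_seconds=1800):
    """Group ACCEPTed flows from external sources to exposed management ports by
    (src, instance, dport) and report those seen across enough consecutive
    windows to look like an interactive session rather than a one-off scan."""
    exposed = {sg_id: exposed_mgmt_ports(sg) for sg_id, sg in SECURITY_GROUPS.items()}
    groups = defaultdict(list)
    for r in records:
        if r["action"] != "ACCEPT" or r["eni"] not in ENI_MAP or not is_external(r["src"]):
            continue
        instance, sg_id = ENI_MAP[r["eni"]]
        if r["dport"] not in exposed[sg_id]:
            continue
        groups[(r["src"], instance, r["dport"])].append(r)
    findings = []
    for (src, instance, dport), rs in groups.items():
        span = max(r["end"] for r in rs) - min(r["start"] for r in rs)
        if len(rs) >= min_windows and span >= min_seconds:
            findings.append({"src": src, "instance": instance, "dport": dport,
                             "windows": len(rs), "seconds": span,
                             "bytes": sum(r["bytes"] for r in rs)})
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for sg_id, sg in SECURITY_GROUPS.items():
        if ports := exposed_mgmt_ports(sg):
            print(f"{sg_id}: management ports open to 0.0.0.0/0 -> {sorted(ports)}")
    for f in persistent_external_sessions(parse_flow_log(FLOW_LOGS)):
        print(f"{f['src']} -> {f['instance']}:{f['dport']} persisted {f['seconds']}s "
              f"over {f['windows']} windows, {f['bytes']} bytes")
```

On the constructed data only the edge appliance is flagged: its 443 and 8443 are open to the world, and one external address holds a session on 8443 across four consecutive windows, while the single-window hit on 443 and the internal SSH session are ignored. In production the flow-log lines would come from CloudWatch Logs or S3 and the interface-to-group mapping from describe-network-interfaces; the thresholds are the main thing to tune, since a management session that spans hours is the signal, not any single connection.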

Amazon is actively investigating and disrupting sophisticated threats by notifying affected customers, remediating compromised EC2 instances, sharing intelligence with partners and vendors, and reducing the attack surface through coordinated response efforts.

“Through coordinated efforts, since our discovery of this activity, we have disrupted active threat actor operations and reduced the attack surface available to this threat activity subcluster.” concludes the report. “We will continue working with the security community to share intelligence and collectively defend against state-sponsored threats targeting critical infrastructure.”
