Amazon Uncovers Years-Long Russian GRU Cyber Espionage Campaign Targeting Western Critical Infrastructure
- John Jordan
Amazon's threat intelligence team has revealed a sophisticated, multi-year cyber campaign orchestrated by Russia's GRU, targeting critical infrastructure in Western nations. The operation, spanning from 2021 to 2025, primarily focused on the energy sector, exploiting misconfigured network edge devices as a primary entry point rather than relying heavily on vulnerability exploitation.

Key Takeaways
- GRU-Linked Campaign: High confidence attribution to Russia's Main Intelligence Directorate (GRU), also known as APT44 or Sandworm.
- Tactical Shift: A move from vulnerability exploitation to targeting misconfigured customer network edge devices for initial access.
- Primary Targets: Western energy sector organizations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted infrastructure.
- Objective: Credential harvesting and establishing persistent access for espionage.
- Duration: Operations observed from 2021 through 2025, with continued focus into 2026.
Evolving Tactics of APT44
The GRU-affiliated group, identified as APT44 (also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear), has demonstrated a significant tactical adaptation. Instead of relying on N-day and zero-day vulnerabilities, the threat actor has increasingly targeted misconfigured customer network edge devices with exposed management interfaces. This approach allows for the same outcomes—credential harvesting and lateral movement—while reducing the actor's exposure and resource expenditure.
Campaign Timeline and Exploited Vulnerabilities
The campaign's evolution over five years includes:
- 2021-2022: Exploitation of the WatchGuard Firebox and XTM flaw (CVE-2022-26318) and targeting of misconfigured edge network devices.
- 2022-2023: Exploitation of Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518) and continued targeting of misconfigured edge network devices.
- 2024: Exploitation of the Veeam flaw (CVE-2023-27532) and continued targeting of misconfigured edge network devices.
- 2025: Sustained targeting of misconfigured customer network edge devices, with a decline in vulnerability exploitation.
Methods of Operation
The intrusion activity has targeted enterprise routers, VPN concentrators, remote access gateways, network management appliances, collaboration platforms, and cloud-based project management systems. The attackers leverage native packet capture capabilities on compromised devices to intercept traffic, harvest credentials, and then replay these credentials against victim organizations' online services and infrastructure to establish persistent access for lateral movement.
Amazon observed coordinated attempts against misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure. Actor-controlled IP addresses established persistent connections to compromised EC2 instances running customers' network appliance software, indicating interactive access and data retrieval.
Overlap with Other Threat Clusters
Interestingly, the intrusion set shares infrastructure overlaps with another cluster tracked by Bitdefender as "Curly COMrades." This suggests potential complementary operations within a broader GRU campaign, where one cluster focuses on initial access and compromise, while another handles host-based persistence and evasion.
Amazon's Response and Recommendations
Amazon has identified and notified affected customers, and disrupted active threat actor operations targeting its cloud services. Organizations are strongly advised to:
- Audit all network edge devices for unexpected packet capture utilities and exposed management interfaces.
- Implement strong authentication, including multi-factor authentication (MFA).
- Monitor for authentication attempts from unexpected geographic locations and credential replay attacks.
- Regularly patch and update network devices and software.
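The core of the tradecraft described above is simple: credentials captured on an edge device are replayed against the victim's online services from actor-controlled addresses. The detection the recommendations call for (authentication from unexpected locations and credential replay) can be expressed directly over authentication logs. The following is an added example written for this article; it is not code from Amazon's report or from any of the vendors named. The key=value log format, the sample events, the IP addresses, the per-account country baseline and the 30-minute window are all constructed assumptions.

```python
"""Detect credential replay and unexpected-geography logins in auth logs.

Added example. The log format, field names, IP addresses and geo values are
constructed for illustration and are not taken from Amazon's report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: key=value auth events as a VPN/portal might emit them.
SAMPLE_LOG = """\
2025-03-04T08:02:11Z user=ops.admin src=203.0.113.10 geo=US result=success svc=vpn
2025-03-04T08:09:52Z user=ops.admin src=198.51.100.77 geo=NL result=success svc=vpn
2025-03-04T08:15:03Z user=j.doe src=203.0.113.22 geo=US result=failure svc=portal
2025-03-04T08:15:20Z user=j.doe src=203.0.113.22 geo=US result=success svc=portal
2025-03-04T13:40:00Z user=j.doe src=203.0.113.22 geo=US result=success svc=portal
2025-03-04T21:30:00Z user=ops.admin src=203.0.113.10 geo=US result=success svc=vpn
2025-03-04T21:31:00Z user=svc.backup src=192.0.2.9 geo=DE result=success svc=console
"""

# Constructed baseline: countries that are normal for each account.
EXPECTED_GEO = {"ops.admin": {"US"}, "j.doe": {"US"}, "svc.backup": {"US", "GB"}}

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    geo: str
    result: str
    svc: str


def parse_line(line: str) -> AuthEvent:
    """Parse one '<ISO timestamp> key=value ...' line into an AuthEvent."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, fields["user"], fields["src"], fields["geo"],
                     fields["result"], fields["svc"])


def parse_log(text: str) -> list[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_replay(events, window=timedelta(minutes=30)):
    """Flag a successful login that uses an account from a different source
    address within `window` of that account's previous success. Credentials
    captured on an edge device and replayed from actor infrastructure produce
    exactly this pattern: a valid login, then a second one from elsewhere."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "success":
            by_user[ev.user].append(ev)
    findings = []
    for user, successes in by_user.items():
        for prev, cur in zip(successes, successes[1:]):
            if cur.src != prev.src and cur.ts - prev.ts <= window:
                findings.append((user, prev.src, cur.src, cur.ts))
    return findings


def find_unexpected_geo(events, expected=EXPECTED_GEO):
    """Flag any attempt (success or failure) from a country outside the
    account's baseline. Accounts with no baseline are flagged on every hit,
    so a new or forgotten service account cannot slip through unnoticed."""
    return [(ev.user, ev.src, ev.geo, ev.result) for ev in events
            if ev.geo not in expected.get(ev.user, set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_replay(evs):
        print("REPLAY", f)
    for f in find_unexpected_geo(evs):
        print("GEO", f)
```

On the constructed sample, the two checks surface different things: the replay check catches the ops.admin login from 198.51.100.77 eight minutes after a legitimate one from 203.0.113.10, and the geography check catches both that NL login and the svc.backup login from DE, while the j.doe failure is ignored because it came from an expected country. The replay window is a tuning knob: too short misses slow, patient replay; too long floods on accounts that legitimately roam between networks. In production the baseline should be learned from historical successes rather than hand-written, and the source address compared after normalizing for NAT and VPN egress.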
Geographic Scope and Sector Focus
The credential replay operations have targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. The targeting demonstrates a sustained focus on the energy sector supply chain, including both direct operators and third-party service providers with access to critical infrastructure networks.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure, The Hacker News.
Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure, AWS Security Blog, Amazon Web Services (AWS).
Russia's GRU Behind Years-Long Espionage Campaign Targeting Western Critical Infrastructure, The Cyber Express.
Amazon flags Russian cyber campaign hitting Western energy networks, Beinsure.
Amazon security boss blames Russia's GRU for energy hacks, The Register.