Amazon’s Threat Intelligence division has detailed an extended campaign carried out by Russia’s Main Intelligence Directorate (GRU), targeting cloud-hosted infrastructure and energy sector systems from 2021 through 2025.
The campaign focused on customer misconfigurations, specifically exposed management interfaces on edge network devices, allowing attackers to gain access without deploying noticeable or high-effort exploits.
This prolonged effort, attributed to GRU group APT44 (also known as Sandworm and Seashell Blizzard), involved the use of passive traffic monitoring to collect user credentials, followed by attempts to reuse those credentials against victim organizations’ online platforms.
Amazon linked these operations to other GRU activity through overlaps in data and infrastructure, and took steps to disrupt the ongoing malicious activity while warning affected customers.
Why It Matters: The GRU’s campaign shows how persistent threat actors can achieve long-term network access by taking advantage of overlooked device misconfigurations. Even minor security mistakes can be exploited due to the growing cloud integration of critical infrastructure, enabling entry into high-value environments and putting entire sectors at risk.
- APT44 Operations Prioritized Exploiting Exposed Edge Devices Over Vulnerability Chains: Over a five-year period, attackers systematically exploited weaknesses in customer-deployed networking equipment. While zero-day exploits like those targeting WatchGuard (CVE-2022-26318), Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) were used early on, by 2025, Amazon observed that attackers had largely turned their attention to devices with publicly exposed interfaces and weak configurations. These devices were often located on Amazon Web Services (AWS) infrastructure, though the vulnerabilities stemmed from how customers deployed and configured them, not from AWS itself.
- Passive Credential Collection on Compromised Devices: Amazon discovered that compromised devices were being used to monitor network traffic. This allowed the attackers to extract authentication credentials without having to deploy malware or interact directly with internal systems. For example, threat actor-controlled IPs maintained persistent connections to EC2 instances running customer appliance software. Connections revealed signs of interactive sessions and data retrieval efforts, indicating a methodical approach to gathering sensitive data from network perimeters.
- Credential Replay Attempts Targeted Online Services After Initial Compromise: Once credentials were harvested from network traffic, attackers attempted to authenticate to the online services and platforms used by the original victim organizations. These services included cloud-based collaboration tools, source code repositories, and authentication endpoints. Although Amazon did not observe successful breaches using these replayed credentials, activity showed that the attackers were trying to use stolen login data for further access. The timeline between the initial compromise and later login attempts suggested passive data collection before any use, pointing to a methodical exploitation cycle rather than opportunistic attacks.
- Energy, Telecom, and Cloud Providers Were Primary Focus Areas: The majority of observed attacks focused on infrastructure-related sectors, including electricity providers, managed security service providers supporting the energy industry, telecommunications firms, and cloud service platforms. In many cases, third-party vendors with indirect access to infrastructure systems were targeted as a way to reach the actual operators. Amazon emphasized that the compromise of cloud-hosted network devices belonging to these sectors could give attackers a foothold into environments that manage sensitive operations.
- Connections to Other GRU Activity Suggest Coordination: Amazon identified overlaps between the infrastructure used in this campaign and IP addresses previously linked to “Curly COMrades,” a cluster tracked by Bitdefender. That group is known for post-compromise actions like deploying custom malware and manipulating host systems. Amazon observed that while the campaign’s initial access came via cloud infrastructure and edge devices, the overlapping infrastructure suggested coordination with another group handling post-access operations. This division of labor is consistent with documented patterns in past GRU operations, where different teams specialize in different phases of an attack.
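The first bullet above turns on a customer-side misconfiguration: management interfaces of edge appliances reachable from the whole internet. The following audit is an added illustration (not Amazon's tooling or anything from the report); it walks ingress rules shaped like the IpPermissions structure the EC2 DescribeSecurityGroups API returns and flags any management port open to 0.0.0.0/0 or ::/0. The group ids, the management port list and the 203.0.113.0/24 "corporate" prefix are constructed placeholders.

```python
"""Audit security-group ingress rules for appliance management ports open to the internet.

Added example: the rule shape mirrors the IpPermissions entries returned by EC2
DescribeSecurityGroups, but every group below is constructed for this illustration.
"""
from __future__ import annotations

# Assumption: ports typically used by the admin UI / SSH / SNMP of network and
# security appliances. Tune this set to the appliances actually deployed.
MANAGEMENT_PORTS = {22, 23, 161, 443, 4443, 8080, 8443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(rule: dict) -> list[str]:
    """All IPv4 and IPv6 source ranges of one ingress rule."""
    return [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]


def _management_ports_in(rule: dict) -> set[int]:
    """Management ports covered by the rule's port range (protocol -1 means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return set(MANAGEMENT_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def exposed_management_ports(groups: list[dict]) -> list[tuple[str, int, str]]:
    """Return (group_id, port, cidr) for every management port reachable from the whole internet."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            open_cidrs = [c for c in _cidrs(rule) if c in ANYWHERE]
            if not open_cidrs:
                continue
            for port in sorted(_management_ports_in(rule)):
                for cidr in open_cidrs:
                    findings.append((sg["GroupId"], port, cidr))
    return findings


# Constructed sample: the weak group exposes the appliance admin UI (8443) and SSH
# to everyone; the hardened version allows them only from a placeholder corporate
# management prefix (203.0.113.0/24, a documentation range). The VPN data-plane
# port 1194 stays open in both, because it is not a management interface.
WEAK_GROUP = {
    "GroupId": "sg-0example0weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
HARDENED_GROUP = {
    "GroupId": "sg-0example0hard",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for sg_id, port, cidr in exposed_management_ports([WEAK_GROUP, HARDENED_GROUP]):
        print(f"{sg_id}: management port {port} open to {cidr}")
```

In a real account the same function can be fed the `SecurityGroups` list from a DescribeSecurityGroups call; the point of the check is that a rule for all traffic (`IpProtocol` `-1`) or a wide port range exposes management ports just as surely as an explicit rule for 8443.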
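The second and third bullets describe the observable side of the campaign: external addresses holding long-running, accepted sessions to appliance management ports, followed some time later by logins to the victim's online services from those same addresses. The detection sketch below is an added example, not Amazon's telemetry or detection logic. It parses records in the default VPC flow log field order, flags external sources whose accepted flows to management ports recur across six hours or more, and then lists authentication events from a flagged source that occurred after it was first seen. The management-port set, the persistence threshold, the "internal" prefixes, the authentication line format and every address, account id and timestamp are constructed assumptions.

```python
"""Detect persistent external sessions to appliance management ports in VPC flow
logs and correlate them with later logins from the same source address.

Added example. Flow records follow the default VPC flow log field order
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status); all sample values are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: these are the management ports worth watching, and RFC 1918 space
# is the only "internal" space (replace with the VPC's own CIDRs in practice).
MANAGEMENT_PORTS = {22, 443, 8443}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PERSISTENCE_SECONDS = 6 * 3600   # source keeps returning across at least 6 hours
MIN_RECORDS = 3                  # ...in at least this many accepted flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def persistent_external_sessions(flow_lines):
    """Map each flagged external source IP to (first_seen, last_seen, accepted_flow_count)."""
    windows = defaultdict(list)
    for line in flow_lines:
        f = line.split()
        if len(f) < 14 or f[0] == "version":      # skip header and truncated lines
            continue
        src, dport, start, end, action = f[3], int(f[6]), int(f[10]), int(f[11]), f[12]
        if action != "ACCEPT" or dport not in MANAGEMENT_PORTS or is_internal(src):
            continue
        windows[src].append((start, end))
    flagged = {}
    for src, spans in windows.items():
        first = min(s for s, _ in spans)
        last = max(e for _, e in spans)
        if len(spans) >= MIN_RECORDS and last - first >= PERSISTENCE_SECONDS:
            flagged[src] = (first, last, len(spans))
    return flagged


def correlate_logins(flow_lines, auth_lines):
    """Return (timestamp, user, service, src_ip, outcome) for each authentication event
    from a flagged source after that source was first seen on a management port.
    Auth line format is a constructed one: 'epoch user service src_ip outcome'."""
    suspects = persistent_external_sessions(flow_lines)
    hits = []
    for line in auth_lines:
        ts, user, service, src, outcome = line.split()
        if src in suspects and int(ts) >= suspects[src][0]:
            hits.append((int(ts), user, service, src, outcome))
    return hits


# Constructed sample: 198.51.100.7 returns to the appliance's 8443 over ~7 hours;
# 203.0.113.9 connects once; 192.0.2.44 is only ever rejected; 10.0.2.8 is internal.
FLOW_LOG = [
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status",
    "2 111122223333 eni-0example 198.51.100.7 10.0.1.5 51000 8443 6 40 3000 1700000000 1700000600 ACCEPT OK",
    "2 111122223333 eni-0example 10.0.2.8 10.0.1.5 44010 8443 6 12 900 1700003600 1700003660 ACCEPT OK",
    "2 111122223333 eni-0example 198.51.100.7 10.0.1.5 51002 8443 6 38 2800 1700007200 1700007800 ACCEPT OK",
    "2 111122223333 eni-0example 203.0.113.9 10.0.1.5 60000 443 6 5 400 1700010000 1700010060 ACCEPT OK",
    "2 111122223333 eni-0example 192.0.2.44 10.0.1.5 40001 22 6 1 60 1700012000 1700012000 REJECT OK",
    "2 111122223333 eni-0example 192.0.2.44 10.0.1.5 40002 22 6 1 60 1700012100 1700012100 REJECT OK",
    "2 111122223333 eni-0example 192.0.2.44 10.0.1.5 40003 22 6 1 60 1700012200 1700012200 REJECT OK",
    "2 111122223333 eni-0example 198.51.100.7 10.0.1.5 51004 8443 6 41 3100 1700018000 1700018600 ACCEPT OK",
    "2 111122223333 eni-0example 198.51.100.7 10.0.1.5 51006 8443 6 39 2900 1700025200 1700025800 ACCEPT OK",
]
AUTH_LOG = [
    "1700031000 alice code-repo 198.51.100.7 success",
    "1700031300 bob collab 203.0.113.9 success",
    "1700031600 carol sso 198.51.100.7 failure",
]

if __name__ == "__main__":
    for src, (first, last, n) in persistent_external_sessions(FLOW_LOG).items():
        print(f"{src}: {n} accepted flows to management ports over {(last - first) / 3600:.1f}h")
    for ts, user, service, src, outcome in correlate_logins(FLOW_LOG, AUTH_LOG):
        print(f"{user} -> {service} from flagged source {src}: {outcome} at {ts}")
```

Two design points follow from the article's description. Rejected flows are ignored on purpose: a scanner that never gets through is noise here, whereas the behaviour of interest is a source that is repeatedly accepted by a management interface. And the correlation only counts logins after the source's first appearance on the appliance, which matches the delay the report describes between passive collection and later reuse.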