A years-long Russian state-sponsored campaign reveals what the Amazon Threat Intelligence team is calling a “significant evolution” in how the group is targeting critical infrastructure. Rather than exploiting vulnerabilities to gain initial access, they are now targeting misconfigured customer network edge devices.

The campaign, which Amazon has been tracking from 2021 through 2025, is linked to Sandworm (also known as APT44) operations due to infrastructure overlaps. Amazon assessed with high confidence that the operations are associated with Russia’s military intelligence agency (the Main Intelligence Directorate, or the GRU). Targeted organizations include energy sector firms across Western nations, critical infrastructure providers in North America and Europe, and companies with cloud-hosted network infrastructure.

Between 2021 and 2024, Amazon researchers said they saw threat actors gain initial access primarily through CVE exploitation, including flaws in WatchGuard (CVE-2022-26318), Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532). Attackers were also targeting misconfigured devices during that period, but starting in 2025 researchers said they saw sustained targeting of misconfigured customer network edge devices in parallel with a decline in zero-day and N-day exploitation activity.

“The threat actor’s shift in operational tempo represents a concerning evolution: while customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” according to CJ Moses, CISO of Amazon Integrated Security, in a Monday post. “The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”

Misconfigured customer devices with exposed management interfaces give threat actors persistent access to critical infrastructure networks and enable many of the same operational outcomes that vulnerability exploitation would. However, this attack vector requires fewer resources and reduces threat actor exposure. Researchers observed threat actors attempting credential replay attacks against victim organizations' online services; going into 2026, organizations should therefore prioritize network edge device security and monitor for credential replay attacks.
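The misconfiguration the post describes, a network appliance whose management interface is reachable from the internet, is something a cloud team can audit from its own security group definitions. The following is an added example (not code from Amazon or from the post): it walks a list of security groups shaped like the EC2 DescribeSecurityGroups response and reports every rule that exposes a management port to 0.0.0.0/0 or ::/0, including catch-all rules with `IpProtocol` set to `-1`. The sample groups, group IDs and the list of management ports are constructed for the example.

```python
"""Flag security group rules that expose a network appliance's management
ports to the whole internet.

Added example, not from the Amazon post. The input mirrors the structure of
the EC2 DescribeSecurityGroups response (SecurityGroups -> IpPermissions ->
IpRanges / Ipv6Ranges); the groups below are constructed sample data.
"""

# Assumed set of management ports an edge appliance typically listens on.
MANAGEMENT_PORTS = {22: "ssh", 443: "https-admin", 8443: "https-admin-alt", 3389: "rdp"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: one group with HTTPS admin open to the world, one legacy
# group allowing all traffic over IPv6, one correctly restricted internal group.
SECURITY_GROUPS = [
    {"GroupId": "sg-0edge01", "GroupName": "edge-appliance", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.0.2.0/24", "Description": "corp vpn"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0edge02", "GroupName": "edge-appliance-legacy", "IpPermissions": [
        # IpProtocol "-1" means all protocols and ports; FromPort/ToPort are absent.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0app01", "GroupName": "internal-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]


def _rule_is_world_open(perm):
    """True if the rule admits any IPv4 or any IPv6 source."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _rule_covers_port(perm, port):
    """True if the rule's protocol/port range includes the given TCP/UDP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_management_rules(groups, mgmt_ports=MANAGEMENT_PORTS):
    """Return (group_id, port, label) for every management port reachable
    from the internet through some rule of the group."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _rule_is_world_open(perm):
                continue
            for port, label in sorted(mgmt_ports.items()):
                if _rule_covers_port(perm, port):
                    findings.append((group["GroupId"], port, label))
    return findings


if __name__ == "__main__":
    for group_id, port, label in exposed_management_rules(SECURITY_GROUPS):
        print(f"{group_id}: {label} (tcp/{port}) reachable from the internet")
```

On a live account the same function can be fed the `SecurityGroups` list returned by the EC2 API; the check is deliberately conservative and reports a catch-all `-1` rule once per management port, which is usually what a remediation ticket needs.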

“In observed instances, the actor compromised customer network edge devices hosted on AWS, then subsequently attempted authentication using credentials associated with the victim organization’s domain against their online services,” according to Moses. “While these specific attempts were unsuccessful, the pattern of device compromise followed by authentication attempts using victim credentials supports our assessment that the actor harvests credentials from compromised customer network infrastructure for replay against target organizations’ online services.”

Many operations were against customer network edge devices that were hosted on AWS, according to Amazon. Amazon said it notified customers of compromised network appliance resources and worked to pave the way for remediation of compromised Elastic Compute Cloud (EC2) instances. 

“This was not due to a weakness in AWS; these appear to be customer misconfigured devices. Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software,” said Moses. “Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”
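The two observations Moses describes, long-lived external connections to the appliance instances and later authentication attempts using victim-domain accounts from the same sources, can be joined into one detection. The following is an added example, not code from Amazon or from the post: it merges constructed records in the default VPC flow log field layout into per-connection time spans, keeps sources that held a session to an appliance management port for at least 30 minutes, and then flags authentication events from those sources against accounts in the victim's domain. The appliance address, the auth log format and all log lines are constructed for the example.

```python
"""Correlate persistent inbound sessions to a network appliance with later
authentication attempts from the same source addresses.

Added example, not from the Amazon post. Flow records follow the default VPC
flow log field order (version account-id interface-id srcaddr dstaddr srcport
dstport protocol packets bytes start end action log-status); the auth-log
layout is an assumed, simplified one. All lines below are constructed.
"""
from collections import defaultdict

# Constructed: private address of an EC2 instance running a third-party
# network appliance, and the ports its management interface listens on.
APPLIANCE_IPS = {"10.0.1.10"}
MANAGEMENT_PORTS = {22, 443, 8443}

# Constructed flow records. 203.0.113.7 keeps one TCP session to the
# appliance's HTTPS port across four consecutive 10-minute capture windows;
# 198.51.100.9 makes a single 30-second connection.
FLOW_LOG_LINES = [
    "2 123456789012 eni-0abc123 203.0.113.7 10.0.1.10 51234 443 6 900 120000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0abc123 203.0.113.7 10.0.1.10 51234 443 6 850 110000 1700000600 1700001200 ACCEPT OK",
    "2 123456789012 eni-0abc123 203.0.113.7 10.0.1.10 51234 443 6 910 125000 1700001200 1700001800 ACCEPT OK",
    "2 123456789012 eni-0abc123 203.0.113.7 10.0.1.10 51234 443 6 880 118000 1700001800 1700002400 ACCEPT OK",
    "2 123456789012 eni-0abc123 198.51.100.9 10.0.1.10 40001 443 6 12 2400 1700000100 1700000130 ACCEPT OK",
]

# Constructed auth events from the organization's online service:
# "<epoch> <source ip> <account> <result>". example.com is the victim domain.
AUTH_LOG_LINES = [
    "1700010000 203.0.113.7 alice@example.com FAILURE",
    "1700010010 203.0.113.7 bob@example.com FAILURE",
    "1700010500 198.51.100.9 carol@example.com SUCCESS",
    "1700011000 192.0.2.44 alice@example.com SUCCESS",
]


def parse_flow_line(line):
    """Pick the fields this detection needs out of a default-format flow record."""
    f = line.split()
    return {"src": f[3], "dst": f[4], "srcport": int(f[5]), "dstport": int(f[6]),
            "start": int(f[10]), "end": int(f[11]), "action": f[12]}


def persistent_external_sessions(lines, appliance_ips, mgmt_ports, min_seconds=1800):
    """Return {src_ip: longest_span_seconds} for sources whose accepted traffic
    to an appliance management port spans at least min_seconds.

    Flow logs aggregate traffic per capture window, so one long session shows
    up as several records with the same 4-tuple; they are merged here."""
    spans = {}
    for line in lines:
        r = parse_flow_line(line)
        if r["action"] != "ACCEPT" or r["dst"] not in appliance_ips or r["dstport"] not in mgmt_ports:
            continue
        key = (r["src"], r["srcport"], r["dst"], r["dstport"])
        s, e = spans.get(key, (r["start"], r["end"]))
        spans[key] = (min(s, r["start"]), max(e, r["end"]))
    result = defaultdict(int)
    for (src, _, _, _), (s, e) in spans.items():
        if e - s >= min_seconds:
            result[src] = max(result[src], e - s)
    return dict(result)


def credential_replay_candidates(auth_lines, suspect_ips, domain):
    """Authentication attempts that come from a source already seen holding a
    persistent appliance session and that use an account in the victim
    domain: the device-compromise-then-authentication pattern from the post."""
    hits = []
    for line in auth_lines:
        ts, src, account, result = line.split()
        if src in suspect_ips and account.lower().endswith("@" + domain.lower()):
            hits.append({"ts": int(ts), "src": src, "account": account, "result": result})
    return hits


def run():
    suspects = persistent_external_sessions(FLOW_LOG_LINES, APPLIANCE_IPS, MANAGEMENT_PORTS)
    return suspects, credential_replay_candidates(AUTH_LOG_LINES, set(suspects), "example.com")


if __name__ == "__main__":
    suspects, hits = run()
    for src, seconds in suspects.items():
        print(f"persistent management session from {src}: {seconds}s")
    for h in hits:
        print(f"auth attempt from {h['src']} as {h['account']}: {h['result']}")
```

Failed attempts are kept on purpose: the post notes the observed replay attempts were unsuccessful, and a burst of failures against several victim-domain accounts from an address that just held a long session to an edge appliance is exactly the signal worth alerting on.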