As 2025 wraps up, Amazon Threat Intelligence outlines a multi-year Russian state-backed cyber campaign that marks a tactical shift in how critical infrastructure gets breached.
According to Amazon’s assessment, the actors moved away from heavy reliance on vulnerability exploitation and leaned into a quieter path – misconfigured customer network edge devices.
By abusing exposed management interfaces on routers, VPN gateways, and similar edge gear, the group still achieves credential harvesting and lateral movement into cloud services and internal systems.
At the same time, the operators cut their operational costs and reduce the risk of detection. It’s efficient, maybe too efficient.
Amazon says it has high confidence this activity links to Russia’s Main Intelligence Directorate, the GRU. The assessment draws on infrastructure overlaps with Sandworm, also tracked as APT44 or Seashell Blizzard, alongside long-running targeting patterns visible in Amazon’s telemetry.
The focus stays narrow and consistent – Western critical infrastructure, with energy operators front and centre – and the activity runs from 2021 straight through today.
Looking into 2026, Amazon urges organisations to lock down network edge devices and watch closely for credential replay attempts. That’s where the fight shifts next.
Based on what Amazon sees, attackers aren’t abandoning sophistication. They’re just choosing paths that attract less attention (see Ransomware, Cloud and AI Risks Reshape the Global Cyber Threat).
The campaign’s technical arc shows how tactics drifted over time. In 2021 and 2022, Amazon MadPot sensors caught exploitation of WatchGuard devices tied to CVE-2022-26318, alongside early signs of misconfiguration abuse.
The following year brought Confluence exploits, including CVE-2021-26084 and CVE-2023-22518, while misconfigured device targeting continued in parallel.
In 2024, the group exploited Veeam software through CVE-2023-27532. By 2025, exploitation activity faded, replaced by sustained targeting of poorly secured customer edge devices.
Primary victims cluster around the energy sector across Western countries. Amazon also tracked activity against other critical infrastructure providers in North America and Europe, especially organisations running cloud-hosted network infrastructure.
The actors focused on familiar surfaces. Enterprise routers. VPN concentrators. Remote access gateways. Network management appliances. Collaboration and wiki tools.
Cloud-based project management systems. According to Beinsure analysts, these environments often sit at the crossroads of IT and OT, which makes them tempting and risky at the same time.
Amazon describes the approach as going after low-hanging fruit. Misconfigured devices offer persistent access to networks and a prime vantage point for intercepting credentials moving across the wire.
The shift accelerated in 2025, according to Evolution of Ransomware. Zero-day and N-day exploits didn’t vanish, but investment dropped sharply. The payoff stayed the same.
Credential harvesting sits at the centre of the operation. Amazon didn’t directly observe the extraction mechanism, yet multiple signals point to passive packet capture and traffic inspection.
There’s a lag between device compromise and login attempts against victim services, which suggests interception rather than brute theft.
The credentials used belong to victim organisations, not the devices themselves. Sandworm’s past operations rely heavily on traffic interception. And edge devices sit exactly where you’d want them if you planned to watch authentication data flow past.
Amazon’s telemetry also shows how cloud infrastructure fits into the picture. The compromised devices often ran on AWS-hosted EC2 instances, configured by customers, not exposed by AWS flaws.
Actor-controlled IP addresses maintained persistent connections to these instances, consistent with interactive access and ongoing data retrieval.
Beyond that, Amazon observed systematic credential replay attempts. After compromising edge devices hosted on AWS, the actors tried logging into victim organisations’ online services using harvested credentials tied to those organisations’ domains.
Targets for replay activity spanned multiple sectors through 2025. Energy organisations included electric utilities, energy providers, and managed security service firms serving that space.
Technology targets covered collaboration platforms and source code repositories. Telecommunications providers across several regions also appeared in the data.
Geographically, the campaign stretches wide. North America. Western and Eastern Europe. The Middle East.
Amazon notes sustained attention on the energy supply chain itself, hitting not just operators but also third-party service providers with access into sensitive networks.
The operational flow stays consistent. Compromise a customer edge device hosted on AWS. Use native packet capture features. Harvest credentials from intercepted traffic.
Replay those credentials against online services and infrastructure. Establish persistence, then move laterally. Repeat.
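One way a defender could hunt for the two signals that flow produces, a long-lived external session on an AWS-hosted edge device and the later replay of harvested credentials against the organisation's own services, as an added example that is not Amazon's code or tooling. It runs over constructed flow-log and authentication-log records; the instance id, IP addresses, admin allowlist and thresholds are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from Amazon's report); timestamps are UTC ISO strings.
# Inbound sessions to an instance we tag as a customer-managed edge device (VPN gateway).
FLOW_LOGS = [
    {"ts": "2025-03-01T08:00:00", "src": "198.51.100.7", "dst": "i-edge-vpn-01", "dport": 443, "duration_s": 21600},
    {"ts": "2025-03-01T08:05:00", "src": "203.0.113.9", "dst": "i-edge-vpn-01", "dport": 443, "duration_s": 40},
    {"ts": "2025-03-01T09:00:00", "src": "198.51.100.7", "dst": "i-edge-vpn-01", "dport": 22, "duration_s": 9000},
]
# Logins to the organisation's online services; usernames share the victim domain.
AUTH_LOGS = [
    {"ts": "2025-03-01T14:10:00", "src": "198.51.100.7", "user": "alice@example-utility.test", "ok": True},
    {"ts": "2025-03-01T14:11:30", "src": "198.51.100.7", "user": "bob@example-utility.test", "ok": True},
    {"ts": "2025-03-01T14:12:10", "src": "198.51.100.7", "user": "carol@example-utility.test", "ok": False},
    {"ts": "2025-03-01T14:13:00", "src": "198.51.100.7", "user": "dave@example-utility.test", "ok": True},
    {"ts": "2025-03-01T15:00:00", "src": "192.0.2.44", "user": "alice@example-utility.test", "ok": True},
]
EDGE_INSTANCES = {"i-edge-vpn-01"}          # assumed: instances known to run edge gear
MGMT_PORTS = {22, 443, 8443}                # assumed: management interfaces on that gear
ALLOWED_ADMIN_IPS = {"203.0.113.9"}         # assumed: the organisation's own admin egress IP

def parse(ts):
    return datetime.fromisoformat(ts)

def long_lived_mgmt_sessions(flows, min_duration_s=3600):
    """Persistent inbound sessions to edge-device management ports from non-allowlisted IPs."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["dst"] in EDGE_INSTANCES and f["dport"] in MGMT_PORTS
            and f["src"] not in ALLOWED_ADMIN_IPS and f["duration_s"] >= min_duration_s]

def credential_replay(auth, window=timedelta(minutes=10), min_users=3):
    """One source IP authenticating as several distinct org users inside a short window."""
    by_src = defaultdict(list)
    for a in auth:
        by_src[a["src"]].append(a)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: parse(e["ts"]))
        for i, first in enumerate(events):
            users = {e["user"] for e in events[i:] if parse(e["ts"]) - parse(first["ts"]) <= window}
            if len(users) >= min_users:
                alerts.append((src, sorted(users)))
                break   # one alert per source IP is enough for triage
    return alerts

def correlate(flows, auth):
    """Source IPs seen both holding a long edge-device session and replaying credentials."""
    session_ips = {s[0] for s in long_lived_mgmt_sessions(flows)}
    return [a for a in credential_replay(auth) if a[0] in session_ips]
```

Failed attempts are counted alongside successes on purpose: a replay against a rotated password still reveals the source.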
Amazon also identified infrastructure overlap with a threat cluster Bitdefender tracks as Curly COMrades. According to Amazon, this may signal complementary activity inside a broader GRU operation.
Bitdefender’s reporting points to post-compromise tradecraft such as Hyper-V abuse to evade EDR tools and custom implants like CurlyShell and CurlCat. Amazon’s data fills in the front end – initial access and cloud pivots.