Amazon Reveals GRU Campaign Hitting Energy and Cloud

December 16, 2025 at 12:00 AM

Amazon’s threat intelligence unit has uncovered a years-long Russian GRU (APT44) campaign targeting Western critical infrastructure, with a sustained focus on energy providers and cloud-hosted network infrastructure from 2021 to 2025. The activity, linked to APT44 (also tracked as Sandworm, FROZENBARENTS, Seashell Blizzard, and Voodoo Bear), increasingly favored misconfigured network edge devices over zero-day exploitation to harvest credentials and move laterally with less risk and cost.

Who and what was targeted: energy sector operators, critical infrastructure providers across North America and Europe, and organizations running cloud-hosted network appliances. Systems in scope included enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management tools.

How the campaign evolved:

  • 2021–2022: exploitation of WatchGuard Firebox/XTM appliances (CVE-2022-26318, a pre-authentication remote code execution flaw) alongside widespread abuse of misconfigured edge devices
  • 2022–2023: exploitation of Atlassian Confluence (CVE-2021-26084, OGNL injection; CVE-2023-22518, improper authorization) and continued edge device abuse
  • 2024: exploitation of Veeam Backup & Replication (CVE-2023-27532, credential disclosure via the backup service) with ongoing focus on misconfigured edge devices
  • 2025: persistent targeting of misconfigured network edge infrastructure, with no new vulnerability exploitation reported

Observed tradecraft and objectives:

  • Declining reliance on zero-day and N-day exploits in favor of exposed management interfaces and weakly configured appliances, which yield the same access at lower cost and lower risk of burning a capability
  • Strategic placement at the network edge to intercept traffic and harvest credentials at scale
  • Credential replay attempts against victim organizations’ online services to deepen access

Typical attack chain:

  • Compromise a customer-managed network appliance running on an AWS EC2 instance, typically through an exposed or weakly configured management interface
  • Use native packet capture to intercept traffic
  • Extract credentials from captured data
  • Replay credentials against online services and internal infrastructure
  • Establish persistence for lateral movement
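The capture stage in the chain above leaves artifacts on the appliance itself: an interface placed in promiscuous mode, a capture tool in the process list, and capture files on disk. The script below is an added example written for this page, not code from Amazon's report or The Hacker News. It assumes a generic Linux-based appliance where /sys/class/net and /proc are readable; the tool names, the capture directories and the file suffixes it looks for are assumptions, not any vendor's specifics.

```python
"""Audit a Linux-based network appliance for signs of packet capture.

Added example (not from Amazon or The Hacker News). Checks three host-level
artifacts the capture step leaves behind: promiscuous interfaces, running
capture tools, and recently written capture files. Tool names, directories
and suffixes are assumptions about a generic Linux appliance.
"""
import os
import time
from pathlib import Path

IFF_PROMISC = 0x100  # Linux net_device flag bit exposed in /sys/class/net/<if>/flags

# Capture tools nobody expects on a production appliance (assumed list).
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "wireshark", "netsniff-ng", "ngrep"}

# Where capture output usually lands (assumption for a generic Linux host).
CAPTURE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/root")
CAPTURE_SUFFIXES = (".pcap", ".pcapng", ".cap")


def is_promiscuous(flags_hex: str) -> bool:
    """True if a /sys/class/net/<if>/flags value (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def classify_cmdline(cmdline: str):
    """Return (tool, output_file_or_None) if cmdline is a capture tool, else None.

    Output file detection covers the '-w FILE' and '-wFILE' forms shared by
    tcpdump, tshark and dumpcap.
    """
    parts = cmdline.split()
    if not parts:
        return None
    tool = os.path.basename(parts[0])
    if tool not in CAPTURE_TOOLS:
        return None
    out = None
    for i, tok in enumerate(parts[1:], start=1):
        if tok == "-w" and i + 1 < len(parts):
            out = parts[i + 1]
        elif tok.startswith("-w") and len(tok) > 2:
            out = tok[2:]
    return tool, out


def promiscuous_interfaces(sys_net: str = "/sys/class/net") -> list:
    """Interfaces whose flags file shows promiscuous mode."""
    base = Path(sys_net)
    if not base.is_dir():
        return []
    found = []
    for iface in base.iterdir():
        try:
            if is_promiscuous((iface / "flags").read_text()):
                found.append(iface.name)
        except (OSError, ValueError):
            continue
    return sorted(found)


def capture_processes(proc: str = "/proc") -> list:
    """(pid, tool, output_file) for every running capture tool, from /proc/<pid>/cmdline."""
    base = Path(proc)
    if not base.is_dir():
        return []
    hits = []
    for entry in base.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()  # NUL-separated argv
        except OSError:
            continue
        hit = classify_cmdline(raw.replace(b"\0", b" ").decode(errors="replace"))
        if hit:
            hits.append((int(entry.name), hit[0], hit[1]))
    return hits


def recent_capture_files(dirs=CAPTURE_DIRS, max_age_s: int = 7 * 86400) -> list:
    """Capture files modified within max_age_s under the given directories."""
    cutoff = time.time() - max_age_s
    out = []
    for d in dirs:
        for root, _, files in os.walk(d):  # os.walk skips unreadable dirs silently
            for name in files:
                if not name.endswith(CAPTURE_SUFFIXES):
                    continue
                path = os.path.join(root, name)
                try:
                    if os.path.getmtime(path) >= cutoff:
                        out.append(path)
                except OSError:
                    continue
    return sorted(out)


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces())
    print("capture processes:     ", capture_processes())
    print("recent capture files:  ", recent_capture_files())
```

Run it as root so /proc/<pid>/cmdline is readable for every process. Two caveats: bridge member ports are legitimately placed in promiscuous mode, so filter those before alerting; and an actor using the appliance's own built-in diagnostic capture feature may not show up as a separate tcpdump process, so also review the vendor's administrative audit log for capture sessions started through the management interface.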

Amazon telemetry showed actor-controlled IPs maintaining persistent, interactive connections to compromised EC2 instances running customer network appliance software, consistent with data retrieval. While credential replay attempts were largely assessed as unsuccessful, they reinforce the conclusion that the adversary is harvesting credentials from compromised edge environments.

Attribution notes and related activity: Infrastructure overlaps were observed with Bitdefender’s Curly COMrades cluster (including 91.99.25[.]54), suggesting complementary roles within a broader GRU operation—one cluster prioritizing network access and initial compromise, the other focused on host persistence and evasion.

Amazon notified affected customers and disrupted active operations against its cloud services but did not disclose attack volumes or changes in tempo since 2021.

Recommended defenses:

  • Audit all edge devices for unexpected packet capture utilities and disable unnecessary capture features
  • Lock down management interfaces (no internet exposure, IP allowlisting or VPN-only access)
  • Patch and harden network appliances, collaboration platforms and backup servers (WatchGuard Firebox/XTM, Confluence, Veeam Backup & Replication), prioritizing anything reachable from the internet
  • Enforce strong authentication (MFA, conditional access) and rotate credentials regularly
  • Monitor for logins from unusual geographies and signs of credential replay
  • Segment networks and increase logging/alerting around edge traffic and appliance behavior
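The replay stage of the chain and the monitoring recommendation above translate into two concrete detections over authentication logs: a successful login for a user from a geography never seen for that user, and one source IP authenticating against many distinct accounts in a short window, which is the shape a replayed batch of harvested credentials produces. The following is an added example written for this page, not code from Amazon or The Hacker News. The JSON-lines log format (ts, user, src_ip, country, result), the thresholds and the sample events are assumptions; the addresses are RFC 5737 documentation ranges and the data is constructed.

```python
"""Flag unusual-geography logins and credential fan-out in authentication logs.

Added example (not from Amazon or The Hacker News). Assumes JSON-lines auth
events with fields ts, user, src_ip, country, result. Sample data is
constructed; addresses are RFC 5737 documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FANOUT_USERS = 3                      # distinct accounts from one IP before alerting
FANOUT_WINDOW = timedelta(minutes=15)  # window in which those accounts must appear

# Constructed sample: a quiet baseline, then one IP replaying several accounts.
SAMPLE_LOG = """
{"ts":"2025-11-01T09:02:11Z","user":"alice","src_ip":"198.51.100.20","country":"US","result":"success"}
{"ts":"2025-11-02T08:57:40Z","user":"bob","src_ip":"198.51.100.21","country":"DE","result":"success"}
{"ts":"2025-11-03T09:10:05Z","user":"carol","src_ip":"198.51.100.20","country":"US","result":"success"}
{"ts":"2025-11-04T09:01:59Z","user":"alice","src_ip":"198.51.100.20","country":"US","result":"success"}
{"ts":"2025-11-20T03:14:02Z","user":"alice","src_ip":"203.0.113.7","country":"NL","result":"success"}
{"ts":"2025-11-20T03:14:40Z","user":"bob","src_ip":"203.0.113.7","country":"NL","result":"failure"}
{"ts":"2025-11-20T03:15:13Z","user":"carol","src_ip":"203.0.113.7","country":"NL","result":"failure"}
{"ts":"2025-11-20T03:16:02Z","user":"dave","src_ip":"203.0.113.7","country":"NL","result":"failure"}
{"ts":"2025-11-20T09:00:00Z","user":"bob","src_ip":"198.51.100.21","country":"DE","result":"success"}
"""
CUTOFF = datetime(2025, 11, 15, tzinfo=timezone.utc)  # baseline before, detection after


def parse_events(lines):
    """Parse JSON-lines records; 'ts' becomes a tz-aware datetime. Returns time-sorted list."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def build_baseline(events, cutoff):
    """Countries each user successfully logged in from before `cutoff`."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            seen[e["user"]].add(e["country"])
    return seen


def detect_new_geo(events, baseline, cutoff):
    """Successful logins after `cutoff` from a country absent from the user's baseline.

    Users with no baseline are skipped: with nothing to compare against, a
    first login is not 'unusual', it is merely unknown.
    """
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        known = baseline.get(e["user"], set())
        if known and e["country"] not in known:
            alerts.append({"rule": "new_geo", "user": e["user"], "src_ip": e["src_ip"],
                           "country": e["country"], "known": sorted(known), "ts": e["ts"]})
    return alerts


def detect_fan_out(events, cutoff, min_users=FANOUT_USERS, window=FANOUT_WINDOW):
    """One source IP touching >= min_users distinct accounts within `window` after cutoff.

    Failures count too: a replayed batch mixes stale and live credentials.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["ts"] >= cutoff:
            by_ip[e["src_ip"]].append(e)  # events are already time-sorted
    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {x["user"] for x in span}
            if len(users) >= min_users:
                alerts.append({"rule": "fan_out", "src_ip": ip, "users": sorted(users),
                               "successes": sorted({x["user"] for x in span if x["result"] == "success"}),
                               "first": span[0]["ts"], "last": span[-1]["ts"]})
                break  # one alert per IP is enough
    return alerts


def run(log_text=SAMPLE_LOG, cutoff=CUTOFF):
    """Parse, baseline and run both detections; returns the list of alerts."""
    events = parse_events(log_text.splitlines())
    baseline = build_baseline(events, cutoff)
    return detect_new_geo(events, baseline, cutoff) + detect_fan_out(events, cutoff)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The fan-out rule is the one that catches credential replay even when every attempt fails, which matches the report's observation that most replay attempts were unsuccessful; the new-geography rule is what catches the one that works. Tune the window and threshold to the service's normal login volume before turning either into a paging alert, and feed both rules the IdP's logs as well as the appliance's, since the replayed credentials were harvested at the edge but used elsewhere.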

Sectors and regions most impacted include energy, technology/cloud services, and telecom providers across North America, Western/Eastern Europe, and the Middle East.

Source: The Hacker News
