If you think state-sponsored cyberattacks only target governments or energy giants, this story should make you think again. Amazon has just published a report exposing a nearly five-year-long cyber campaign directed by Russia’s GRU, focused on critical infrastructure, energy, and cloud-based services. And while it may sound distant, many of the techniques used are the same ones that currently threaten private companies, tech providers, and any organization relying on the cloud.
The perimeter is no longer your office. It’s your firewalls, VPNs, virtual routers, and exposed cloud services. That’s exactly where this group decided to strike.
A Quiet, Persistent, and Well-Executed Campaign
Amazon’s threat intelligence team confirmed that between 2021 and 2025, a GRU-linked actor—known as APT44, and also identified as Sandworm, FROZENBARENTS, Seashell Blizzard, or Voodoo Bear—conducted a prolonged campaign against Western organizations.
Their targets were anything but random:
- Energy sector companies
- Critical infrastructure providers in North America and Europe
- Organizations hosting network infrastructure in the cloud, especially on AWS
But what’s most concerning isn’t who they attacked—it’s how.
The Key Shift: Fewer Exploits, More Misconfigurations
For years, we’ve been trained to fear zero-days and critical vulnerabilities. But Amazon found something different. Over time, the GRU moved away from complex exploits and focused on something much simpler—and much more common: misconfigured networking equipment.
Routers, VPN gateways, virtual firewalls, and network appliances with exposed admin interfaces became their primary entry point.
Why? Because it’s cheaper, stealthier, and lower-risk for the attacker.
Put simply: if your infrastructure is poorly configured, attackers don’t need to hack you—they just walk right in.
A Timeline That Should Worry Everyone
Amazon documented the evolution of the campaign:
- 2021–2022: Exploited vulnerabilities in WatchGuard Firebox/XTM and misconfigured edge devices
- 2022–2023: Combined flaws in Atlassian Confluence with exposed network equipment
- 2024: Targeted Veeam and continued exploiting weak cloud configurations
- 2025: Almost exclusively focused on misconfigured network infrastructure, without relying on new exploits
The conclusion is clear: what failed was basic security hygiene, far more often than advanced technology.
The Real Objective: Credential Harvesting at Scale
Once inside these edge devices, GRU operatives didn’t destroy anything immediately. Their goal was strategic: to harvest credentials.
According to Amazon, attackers:
- Compromised cloud-hosted network devices
- Activated native traffic-capturing tools
- Intercepted credentials traveling across the network
- Reused those credentials against corporate systems
- Moved laterally and built persistence
This is especially dangerous because it bypasses endpoints entirely. You could have perfect antivirus, EDR, and internal controls—and still lose your credentials if your network layer is compromised.
Why the Cloud Is Central to This Attack
Amazon confirmed that many of the targeted devices were hosted on AWS—used as virtual routers, gateways, or networking appliances by customers.
Attackers established persistent connections with compromised EC2 instances, enabling interactive access and continuous data extraction. This wasn’t a one-off—it was long-term presence.
This shatters a common myth: migrating to the cloud doesn't automatically make you secure. If you replicate your on-prem mistakes in the cloud, you're just relocating the problem.
Energy, Tech, and Telecom: The Common Pattern
Credential reuse operations consistently targeted:
- Energy companies
- Technology and cloud service providers
- Telecommunications operators
Not just final operators—but also third-party vendors with network access. In other words, the digital supply chain.
Here’s the uncomfortable truth: even if your company isn’t “critical infrastructure,” you can still be the entry point.
Possibly Not Just One Group
Another detail worth noting: Amazon found infrastructure overlaps with another group tracked by Bitdefender as Curly COMrades, active since 2023 and aligned with Russian interests.
This suggests something we at TecnetOne say often: state actors don’t work alone. They operate in specialized cells—one group gains access, another maintains it, another exfiltrates data. It’s industrialized, not improvised.
What You Should Do Today (Not Tomorrow)
Amazon has already notified affected customers and blocked active operations. But the real question is: what are you doing with this information?
Here are the minimum actions we recommend at TecnetOne:
- Audit all physical and virtual network devices, especially internet-facing ones
- Ensure no admin interfaces are exposed without strict controls
- Implement strong authentication and disable unnecessary access
- Monitor unusual traffic and persistent connections
- Detect credential reuse attempts from anomalous locations
- Review legacy configurations—many breaches stem from “it’s always been like that” setups
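As an added example (not from the Amazon report or TecnetOne's own material), here is a small Python check for the second item above: it walks security-group rules in the shape returned by EC2's describe_security_groups() and flags management ports that a virtual firewall or VPN gateway exposes to the entire internet. The port list and the sample groups are constructed assumptions for the example.

```python
import ipaddress
# Management ports commonly used by firewalls, VPN gateways and virtual routers.
# This list is an assumption for the example, not taken from the Amazon report.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 443: "https-admin", 3389: "rdp",
               4443: "fw-mgmt", 8080: "http-alt", 8443: "https-alt", 10443: "ssl-vpn-admin"}

def is_world_open(cidr: str) -> bool:
    """True when a CIDR admits the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def port_range(perm: dict) -> range:
    """Ports covered by one EC2 IpPermission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return range(lo, hi + 1) if lo is not None and hi is not None else range(0)

def find_exposed_admin_ports(security_groups: list) -> list:
    """Return (group_id, port, service, cidr) for each admin port open to the world;
    input mirrors describe_security_groups()['SecurityGroups'] from boto3/EC2."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            if not open_cidrs:
                continue
            ports = port_range(perm)
            for port, name in sorted(ADMIN_PORTS.items()):
                if port in ports:
                    findings.extend((sg["GroupId"], port, name, c) for c in open_cidrs)
    return findings

# Constructed sample: a virtual-firewall group whose web console and alternate
# HTTPS admin port face the internet, and a bastion that only admits a corporate range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-fw-edge", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for gid, port, name, cidr in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {name} (tcp/{port}) reachable from {cidr}")
```

Against a live account, feed the function the SecurityGroups list from boto3's ec2.describe_security_groups() and review every finding for the appliance groups first.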
This kind of attack can’t be stopped by a single tool—it requires operational discipline, visibility, and continuous monitoring.
Final Lesson: Configuration Is Security
This case proves something uncomfortable but essential: security doesn’t fail from lack of tech—it fails from neglect.
The GRU didn’t need to break encryption or use super-advanced exploits. They just waited for someone to misconfigure a device.
If you rely on the cloud, you need to treat your network devices for what they are: critical assets.
Because the edge of your network is also the frontline of a silent war. And being unprepared doesn’t make you neutral—it makes you vulnerable.