Amazon Exposes GRU Cyberattacks: Years-Long Campaign Targeting Critical Infrastructure (2026)

Amazon Reveals a Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure

Here is where it gets contentious: a major cloud provider has laid bare a prolonged, state-sponsored operation that quietly worked its way through Western critical infrastructure for years, raising hard questions about supply chain security and attribution.

Amazon’s threat intelligence team has shared details of a sustained Russian-linked campaign that ran from 2021 through 2025, attacking energy sector organizations across Western countries, critical infrastructure providers in North America and Europe, and entities running cloud-hosted network infrastructure. The operation is attributed with high confidence to the GRU-affiliated APT44, also known by aliases such as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear. This linkage underscores how sophisticated groups can evolve their tactics while pursuing similar objectives.

A notable shift is evident over time: early on, the attackers focused on exploiting misconfigured customer edge devices with exposed management interfaces. As the years progressed, their use of N-day and zero-day vulnerabilities declined, suggesting a strategic move away from broad exploit activity toward targeting critical infrastructure more directly. According to CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, this adaptation preserves the attackers’ goals (credential harvesting and lateral movement across victim networks) while reducing exposure and resource expenditure for the actors involved.

Over the five-year timeline, the campaign leveraged a range of vulnerabilities and techniques, including:
- 2021–2022: Exploitation of WatchGuard Firebox and XTM flaws (CVE-2022-26318) and continued targeting of misconfigured edge devices.
- 2022–2023: Exploitation of Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518) alongside ongoing edge-device targeting.
- 2024: Exploitation of a Veeam flaw (CVE-2023-27532) with sustained edge-device targeting.
- 2025: Continued emphasis on misconfigured edge networks.

The intrusions specifically targeted enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management tools. The aim appears to be credential harvesting at scale by positioning on the network edge to intercept sensitive information in transit.

Telemetry further revealed coordinated attempts to compromise misconfigured customer edge devices hosted within AWS infrastructure. According to Moses, actor-controlled IPs established persistent connections to compromised EC2 instances running customers’ network appliance software, indicating interactive access and ongoing data retrieval across multiple affected devices.

Credential replay attacks against victim online services were observed as part of efforts to deepen footholds in targeted networks. While these replay attempts did not succeed in every case, they support the view that the adversaries were capturing credentials from compromised customer networks for subsequent use.

The overall intrusion sequence can be summarized as:
- Compromise the customer edge device hosted on AWS
- Activate native packet capture capabilities
- Extract credentials from intercepted traffic
- Replay credentials against the victim’s online services and infrastructure
- Establish persistent access to enable lateral movement

Credential replay activity spanned energy, technology/cloud services, and telecom providers across North America, Western and Eastern Europe, and the Middle East. Moses emphasized the campaign’s sustained focus on the energy sector supply chain, including operators directly and third-party service providers with access to critical infrastructure networks.

Interestingly, the intrusion cluster shares infrastructure overlaps with another group Bitdefender tracks as Curly COMrades, a cluster believed to be aligned with Russian interests since late 2023. This overlap raises the possibility that the two clusters are complementary components of a broader GRU operation, with one cluster handling initial network access and compromise, and the other focusing on host-based persistence and evasion. Such division mirrors known GRU patterns of deploying specialized subclusters to support larger campaign objectives, as noted by Amazon’s researchers.

Amazon has identified and notified affected customers and disrupted active threat operations targeting its cloud services. The recommended defensive steps include auditing all network edge devices for unexpected packet-capture tools, enforcing strong authentication, monitoring for authentication attempts from unusual geographic locations, and remaining vigilant for credential replay attempts.
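As an added illustration of the monitoring Amazon recommends (this is not code from the article or from Amazon), the script below runs a simple credential-replay check over constructed authentication log lines: it flags an account used from an unusual geography shortly after a success from its baseline location, and a single source address that works through several accounts in a row. The log format, the country baseline and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the article): one login event per line.
SAMPLE_LOG = """\
2025-03-02T08:01:10Z login user=alice src=203.0.113.7 geo=US result=success
2025-03-02T08:03:55Z login user=bob src=203.0.113.9 geo=US result=success
2025-03-02T09:40:02Z login user=alice src=198.51.100.23 geo=RO result=success
2025-03-02T09:40:08Z login user=bob src=198.51.100.23 geo=RO result=failure
2025-03-02T09:40:11Z login user=carol src=198.51.100.23 geo=RO result=failure
2025-03-02T11:00:00Z login user=alice src=203.0.113.7 geo=US result=success
"""

def parse_line(line):
    """Parse 'TIMESTAMP login key=value ...' into a dict (assumed log format)."""
    ts, _, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_replay(log_text, baseline_geo=("US",), window=timedelta(hours=2), burst=3):
    """Return alerts for two replay patterns:
    - an account used from a non-baseline country within `window` of a baseline
      success (failed attempts count too: replays do not always succeed);
    - one source IP trying at least `burst` distinct accounts from a non-baseline country.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_ok = {}                       # user -> time of last baseline-geo success
    accounts_by_src = defaultdict(set) # src IP -> accounts it tried from an unusual geo
    alerts = []
    for e in events:
        user, src, geo = e["user"], e["src"], e["geo"]
        if geo not in baseline_geo:
            accounts_by_src[src].add(user)
            prev = last_ok.get(user)
            if prev and e["ts"] - prev <= window:
                alerts.append(("unusual_geo_after_success", user, src, geo))
            if len(accounts_by_src[src]) == burst:
                alerts.append(("multi_account_replay", src, geo))
        elif e["result"] == "success":
            last_ok[user] = e["ts"]
    return alerts

if __name__ == "__main__":
    for alert in detect_replay(SAMPLE_LOG):
        print(alert)
```

In production the geo baseline would come from each account's own login history rather than a fixed tuple, and the alerts would feed a SIEM rule rather than stdout.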


Author: Duane Harber