Russian state-sponsored threat actors appear to be favoring misconfigurations over the exploitation of vulnerabilities for gaining access to the systems of targeted critical infrastructure organizations, according to Amazon’s threat intelligence team.
The malicious activity has been linked to the widely known Russian threat actor named Sandworm, which has led Amazon’s experts to conclude that the attacks are likely conducted by hackers associated with Russia’s GRU military intelligence agency.
Amazon has also seen some infrastructure overlaps with hackers tracked by Bitdefender as Curly COMrades, who may have been responsible for post-exploitation activities.
Over the past five years, Amazon has seen attacks aimed at energy organizations in Western nations, critical infrastructure in North America and Europe, and various types of organizations with cloud-hosted network infrastructure.
The tech giant has monitored the threat actors’ attacks between 2021 and 2025, and up until this year they often achieved initial access through the exploitation of zero-day and n-day vulnerabilities.
Examples of vulnerabilities exploited between 2021 and 2024 include the WatchGuard flaw CVE-2022-26318, Confluence flaws CVE-2021-26084 and CVE-2023-22518, and the Veeam product flaw CVE-2023-27532.
Misconfigured devices had been targeted for initial access before as well. However, starting in 2025, Amazon’s threat intelligence team has seen a decline in the exploitation of vulnerabilities and an increased focus on misconfigured network edge devices.
“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” Amazon said.
The Russian hackers have been observed targeting enterprise routers, VPN concentrators and remote access gateways, collaboration platforms, network management appliances, and project management systems.
Amazon was able to monitor attacks because the targeted network edge devices were hosted on AWS — customers’ failure to securely configure the devices made them low-hanging fruit that could be easily hacked and abused for initial access.
The attackers were also seen leveraging native packet-capture capabilities to intercept traffic from which they could collect credentials. The credentials then allowed the threat actors to conduct replay attacks against the victim’s online services and infrastructure, enabling lateral movement.
Amazon has taken steps to disrupt the campaign and notified victims.
The company has been increasingly active in the threat intelligence space in recent months. It has detailed attacks involving zero-days, malicious NPM packages, and Iranian cyber-enabled kinetic attacks.