Amazon Threat Intelligence has reported on a prolonged campaign sponsored by the Russian state that marks a significant change in tactics aimed at critical infrastructure, specifically focusing on the energy sector. This campaign has revealed that misconfigured customer network edge devices have become the primary entry point for attackers, while the exploitation of system vulnerabilities has seen a decline. This alteration in strategy allows attackers to effectively achieve their goals, such as credential harvesting and lateral movement within victim organizations, while minimizing their exposure and resource usage.

The primary targets of this campaign include energy sector organizations located in Western nations, critical infrastructure providers in North America and Europe, as well as those using cloud-hosted network infrastructure. The campaign frequently targets enterprise routers and routing infrastructure alongside VPN concentrators, remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.

C.J. Moses, Amazon’s Chief Information Security Officer (CISO), emphasized the importance of securing network edge devices and monitoring for credential replay attacks as organizations prepare for 2026. In a blog post, he aligned the observed activity with Russian intelligence operations known as Sandworm, which includes APT44 and Seashell Blizzard. Moses conveyed confidence that this campaign is linked to Russia’s Main Intelligence Directorate (GRU), stressing a sustained focus on Western critical infrastructure since 2021.

The campaign has shown extensive targeting of the energy sector’s supply chain, affecting both direct operators and third-party service providers. Initially, the attack flow involves the compromise of a customer’s network edge device hosted on AWS, where attackers utilize the device’s packet capture capabilities to harvest credentials from intercepted traffic. These harvested credentials are then replayed against the online services and infrastructure of the affected organizations, allowing the attackers to maintain persistent access and navigate laterally within the compromised networks.

From 2021 onward, Amazon’s telemetry has indicated an ongoing campaign primarily aimed at the energy sector. The tactics evolved significantly during this time. For example, exploitation of vulnerabilities in WatchGuard devices was noted between 2021 and 2022, alongside early targeting of misconfigured systems. The activities expanded through 2022 and 2023 with incidents involving Confluence vulnerabilities, including CVE-2021-26084 and CVE-2023-22518, while maintaining the focus on misconfigured devices.

By 2024, the campaign was exploiting vulnerabilities in Veeam while continuing to target misconfigured infrastructure; by 2025 the approach had shifted to focus on misconfigured edge devices, with a notable decline in reliance on vulnerability exploitation.

Amazon’s analysis attributed the compromise of these edge devices to customer misconfigurations rather than to weaknesses in AWS itself. Persistent connections from compromised EC2 instances were noted, along with systematic credential replay attacks against victim organizations’ online services. Although the specific authentication attempts observed using these credentials were unsuccessful, the pattern suggested systematic harvesting of credentials for future exploitation.

The analysis uncovered that infrastructures associated with the attackers allowed access to authentication endpoints across various critical sectors, especially within the energy industry, targeting electric utility organizations and managed service providers. The technology sector also faced threats, particularly towards collaboration platforms and source code repositories.

Moreover, Amazon Threat Intelligence identified overlaps with the activity cluster Bitdefender tracks as ‘Curly COMrades’, indicating a division of labor within a broader GRU campaign in which some clusters focus on initial access while others concentrate on host-based persistence and evasion.

Heading into 2026, organizations should take urgent action, starting with comprehensive audits of all network edge devices to identify inappropriate configurations and unexpected packet capture files. Strong authentication measures, including multi-factor authentication and the elimination of default credentials, should be implemented. Establishing anomaly detection and monitoring authentication logs will improve the detection of credential reuse. Organizations must also ensure that network device management interfaces are not exposed to the public internet and reduce the risk posed by insecure protocols.

Amazon remains committed to safeguarding its customers and the wider internet by continuously investigating and disrupting sophisticated threat actors. It has responded by identifying affected customers and facilitating rapid remediation of compromised EC2 instances, while sharing intelligence with industry partners and relevant vendors to strengthen overall security. Through these collective efforts, Amazon aims to reduce the attack surface and improve the resilience of critical infrastructure against sustained state-sponsored threats.
