Amazon Reveals Years-Long GRU Campaign Targeting Energy and Cloud Infrastructure

Amazon’s threat intelligence team has disclosed details of a multi‑year Russian state-aligned operation that went after Western critical infrastructure from 2021 through 2025.

Observed targets included energy companies across Western countries, critical infrastructure operators in North America and Europe, and organizations running network infrastructure in cloud environments. The activity is assessed with high confidence as originating from Russia’s Main Intelligence Directorate (GRU), based on infrastructure overlaps with APT44, also tracked as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear.

From a SOC perspective, the campaign stands out for relying on misconfigured customer network edge devices with exposed management interfaces as primary initial access, while the use of N-day and zero-day exploits decreased over the same period – signaling an evolution in tradecraft against critical infrastructure, according to the provider.

“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said.

The operation has been observed using the following vulnerabilities and techniques over a five‑year period –

  • 2021-2022 – Exploitation of WatchGuard Firebox and XTM vulnerability (CVE-2022-26318) combined with abuse of misconfigured edge network devices
  • 2022-2023 – Exploitation of Atlassian Confluence vulnerabilities (CVE-2021-26084 and CVE-2023-22518) plus continued focus on misconfigured edge network devices
  • 2024 – Exploitation of Veeam vulnerability (CVE-2023-27532) together with ongoing targeting of misconfigured edge network devices
  • 2025 – Continued emphasis on misconfigured edge network devices as primary access

According to Amazon, the intrusion activity systematically targeted enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-hosted project management systems.

From a defensive lens, these behaviors are consistent with large-scale credential harvesting, enabled by positioning on the network perimeter where the actor can inspect traffic and extract secrets in transit. Telemetry also surfaced coordinated attempts against misconfigured customer network edge devices running on Amazon Web Services (AWS) infrastructure.

“Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software,” Moses said. “Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”

Amazon further reports observing credential replay activity against victim organizations’ online services, used to try to deepen access into internal environments. While these replay attempts are assessed as unsuccessful in the documented cases, they reinforce the assessment that the actor is systematically harvesting credentials from compromised customer network infrastructure for follow-on operations.

The end-to-end attack sequence can be summarized as follows –

  • Compromise the customer network edge device hosted on AWS
  • Use native packet capture capabilities on the device
  • Extract credentials from captured network traffic
  • Replay harvested credentials against victim organizations’ online services and infrastructure
  • Establish durable access and pivot for lateral movement

The credential replay phase has been directed at energy providers, technology and cloud platforms, and telecommunications operators across North America, Western and Eastern Europe, and the Middle East.

“The targeting demonstrates sustained focus on the energy sector supply chain, including both direct operators and third-party service providers with access to critical infrastructure networks,” Moses noted.

Notably, the intrusion cluster also shares infrastructure overlaps (91.99.25[.]54) with another activity set tracked by Bitdefender as Curly COMrades, which is assessed to have Russia-aligned objectives since late 2023. This overlap suggests the two clusters may represent coordinated roles within a broader GRU-linked campaign.

“This potential operational division, where one cluster focuses on network access and initial compromise while another handles host-based persistence and evasion, aligns with GRU operational patterns of specialized subclusters supporting broader campaign objectives,” Moses said.

Amazon states it has identified and notified impacted customers and taken action to disrupt active operations against its cloud services. For SOC and infrastructure teams, recommended actions include auditing all network edge devices for unauthorized or unexpected packet capture tooling, enforcing strong authentication, monitoring for login attempts from anomalous geographies, and maintaining visibility into possible credential replay activity.
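As an added illustration (not code from Amazon's report or this article), the detector below applies two of the recommended checks to constructed authentication log lines: it flags an account that logs in successfully from two different geographies within a short window (consistent with replay of harvested credentials) and flags any login sourced from a watchlisted address, here the overlap IP the article quotes. The log format, field names and sample values are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (hypothetical format, not real telemetry).
SAMPLE_LOG = """\
2025-03-01T08:00:05Z user=ops.admin src=203.0.113.10 geo=US result=success
2025-03-01T08:04:40Z user=ops.admin src=198.51.100.7 geo=DE result=failure
2025-03-01T08:05:02Z user=ops.admin src=198.51.100.7 geo=DE result=success
2025-03-01T09:30:00Z user=j.doe src=203.0.113.22 geo=US result=success
2025-03-01T09:31:10Z user=svc.backup src=91.99.25.54 geo=NL result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

# Infrastructure-overlap address quoted in the article (defanged there as 91.99.25[.]54).
WATCHLIST = {"91.99.25.54"}


def parse(log):
    """Parse log lines into dicts with a timezone-aware datetime; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
            events.append(d)
    return events


def detect_replay(events, window=timedelta(minutes=30)):
    """Return (rule, user, detail) tuples for watchlist hits and cross-geo successes."""
    alerts = []
    successes_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] in WATCHLIST:
            alerts.append(("watchlist_ip", e["user"], e["src"]))
        if e["result"] != "success":
            continue  # only successful logins count as established sessions
        for prev in successes_by_user[e["user"]]:
            if prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= window:
                alerts.append(("geo_replay", e["user"], f'{prev["geo"]}->{e["geo"]}'))
                break  # one alert per event is enough
        successes_by_user[e["user"]].append(e)
    return alerts
```

Running `detect_replay(parse(SAMPLE_LOG))` yields one geo_replay alert for ops.admin (US->DE within five minutes) and one watchlist_ip alert for svc.backup.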
