Russia’s GRU hackers targeting misconfigured network edge devices in attacks on energy sector, Amazon says
Summary
Amazon Integrated Security researchers have identified a years-long campaign by a Russian state-linked hacking group (APT44, also known as Sandworm/Seashell Blizzard) that has shifted tactics. From 2021 onwards the group exploited a series of software vulnerabilities; by 2025 it increasingly targeted misconfigured network edge devices hosted by customers on AWS as its primary initial access vector. Amazon detected the activity via its MadPot honeypots and reported coordinated operations against customer edge devices, particularly within Western critical infrastructure and the energy sector.
The attackers harvested credentials from intercepted traffic, used those credentials against victim services, and established persistent access for lateral movement. Amazon said the incidents were due to customer misconfiguration rather than an AWS platform weakness, and it notified affected customers and shared findings with partners and vendors.
Key Points
- Amazon tracked APT44 (Sandworm) activity from 2021 and observed a tactical shift in 2025 to exploiting misconfigured network edge devices hosted on AWS.
- The campaign targeted Western critical infrastructure with a focus on the energy sector, including electric utilities, energy providers and related managed security providers.
- Attackers used compromised edge devices to harvest credentials from intercepted traffic, then moved laterally into victim services and infrastructure.
- Previously exploited CVEs included vulnerabilities affecting WatchGuard firewalls, Atlassian Confluence, and Veeam products; by 2025 the focus moved to exposed management interfaces and misconfigurations.
- Amazon attributes the success of this pivot to attackers seeking lower-cost, lower-risk access methods as defenders improved vulnerability management and detection.
- Industry experts warn configuration security has been treated as housekeeping and must be elevated to a core security control to reduce exposure to ‘low-hanging fruit’ attacks.
Context and relevance
This report highlights an important evolution in threat actor behaviour: rather than investing in novel exploits, sophisticated actors are increasingly abusing human and operational errors — misconfigured devices and exposed management interfaces — to gain footholds in critical sectors. For organisations in energy, telecoms and managed service providers this is a reminder that patching alone isn’t enough; secure configuration and monitoring of edge appliances and cloud-hosted appliances are now frontline defences.
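As an added example (not code from Amazon or The Record), one concrete check behind the "exposed management interfaces" point: it walks security-group rules in the layout returned by `aws ec2 describe-security-groups` and flags management ports reachable from 0.0.0.0/0 or ::/0. The sample groups and the management-port list are constructed assumptions to tune for your own edge appliances.

```python
# Added example, not Amazon's or The Record's code: audit AWS security-group rules
# for management ports open to the whole internet. Rule layout mirrors IpPermissions
# from `aws ec2 describe-security-groups`; sample data and port list are assumptions.
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Ports that commonly front an appliance's admin interface (assumed list).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 3389: "rdp",
                    8080: "http-admin", 8443: "https-admin"}

def exposed_management_rules(security_groups):
    """Return (group_id, port, service, cidr) for each rule that lets any
    address reach a management port. Protocol "-1" means all traffic and
    carries no FromPort/ToPort, so it is treated as the full port range."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if c in (ANY_V4, ANY_V6)]
            if not open_cidrs:
                continue
            if perm.get("IpProtocol") == "-1":
                low, high = 0, 65535
            elif perm.get("IpProtocol") in ("tcp", "udp"):
                low, high = perm["FromPort"], perm["ToPort"]
            else:
                continue  # icmp and friends carry no management service
            for port, service in MANAGEMENT_PORTS.items():
                if low <= port <= high:
                    for cidr in open_cidrs:
                        findings.append((sg["GroupId"], port, service, cidr))
    return findings

# Constructed sample: an edge firewall exposing SSH and an admin-UI port range,
# an all-open group, and a group correctly limited to a corporate range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-edge-fw", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-corp-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

print(*exposed_management_rules(SAMPLE_GROUPS), sep="\n")
```

Feeding the real `describe-security-groups` output (the `SecurityGroups` list) to the function in place of `SAMPLE_GROUPS` gives the same findings for a live account.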
Why should I read this?
Short answer: because attackers are skipping the fancy zero-day work and picking the stuff you probably forgot to lock down. If you run or secure network edge kit (especially in the energy sector or on cloud hosts), this is directly relevant — it shows where the real risk currently sits and what adversaries are prioritising.
Author style
Punchy: this is a wake-up call. The story isn’t just another vuln list — it shows a strategic pivot by a GRU-linked group toward the simplest, most effective routes in. If you care about infrastructure resilience, read the details and check your edge devices now.
Source
Source: https://therecord.media/russia-gru-hackers-target-energy-sector-sandworm
