Amazon security boss blames Russia’s GRU for years-long energy-sector hacks
Summary
Amazon’s CISO CJ Moses says Russia’s GRU has run a sustained campaign since 2021 targeting Western critical infrastructure — particularly the energy sector — by compromising misconfigured network edge devices and cloud-hosted virtual appliances on AWS. Attackers exploited known CVEs (WatchGuard CVE-2022-26318, Confluence CVE-2021-26084 & CVE-2023-22518, Veeam CVE-2023-27532), used packet capture and traffic analysis to gather credentials, and attempted credential-replay against online services. Amazon reports it has been disrupting the campaign, notifying affected customers, remediating compromised EC2 instances and sharing intelligence with partners and law enforcement.
Key Points
- Amazon attributes a years-long campaign (2021–present) against energy, telecoms and tech suppliers to Russia’s GRU.
- Attackers focused on misconfigured network edge devices and virtual appliances hosted in AWS, gaining persistent access to EC2 instances running appliance software.
- Known exploited vulnerabilities include CVE-2022-26318 (WatchGuard), CVE-2021-26084 and CVE-2023-22518 (Confluence), and CVE-2023-27532 (Veeam).
- Amazon observed credential-replay attempts; packet capture/traffic analysis is suspected as the credential-harvesting method.
- There is overlap with activity tracked as Curly COMrades, suggesting a possible operational division consistent with GRU patterns.
- AWS says it has been “continually disrupting” operations by notifying customers, remediating instances and sharing intel.
- Immediate recommended actions: audit network edge devices, review authentication logs for credential reuse, and monitor appliance admin sessions from unexpected IPs.
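As an added illustration of the last two recommended actions (not code from Amazon's report or The Register's article), the Python triage script below scans appliance authentication logs for one account authenticating from several source IPs in a short window (a credential-reuse/replay indicator) and for admin sessions from IPs outside the expected management ranges. The log format, the sample lines and the management ranges are all constructed for the example.

```python
# Added triage example (not Amazon's or The Register's code): scan constructed
# appliance auth-log lines for the two indicators the summary recommends
# hunting: one account authenticating from several source IPs in a short
# window (credential reuse/replay) and admin sessions from unexpected IPs.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Management ranges admin sessions are expected from (assumed values).
EXPECTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                       ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log: "<ISO time> <result> user=<account> src=<ip>".
SAMPLE_LOG = """\
2025-12-01T08:00:10Z LOGIN_OK user=fwadmin src=10.20.5.7
2025-12-01T08:03:41Z LOGIN_OK user=fwadmin src=198.51.100.23
2025-12-01T08:04:02Z LOGIN_OK user=fwadmin src=192.0.2.77
2025-12-01T09:15:00Z LOGIN_OK user=netops src=203.0.113.9
2025-12-01T22:47:13Z LOGIN_OK user=netops src=192.0.2.200
2025-12-02T03:10:55Z LOGIN_FAIL user=backup src=192.0.2.77
"""

def successful_logins(log_text):
    """Yield (timestamp, user, source_ip) for LOGIN_OK lines only."""
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        if result == "LOGIN_OK":
            yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   user.split("=", 1)[1],
                   ipaddress.ip_address(src.split("=", 1)[1]))

def find_unexpected_admin_sessions(log_text):
    """Successful logins whose source lies outside the expected ranges."""
    return [(user, str(src)) for _, user, src in successful_logins(log_text)
            if not any(src in net for net in EXPECTED_ADMIN_NETS)]

def find_credential_reuse(log_text, window=timedelta(minutes=10), min_ips=3):
    """Accounts seen from >= min_ips distinct source IPs inside one window."""
    by_user = defaultdict(list)
    for ts, user, src in successful_logins(log_text):
        by_user[user].append((ts, src))
    flagged = set()
    for user, events in by_user.items():
        events.sort()  # sort by timestamp so each window scan is forward-only
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged.add(user)
    return sorted(flagged)
```

On the sample data only fwadmin trips the reuse rule (three IPs in four minutes), while the unexpected-source rule also surfaces the single out-of-hours netops session; tune the window, threshold and ranges to the appliance fleet being reviewed.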
Content Summary
The Amazon threat report outlines a persistent, evolving GRU campaign aimed at Western critical infrastructure, with a sustained focus on the energy sector. Rather than relying solely on zero-days, the attackers increasingly exploit misconfigurations in network edge devices and common enterprise software — a tactic that reduces the risk of detection. Compromised appliances running as virtual instances in AWS have been used to maintain persistent access, while attackers attempt to leverage harvested credentials elsewhere. Amazon links some infrastructure used in this activity to threats tracked by other vendors and provides concrete mitigations for organisations and OT owners.
Context and Relevance
This is important because many organisations run network appliances as virtual instances in the cloud, and misconfigurations remain a prevalent, high-impact attack vector. The explicit targeting of energy-sector suppliers elevates this from routine cybercrime to an issue with national-security implications: long-term access could be used for reconnaissance or disruptive operations. The report follows recent joint guidance from US and international agencies, so operators should treat Amazon’s recommendations as part of an urgent, industry-wide push to harden critical networks going into 2026.
Author note
Punchy: This isn’t background noise. Amazon maps a methodical, long-running GRU campaign and gives hands-on steps you can act on now. If you look after cloud-hosted network kit or OT, this piece amplifies why you should prioritise fixes.
Why should I read this?
Look — if your job touches networks, cloud or critical infrastructure, this saves you time. It flags a real, ongoing GRU campaign, shows how they get in (misconfigs and packet capture) and lists immediate steps to reduce risk. Read it so you don’t get caught out.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2025/12/15/amazon_ongoing_gru_campaign/
