Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure
Summary:
Amazon Threat Intelligence has reported on a years-long campaign, active from 2021 through 2025, conducted by a Russian state-sponsored actor strongly assessed to be Sandworm (also tracked as APT44 and Seashell Blizzard) and linked to the GRU. The group has significantly evolved its tactics, techniques, and procedures against Western critical infrastructure, particularly the energy sector. The most notable change is in the initial access vector: rather than spending resources on exploiting N-day and zero-day vulnerabilities, the actor targets misconfigured network edge devices whose management interfaces are exposed to the internet. Once on a compromised customer edge device, often one hosted on a cloud platform such as AWS, the actor uses that vantage point to intercept user authentication traffic and harvest credentials. It then replays those credentials, systematically, against the victim organization's online services and infrastructure to move laterally and establish persistent access. This approach reduces the actor's exposure and resource expenditure while achieving the same strategic objectives.
Security Officer Comments:
The shift in TTPs highlights the actor's focus on operational efficiency and risk reduction. By gaining initial access through simple customer misconfigurations rather than vulnerability exploitation, the actor lowers the chance that its tradecraft or zero-day capabilities are exposed, and it demonstrates how common network hygiene failures ("low-hanging fruit") can be turned into high-impact compromises. The credential access technique is strongly assessed to be packet capture on the compromised device: the gap between device compromise and first use of the credentials is consistent with passive collection of authentication traffic, and that collection yields high-value organizational credentials rather than only the device's own. The systematic credential replay against energy, technology/cloud, and telecommunications targets across North America, Europe, and the Middle East underscores a broad strategic objective of persistent access to critical infrastructure supply chains. The reported infrastructure overlap with "Curly COMrades" suggests possible task specialization within the GRU operation: one subcluster may focus on network-centric initial access and the cloud pivot, feeding high-value access to another cluster responsible for host-based persistence and evasion, a division of labor typical of advanced persistent threat operations.
Suggested Corrections:
Immediate priority actions for 2026
Organizations should proactively monitor for evidence of this activity pattern:
1. Network edge device audit
- Audit all network edge devices for unexpected packet capture files or utilities.
- Review device configurations for exposed management interfaces.
- Implement network segmentation to isolate management interfaces.
- Enforce strong authentication (eliminate default credentials, implement MFA).
2. Credential replay detection
- Review authentication logs for credential reuse between network device management interfaces and online services.
- Monitor for authentication attempts from unexpected geographic locations.
- Implement anomaly detection for authentication patterns across your organization’s online services.
- Review extended time windows following any suspected device compromise for delayed credential replay attempts.
3. Access monitoring
- Monitor for interactive sessions to router/appliance administration portals from unexpected source IPs.
- Examine whether network device management interfaces are inadvertently exposed to the internet.
- Audit for plain text protocol usage (Telnet, HTTP, unencrypted SNMP) that could expose credentials.
4. IOC review
- Energy sector organizations and critical infrastructure operators should prioritize reviewing access logs for authentication attempts from the IOCs published alongside the report.
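The replay checks in items 2 and 3 above (at-risk accounts, unexpected source locations, and an extended window after device compromise) can be run as one pass over exported authentication logs. The following is an added example, not code from the Amazon report or the linked article: it takes a record of which edge devices are believed compromised and when, which accounts authenticated through each device afterwards, and the organization's expected login sources, and flags later logins by those accounts from untrusted sources. The device names, account names, IP ranges, country codes, the pipe-delimited log format and every log line are constructed for illustration; the 365-day window is an assumption chosen to cover the long delays the report describes.

```python
"""Delayed credential-replay detection over authentication logs.

Added example; assumptions (all constructed for illustration):
  * DEVICE_COMPROMISES: edge devices believed compromised, when, and which
    accounts authenticated through them afterwards (so may have been captured).
  * TRUSTED_NETS / EXPECTED_COUNTRIES: where legitimate logins normally originate.
  * SAMPLE_AUTH_LOG: a pipe-delimited export of online-service auth events.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# --- Constructed inputs (hypothetical names and documentation-range IPs) -----
DEVICE_COMPROMISES = {
    "edge-fw-01": {
        # When the exposed management interface is believed to have been taken over.
        "compromised_at": datetime(2025, 3, 2, 11, 0, tzinfo=timezone.utc),
        # Accounts whose authentication traffic transited this device afterwards
        # (e.g. from VPN/proxy logs); these credentials are at risk of capture.
        "accounts_in_path": {"j.doe", "ops-admin", "scada-svc"},
    },
}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_COUNTRIES = {"US", "CA"}

# Format: timestamp|service|user|source_ip|country|result  (constructed lines)
SAMPLE_AUTH_LOG = """\
2025-02-15T10:00:00Z|m365|j.doe|192.0.2.77|NL|success
2025-03-01T09:12:00Z|vpn|j.doe|203.0.113.10|US|success
2025-03-03T02:00:00Z|m365|j.doe|192.0.2.77|NL|success
2025-03-20T23:41:00Z|okta|ops-admin|192.0.2.77|NL|failure
2025-03-20T23:42:10Z|okta|ops-admin|192.0.2.77|NL|success
2025-05-14T04:05:00Z|vpn|scada-svc|198.51.100.5|US|success
2025-09-30T01:00:00Z|aws-console|scada-svc|192.0.2.91|DE|success
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    service: str
    user: str
    src_ip: IPAddress
    country: str
    result: str


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the pipe-delimited export; timestamps are UTC ISO-8601 ending in 'Z'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, user, ip, country, result = line.split("|")
        events.append(AuthEvent(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            service=service, user=user,
            src_ip=ipaddress.ip_address(ip),
            country=country, result=result,
        ))
    return events


def is_trusted_source(ip: IPAddress, country: str) -> bool:
    """Corporate/VPN egress ranges or an expected country are treated as normal."""
    return any(ip in net for net in TRUSTED_NETS) or country in EXPECTED_COUNTRIES


def find_replay_candidates(events, compromises, window=timedelta(days=365)):
    """Flag logins (successful or failed) by at-risk accounts from untrusted
    sources inside the extended window after the device compromise. The window
    is deliberately long: captured credentials may sit unused for months."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        for device, info in compromises.items():
            if ev.user not in info["accounts_in_path"]:
                continue
            t0 = info["compromised_at"]
            if not (t0 <= ev.ts <= t0 + window):
                continue  # before compromise, or outside the review window
            if is_trusted_source(ev.src_ip, ev.country):
                continue
            findings.append({
                "device": device, "lag_days": (ev.ts - t0).days,
                "user": ev.user, "service": ev.service,
                "src_ip": str(ev.src_ip), "country": ev.country,
                "result": ev.result,
            })
    return findings


def sources_hitting_multiple_accounts(findings):
    """One external IP replaying several captured accounts is the systematic
    replay signature; a single-account hit may just be travel."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["src_ip"], set()).add(f["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = find_replay_candidates(parse_auth_log(SAMPLE_AUTH_LOG), DEVICE_COMPROMISES)
    for h in hits:
        print(f"[{h['device']}] +{h['lag_days']:>3}d {h['user']:<10} "
              f"{h['service']:<12} {h['src_ip']:<14} {h['country']} {h['result']}")
    print("systematic sources:", sources_hitting_multiple_accounts(hits))
```

On the constructed log the pass ignores the pre-compromise and corporate-range logins, flags the two early logins from the Dutch IP, the failed and successful Okta attempts against ops-admin from the same IP, and a console login 211 days later from Germany, and reports 192.0.2.77 as a source replaying more than one captured account. In production the accounts_in_path set would come from the device's own VPN or proxy logs, and the trusted-source rule should be tightened to whatever your identity provider already knows about managed devices and usual locations.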
Link(s):
https://thehackernews.com/2025/12/amazon-exposes-years-long-gru-cyber.html