Amazon confirms years-long Russian cyberattack against AWS and its users

Amazon Web Services (AWS), Amazon’s cloud web hosting platform which provides online services to millions of customers, has been under attack by Russian state actors for 5 years, according to a new update from the company.

Earlier this week, Amazon Threat Intelligence shared an update to the AWS website that detailed the years-long cyber attack campaign against the platform by a Russian cyber threat group. Amazon’s team dissected the attack and discovered a link to a threat actor known as Sandworm, which is associated with Russia’s GRU military intelligence agency.

“The campaign demonstrates sustained focus on Western critical infrastructure, particularly the energy sector, with operations spanning 2021 through the present day,” CJ Moses of Amazon Threat Intelligence said in the post.

According to Amazon, the attack focused on “energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and organizations with cloud-hosted network infrastructure.” Amazon says the campaign targeted “‘low-hanging fruit’ of likely misconfigured customer devices” which likely enabled the attacks to continue on for so long.

Moses says that this attack “represents a significant evolution in critical infrastructure targeting” and called it a “tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined.”

Basically, as much as Amazon can do to patch exploits, the threat will continue to exist in some form because the bad actors are weaponizing misconfigured devices on the end of AWS’ customers.

Amazon says it has immediately remediated compromised infrastructure and notified affected customers. Going into the new year, Amazon is recommending that its customers monitor and audit network devices and remain vigilant as attacks are ongoing.