Amazon’s threat intelligence team has disclosed details of a “years-long” Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025.
Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure. The activity has been attributed with high confidence to the GRU-affiliated APT44, which is also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear.
The activity is notable for using as initial access vectors misconfigured customer network edge devices with exposed management interfaces, as N-day and zero-day vulnerability exploitation activity declined over the time period – indicative of a shift in attacks aimed at critical infrastructure, the tech giant said.
“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said.
The attacks have been found to leverage the following vulnerabilities and tactics over the course of five years –
- 2021-2022 – Exploitation of WatchGuard Firebox and XTM flaw (CVE-2022-26318) and targeting of misconfigured edge network devices
- 2022-2023 – Exploitation of Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518) and continued targeting of misconfigured edge network devices
- 2024 – Exploitation of Veeam flaw (CVE-2023-27532) and continued targeting of misconfigured edge network devices
- 2025 – Sustained targeting of misconfigured edge network devices
The intrusion activity, per Amazon, singled out enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.
These efforts are likely designed to facilitate credential harvesting at scale, given the threat actor’s ability to position themselves strategically on the network edge to intercept sensitive information in transit. Telemetry data has also uncovered what has been described as coordinated attempts aimed at misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure.
“Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software,” Moses said. “Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”
In addition, Amazon said it observed credential replay attacks against victim organizations’ online services as part of attempts to obtain a deeper foothold into targeted networks. Although these attempts are assessed to be unsuccessful, they lend weight to the aforementioned hypothesis that the adversary is grabbing credentials from compromised customer network infrastructure for follow-on attacks.
The entire attack plays out as follows –
- Compromise the customer network edge device hosted on AWS
- Leverage native packet capture capability
- Gather credentials from intercepted traffic
- Replay credentials against the victim organizations’ online services and infrastructure
- Establish persistent access for lateral movement
The credential replay operations have targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East.
“The targeting demonstrates sustained focus on the energy sector supply chain, including both direct operators and third-party service providers with access to critical infrastructure networks,” Moses noted.
Interestingly, the intrusion set also shares infrastructure overlaps with another cluster tracked by Bitdefender under the name Curly COMrades, which is believed to be operating with interests that are aligned with Russia since late 2023. This has raised the possibility that the two clusters may represent complementary operations within a broader campaign undertaken by GRU.
“This potential operational division, where one cluster focuses on network access and initial compromise while another handles host-based persistence and evasion, aligns with GRU operational patterns of specialized subclusters supporting broader campaign objectives,” Moses said.
Amazon said it identified and notified affected customers, as well as disrupted active threat actor operations targeting its cloud services. Organizations are recommended to audit all network edge devices for unexpected packet capture utilities, implement strong authentication, monitor for authentication attempts from unexpected geographic locations, and keep tabs on credential replay attacks.
