Threat Intelligence | December 17, 2025 | 3 min read

Amazon Disrupts Multi-Year Russian GRU Campaign Targeting Energy Sector

Amazon's threat intelligence team exposes and disrupts Sandworm operations targeting Western critical infrastructure through misconfigured edge devices.

Alex Kowalski

Amazon's threat intelligence team has disrupted active operations conducted by Russian military intelligence hackers targeting Western critical infrastructure, particularly organizations in the energy sector. The campaign, attributed to the notorious APT44 group also known as Sandworm or Seashell Blizzard, represents a significant tactical evolution in how Russian state-sponsored actors pursue their objectives.

A Multi-Year Campaign Exposed

The operation spans from 2021 through 2025, demonstrating the persistence and long-term strategic focus characteristic of Russian intelligence services. According to Amazon's analysis, the threat actors initially relied on exploiting vulnerabilities in products including WatchGuard, Confluence, and Veeam to gain initial footholds in target networks.

However, the campaign evolved significantly over time. Amazon's CISO CJ Moses noted that the attackers shifted their approach, moving away from sophisticated zero-day exploits toward targeting "the low-hanging fruit of likely misconfigured customer devices." This tactical pivot allowed them to achieve persistent access and credential harvesting objectives with less operational risk.

Targeting Methodology

The threat actors concentrated their efforts on enterprise network infrastructure, including:

  • Enterprise routers and VPN gateways
  • Network management appliances
  • Collaboration platforms
  • Cloud-based project management solutions

Specifically, the campaign targeted customer-managed network appliances hosted on AWS EC2 instances. Evidence gathered by Amazon's researchers suggests the attackers conducted passive packet capture and traffic interception on the compromised appliances to harvest credentials and sensitive data flowing through them.

The group also leveraged legitimate compromised servers to proxy malicious traffic, making attribution and detection significantly more challenging for defenders.

Attribution and Actor Profile

Amazon assesses with high confidence that the attacks were conducted by Sandworm operatives, a unit within Russia's GRU military intelligence agency. The group has a long history of conducting destructive cyberattacks, including the NotPetya campaign that caused billions of dollars in global damages and multiple attacks against Ukrainian critical infrastructure.

The investigation revealed that the operation may involve multiple specialized subclusters working in coordination. One such group, tracked as "Curly COMrades," appears to handle post-compromise activities after initial access teams establish footholds.

Why This Matters

The shift from zero-day exploitation to targeting misconfigurations represents an important tactical evolution. While zero-days provide stealthy access, they are expensive to develop and quickly lose value once detected. Misconfigurations, by contrast, are abundant, persistent, and often go unnoticed even by security-conscious organizations.

For critical infrastructure operators, this means that basic security hygiene—properly configuring network devices, segmenting networks, and monitoring for anomalous traffic—has become just as important as patching against the latest vulnerabilities.

Recommended Mitigations

Amazon has provided several recommendations for organizations concerned about similar targeting:

Immediate Actions:

  • Conduct comprehensive audits of network edge devices and their configurations
  • Review and restrict administrative access to network appliances
  • Enable multi-factor authentication on all management interfaces

Detection and Monitoring:

  • Implement credential replay monitoring to detect stolen credential usage
  • Enable AWS CloudTrail for comprehensive logging of API activity
  • Deploy GuardDuty for threat detection across AWS environments
  • Configure VPC Flow Logs to capture network traffic metadata

Long-term Improvements:

  • Implement network segmentation to limit lateral movement opportunities
  • Deploy endpoint detection and response (EDR) solutions on critical systems
  • Establish baseline traffic patterns to identify anomalous communications
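The VPC Flow Logs item under Detection and Monitoring and the traffic-baseline item above can be combined into one simple detector. The following is an added example, not Amazon's code or tooling: it parses default-format VPC Flow Log records, learns which destinations a monitored appliance normally reaches during a baseline window, and reports accepted egress to destinations outside that baseline together with the bytes sent. The appliance address, account id, interface id and every log line are constructed samples.

```python
from collections import defaultdict

# Field order of a default-format AWS VPC Flow Log record (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
MONITORED_IP = "10.0.1.10"  # hypothetical customer-managed appliance on EC2

# Constructed sample records (not real data): a baseline window, then a later window
# in which the appliance starts sending large volumes to a previously unseen host.
BASELINE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.21 51001 443 6 18 3600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.5 10.0.1.10 40000 22 6 10 1200 1700000000 1700000060 ACCEPT OK
"""
OBSERVED_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51010 443 6 22 4400 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.45 51011 443 6 900 1350000 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.45 51012 443 6 850 1200000 1700086460 1700086520 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 51013 8080 6 5 400 1700086400 1700086460 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700086400 1700086460 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per OK record; NODATA/SKIPDATA rows carry '-' placeholders and are skipped."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
                rec[key] = int(rec[key])
            yield rec

def egress_key(rec):
    return (rec["dstaddr"], rec["dstport"], rec["protocol"])

def build_baseline(text, monitored_ip=MONITORED_IP):
    """Destination tuples the appliance is known to reach during the baseline window."""
    return {egress_key(r) for r in parse_flow_log(text)
            if r["srcaddr"] == monitored_ip and r["action"] == "ACCEPT"}

def find_anomalous_egress(text, baseline, monitored_ip=MONITORED_IP):
    """Bytes sent per accepted destination tuple that is absent from the baseline."""
    totals = defaultdict(int)
    for r in parse_flow_log(text):
        if r["srcaddr"] == monitored_ip and r["action"] == "ACCEPT" and egress_key(r) not in baseline:
            totals[egress_key(r)] += r["bytes"]
    return dict(totals)  # -> {("203.0.113.45", 443, 6): 2550000} for the samples above
```

Rejected flows are left out of the baseline and of the alerts on purpose, since a security group already blocked them; in production the baseline window would be built from several days of logs rather than a single interval.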

The disruption of this campaign demonstrates the value of threat intelligence sharing between private sector organizations and affected customers. However, given Sandworm's track record and resources, security teams should assume that similar operations are ongoing and prepare their defenses accordingly.
