Amazon Threat Intelligence detailed a prolonged Russian state-sponsored campaign that marked a notable shift in tactics for targeting critical infrastructure, with a particular focus on the energy sector. In this evolution, misconfigured customer network edge devices have become the primary entry point, while the exploitation of vulnerabilities has decreased. The shift allows the attackers to achieve similar operational objectives, such as credential harvesting and lateral movement into victim organizations’ online services and infrastructure, while minimizing their exposure and resource consumption.
The main targets of the campaign are energy sector organizations in Western nations, critical infrastructure providers in North America and Europe, and organizations utilizing cloud-hosted network infrastructure. The campaign commonly targets enterprise routers and routing infrastructure. It also focuses on VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.
“Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat,” C.J. Moses, CISO of Amazon Integrated Security, wrote in an AWS Blogs post this week. “Based on infrastructure overlaps with known Sandworm (also known as APT44 and Seashell Blizzard) operations observed in Amazon’s telemetry and consistent targeting patterns, we assess with high confidence this activity cluster is associated with Russia’s Main Intelligence Directorate (GRU).”
He added that the campaign demonstrates sustained focus on Western critical infrastructure, particularly the energy sector, with operations spanning 2021 through the present day.
Moses highlighted that the targeting demonstrates a sustained focus on the energy sector supply chain, including both direct operators and third-party service providers with access to critical infrastructure networks. He explained that the campaign flow begins with the compromise of a customer network edge device hosted on AWS.
The attackers then leverage the native packet capture capability of the device to harvest credentials from intercepted traffic. These credentials are subsequently replayed against the victim organizations’ online services and infrastructure. Finally, the attackers establish persistent access, allowing for lateral movement within the compromised networks.
Amazon Threat Intelligence observed sustained targeting of global infrastructure between 2021 and 2025, with a particular focus on the energy sector. Over this period, the campaign showed a clear and deliberate evolution in tactics.
Between 2021 and 2022, Amazon MadPot detected exploitation of WatchGuard devices through CVE-2022-26318, alongside early signs of targeting misconfigured devices. During 2022 and 2023, the activity expanded to include the exploitation of Confluence vulnerabilities, including CVE-2021-26084 and CVE-2023-22518, while misconfigured device targeting continued.
In 2024, the campaign exploited Veeam using CVE-2023-27532, again without abandoning its focus on misconfigured infrastructure. By 2025, the activity had shifted further, with sustained targeting of misconfigured customer network edge devices and a noticeable decline in the use of N-day and zero-day vulnerability exploitation.
Moses highlighted that Amazon’s telemetry reveals coordinated operations against customer network edge devices hosted on AWS. “This was not due to a weakness in AWS; these appear to be customer misconfigured devices. Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software. Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”
“Beyond direct victim infrastructure compromise, we observed systematic credential replay attacks against victim organizations’ online services,” Moses added. “In observed instances, the actor compromised customer network edge devices hosted on AWS, then subsequently attempted authentication using credentials associated with the victim organization’s domain against their online services. While these specific attempts were unsuccessful, the pattern of device compromise followed by authentication attempts using victim credentials supports our assessment that the actor harvests credentials from compromised customer network infrastructure for replay against target organizations’ online services.”
Actor infrastructure accessed the authentication endpoints of multiple organizations across critical sectors through 2025. In the energy sector, the campaign targeted electric utility organizations, energy providers, and managed security service providers specializing in energy sector clients. In the technology and cloud services sector, the focus was on collaboration platforms and source code repositories. Telecom providers across multiple regions were also targeted.
Amazon Threat Intelligence identified threat actor infrastructure overlap with a group Bitdefender tracks as ‘Curly COMrades.’ The assessment suggests that these may represent complementary operations within a broader GRU campaign. Bitdefender’s reporting highlighted post-compromise host-based tradecraft, including Hyper-V abuse for EDR evasion and the use of custom implants such as CurlyShell and CurlCat. Amazon’s telemetry provided insight into the initial access vectors and the methodology used for pivoting within cloud environments.
Moses wrote, “This potential operational division, where one cluster focuses on network access and initial compromise while another handles host-based persistence and evasion, aligns with GRU operational patterns of specialized subclusters supporting broader campaign objectives.”
Immediate priority actions for 2026 should focus on proactively monitoring for this activity pattern across the organization. This begins with a thorough audit of all network edge devices to identify any unexpected packet capture files or utilities and to review configurations for exposed management interfaces. Organizations should isolate management interfaces through proper network segmentation and enforce strong authentication by eliminating default credentials and implementing multi-factor authentication.
Credential replay detection is also critical. Security teams should review authentication logs for signs of credential reuse between network device management interfaces and online services, monitor for login attempts originating from unexpected geographic locations, and deploy anomaly detection to identify unusual authentication patterns across online services. Extended monitoring periods are essential after any suspected device compromise to catch delayed credential replay attempts.
Access monitoring should include tracking interactive sessions to router and appliance administration portals, especially those originating from unexpected source IP addresses. Organizations should verify that network device management interfaces are not inadvertently exposed to the internet and audit for the use of plain-text protocols such as Telnet, HTTP, or unencrypted SNMP that could leak credentials.
Finally, energy sector organizations and other critical infrastructure operators should prioritize reviewing access logs and indicators of compromise, with a particular focus on authentication attempts that may signal ongoing or follow-on activity.
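The credential replay detection described above, worked through as an added example (not Amazon's or the article's code) over constructed log lines: an admin-portal login to a network appliance from outside the assumed management range marks the suspected compromise time, and any later online-service authentication attempt from an IP that the account never used before that point is flagged as a replay candidate. The log format, the management ranges and the watch window are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (not from the article): "ISO-time source-ip account event".
DEVICE_ADMIN_LOG = [
    "2025-03-01T08:02:11Z 10.20.0.5 netops-admin login_success",
    "2025-03-01T08:40:37Z 198.51.100.77 netops-admin login_success",  # unexpected source IP
    "2025-03-01T08:41:02Z 198.51.100.77 netops-admin pcap_started",   # capture utility used
]
ONLINE_SERVICE_AUTH_LOG = [
    "2025-02-20T11:05:00Z 192.0.2.44 alice@example.org login_success",   # alice's usual IP
    "2025-03-01T09:10:45Z 10.20.0.5 alice@example.org login_success",    # management net
    "2025-03-02T22:15:09Z 203.0.113.9 netops-admin login_failure",       # replay candidate
    "2025-03-05T03:44:51Z 203.0.113.9 alice@example.org login_failure",  # replay candidate
    "2025-03-06T09:00:00Z 192.0.2.44 alice@example.org login_success",   # known IP, ignored
]
MANAGEMENT_NETS = [ip_network("10.20.0.0/16")]  # assumed allowed management source ranges
REPLAY_WINDOW = timedelta(days=30)              # extended watch period after compromise

def parse(lines):
    return [(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), ip, acct, ev)
            for t, ip, acct, ev in (line.split() for line in lines)]

def from_management_net(ip):
    return any(ip_address(ip) in net for net in MANAGEMENT_NETS)

def unexpected_admin_sessions(device_log):
    """Interactive admin-portal logins from outside the management ranges."""
    return [e for e in parse(device_log)
            if e[3] == "login_success" and not from_management_net(e[1])]

def credential_replay_candidates(device_log, service_log):
    """After the first unexpected device session, flag online-service auth attempts
    (successful or not) from an IP that is neither a management address nor one
    the account used before the suspected compromise."""
    suspicious = unexpected_admin_sessions(device_log)
    if not suspicious:
        return []
    t0 = min(e[0] for e in suspicious)
    events = parse(service_log)
    baseline = {}  # account -> source IPs seen before the suspected compromise
    for ts, ip, acct, _ in events:
        if ts < t0:
            baseline.setdefault(acct, set()).add(ip)
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), ip, acct, ev)
            for ts, ip, acct, ev in events
            if t0 <= ts <= t0 + REPLAY_WINDOW
            and not from_management_net(ip)
            and ip not in baseline.get(acct, set())]
```

Failed attempts are kept deliberately, since the article notes the observed replay attempts were unsuccessful yet still evidenced harvested credentials.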
Amazon remains committed to protecting customers and the broader internet ecosystem by actively investigating and disrupting sophisticated threat actors. As part of its immediate response, the company identified and notified affected customers whose network appliance resources had been compromised. It also enabled rapid remediation of impacted EC2 instances and shared relevant intelligence with industry partners and affected vendors. In addition, Amazon reported its observations to network appliance vendors to support ongoing security investigations.
Through these coordinated efforts, Amazon has disrupted active threat actor operations since the activity was first identified and reduced the available attack surface for this specific threat activity subcluster. The company stated it will continue working closely with the security community to share intelligence and collectively defend against state-sponsored threats targeting critical infrastructure.
Earlier this month, Amazon disclosed observing active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda, within hours of the public disclosure of CVE-2025-55182 (React2Shell) on Dec. 3, 2025. The critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0, affecting React versions 19.x and Next.js versions 15.x and 16.x when using App Router.