Amazon Exposes Long-Running Sandworm Cyber Campaign Targeting Western Critical Infrastructure

Listen to this Post

Featured ImageIntroduction: A Quiet but Dangerous Shift in Russian Cyber Warfare

Western critical infrastructure has spent years preparing for headline-grabbing zero-day exploits and sophisticated malware campaigns. Yet new intelligence from Amazon Threat Intelligence reveals a far more subtle and arguably more dangerous evolution in Russian state-sponsored cyber operations. Instead of chasing complex vulnerabilities, Russian military-linked hackers are increasingly exploiting something far more common and overlooked: misconfigured network devices.

This campaign, active since at least 2021 and still ongoing, reflects a strategic shift by Russia’s Main Intelligence Directorate (GRU). By abusing weak configurations rather than advanced exploits, attackers reduce operational risk, improve stealth, and preserve long-term access to sensitive environments. The findings highlight a growing blind spot in Western cyber defense strategies—one that defenders must urgently address as 2026 approaches.

Amazon’s Discovery of a Persistent GRU Campaign

Amazon Threat Intelligence has uncovered a sustained cyber espionage operation attributed with high confidence to the GRU’s notorious Sandworm unit, also known as APT44 or Seashell Blizzard. This group has a long history of disruptive cyber operations, including attacks on Ukrainian power grids and destructive malware campaigns across Europe.

The newly revealed activity demonstrates a more restrained but deeply strategic approach. Rather than deploying destructive payloads, the attackers focused on persistent access, credential harvesting, and long-term surveillance of critical infrastructure networks.

Amazon’s telemetry revealed infrastructure overlap between this campaign and a previously documented operation by Bitdefender known as “Curly COMrades.” The shared tooling, infrastructure, and operational patterns strongly suggest a coordinated GRU effort aimed primarily at the global energy sector, with spillover into telecommunications and cloud service providers.

Targeting the Network Edge Instead of Vulnerabilities

Between 2021 and 2023, the Sandworm-linked actors relied on exploiting known vulnerabilities in widely deployed enterprise software and appliances. These included flaws in WatchGuard firewalls, Atlassian Confluence servers, and Veeam backup systems. While effective, such exploits carried growing risks as detection tools improved and patch cycles accelerated.

By 2024, Amazon observed a decisive tactical shift. The attackers increasingly abandoned vulnerability exploitation in favor of abusing misconfigured network edge devices. These systems—often routers, firewalls, VPN gateways, or cloud-based instances—were exposed to the internet through weak passwords, default credentials, outdated firmware, or open administrative interfaces.

This method allowed attackers to gain access without triggering alarms commonly associated with exploit attempts. In many cases, the devices were already trusted components of enterprise networks, enabling seamless lateral movement once compromised.

How Misconfiguration Abuse Enables Stealthy Access

Misconfigured network devices offer attackers a unique advantage: legitimacy. When an attacker logs in using valid credentials or accesses an open management interface, their activity blends into normal administrative traffic. This dramatically lowers the likelihood of detection.

Amazon’s analysis found that compromised edge devices hosted on AWS were used to establish long-term, low-noise connections to attacker-controlled IP addresses. These connections enabled passive monitoring of network traffic, allowing the attackers to intercept authentication data without deploying traditional malware.

Importantly, Amazon confirmed that AWS infrastructure itself was not compromised. Instead, the attackers exploited customers’ improperly configured EC2 instances and network devices running within AWS environments.

This passive surveillance approach aligns closely with Sandworm’s known tradecraft, which emphasizes stealth, patience, and intelligence collection over immediate disruption.

Credential Harvesting and Replay Attacks

Once authentication data was collected, the attackers used stolen credentials in replay attacks against a wide range of online services. Targets included energy companies, telecommunications firms, and cloud service providers across North America, Europe, and the Middle East.

The stolen credentials allowed attackers to authenticate as legitimate users, bypassing perimeter defenses entirely. In some cases, this access could enable long-term espionage, infrastructure mapping, or preparation for future disruptive operations.

Amazon’s analysts noted that packet capture and traffic analysis were central to this operation. By quietly observing network flows rather than interacting aggressively with systems, the attackers minimized forensic footprints while maintaining deep visibility into victim environments.

Overlapping Infrastructure Confirms GRU Coordination

The infrastructure overlap between Amazon’s findings and Bitdefender’s Curly COMrades reporting is a critical detail. Shared command-and-control nodes, hosting patterns, and operational timelines suggest that these were not isolated campaigns but components of a broader GRU intelligence effort.

This coordination reinforces the conclusion that Russia is investing heavily in persistent access operations against Western critical infrastructure. Rather than seeking immediate disruption, the focus appears to be on positioning—ensuring access is available when geopolitical conditions demand it.

Such access could later be leveraged for sabotage, disinformation, or coercive cyber operations during periods of heightened international tension.

Amazon’s Response and Mitigation Efforts

Amazon worked closely with affected customers and security partners to address the compromises. This included notifying impacted organizations, assisting with remediation, and cutting off attacker access where possible.

The company emphasized the importance of auditing network-edge devices, particularly those exposed to the internet. Key recommendations include isolating management interfaces, enforcing multi-factor authentication, and closely reviewing authentication logs for signs of credential reuse or anomalous access patterns.

For AWS customers specifically, Amazon advised adopting identity federation with IAM roles, applying least-privilege security group rules, and enabling services such as Amazon Inspector and GuardDuty for continuous threat detection.

A Strategic Warning for 2026 Defenders

The campaign underscores a broader shift in Russian cyber strategy. Instead of expending resources on zero-day exploits that may be quickly patched or detected, attackers are exploiting the human and operational weaknesses that persist in most enterprise environments.

Misconfigurations are widespread, difficult to inventory, and often deprioritized in security programs focused on vulnerability management. This makes them an ideal attack surface for patient, state-sponsored actors seeking long-term access.

As critical infrastructure becomes increasingly digitized and cloud-connected, the network edge will remain a high-value target. Defenders must treat configuration hygiene as a strategic priority, not a routine maintenance task.

What Undercode Say: The Real Risk Isn’t Sophistication, It’s Complacency

The most unsettling aspect of Amazon’s findings is not the technical complexity of the campaign, but its simplicity. Sandworm’s evolution reflects a mature understanding of modern enterprise environments: defenders are excellent at chasing vulnerabilities, but far less effective at enforcing consistent configuration discipline.

This campaign demonstrates that advanced threat actors no longer need zero-days to penetrate critical systems. They only need patience and a deep understanding of how real-world networks are mismanaged over time.

Misconfigured edge devices are the perfect espionage platform. They sit at the intersection of trust and exposure, often monitored less aggressively than servers or endpoints. Once compromised, they provide unparalleled visibility into authentication flows, internal services, and administrative behavior.

The use of passive traffic collection is particularly telling. This approach avoids the noise of malware deployment and minimizes indicators of compromise. It also allows attackers to harvest credentials that remain valid even after systems are patched or rebuilt.

From a strategic perspective, this aligns with Russia’s broader doctrine of persistent confrontation below the threshold of armed conflict. Maintaining access to energy grids, telecom networks, and cloud platforms offers leverage that can be exercised—or merely implied—during geopolitical crises.

Defenders must also recognize that cloud environments do not inherently eliminate traditional security failures. Misconfigurations migrate to the cloud just as easily as workloads do. Identity sprawl, over-permissive rules, and exposed management interfaces are cloud-era versions of old mistakes.

Looking ahead, the danger lies in normalization. As organizations grow accustomed to living with minor misconfigurations, attackers will continue to exploit them at scale. Security teams must elevate configuration management, identity hygiene, and continuous monitoring to the same priority level as vulnerability patching.

Ultimately, this campaign is less a story about Russian innovation and more a mirror reflecting Western defensive gaps. Until those gaps are closed, sophisticated adversaries will continue to win using surprisingly unsophisticated methods.

Fact Checker Results

✅ Attribution to GRU-linked Sandworm aligns with multiple independent intelligence sources
✅ Technical details are consistent with known Sandworm surveillance tradecraft
❌ No public evidence suggests AWS core infrastructure was compromised

Prediction

🔍 Misconfiguration-based attacks will outpace zero-day exploitation in critical infrastructure targeting
⚠️ Credential replay attacks will become a dominant post-compromise technique
🛡️ Configuration auditing and identity security will define defensive success in 2026

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon