Russian Sandworm’s Quiet War on Western Energy Networks Revealed by Amazon Threat Intelligence + Video


A Long Campaign Hidden in Plain Sight

Amazon Threat Intelligence has revealed a sustained Russian state-backed cyber campaign that quietly targeted Western critical infrastructure for nearly half a decade. Spanning from 2021 through 2025, the operation focused heavily on the energy sector, not through flashy zero-day exploits, but through something far more dangerous: long-term access achieved by abusing misconfigured network edge devices. The findings expose how modern state-backed actors increasingly prioritize stealth, persistence, and operational safety over technical novelty, reshaping the threat landscape for critical infrastructure defenders.

The Original Report and Key Findings

Amazon Threat Intelligence documents a long-running campaign attributed with high confidence to the GRU-linked Sandworm group, also known as APT44 or Seashell Blizzard, targeting Western critical infrastructure across North America, Europe, and parts of the Middle East. The operation evolved significantly between 2021 and 2025. Early activity relied on exploiting known vulnerabilities in widely used enterprise products, including WatchGuard Firebox and XTM appliances, Atlassian Confluence servers, and Veeam backup systems, using publicly disclosed CVEs to gain initial access.

Over time, however, the attackers shifted tactics. By 2025, exploitation of both zero-day and N-day vulnerabilities had sharply declined, replaced by systematic abuse of misconfigured network edge devices such as routers, VPN gateways, and management appliances. Many of these devices were hosted by customers on AWS EC2 instances, not due to any weakness in AWS itself, but because of exposed management interfaces and insecure configurations.

Amazon’s telemetry revealed persistent connections from actor-controlled IP addresses to compromised instances, consistent with interactive access, packet capture, and data retrieval. The attackers harvested credentials by passively intercepting network traffic, then replayed those credentials to access cloud services and internal systems, enabling lateral movement across victim environments.

Targets included energy providers, technology firms, telecom operators, and cloud-dependent organizations, with a strong emphasis on the energy supply chain. Infrastructure overlaps suggest coordination with a GRU-linked cluster tracked by Bitdefender as “Curly COMrades,” indicating a division of labor between network access specialists and host-level persistence operators.

Amazon responded by notifying affected customers, remediating compromised instances, sharing intelligence with partners, and disrupting active operations to reduce the available attack surface.

What Undercode Says: Strategic Meaning Behind the Shift to Misconfiguration Abuse

The most important lesson from this campaign is not technical; it is strategic. Sandworm’s shift away from vulnerability exploitation toward abusing misconfigured edge devices signals a mature threat actor optimizing for longevity rather than headlines. Exploiting CVEs creates noise, attracts defenders, and forces patch cycles that eventually close doors. Misconfigurations, by contrast, are human problems, not software flaws, and they persist quietly across years of infrastructure changes.

From an operational standpoint, edge devices are perfect choke points. Routers, VPNs, and management appliances see everything. By compromising these systems, attackers gain visibility into authentication flows, internal traffic patterns, and privileged credentials without ever touching endpoints directly. Passive packet capture allows credential harvesting with minimal forensic footprint, aligning perfectly with Sandworm’s historical tradecraft of blending espionage with sabotage readiness.

The AWS angle is also frequently misunderstood. This campaign does not reflect a cloud provider failure, but rather the reality that cloud-hosted appliances inherit the same security weaknesses as on-prem hardware when misconfigured. Running a firewall or VPN inside an EC2 instance does not magically secure it. If management interfaces are exposed, attackers will find them, regardless of where they run.
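The exposure described above is checkable from the cloud control plane. The following is an added example, not code from Amazon's report: it audits security group rules in the shape returned by boto3's `describe_security_groups()` and flags any management port admitted from the whole Internet. The port list and the sample groups are constructed assumptions.

```python
"""Audit EC2 security groups for appliance management ports open to the world.

Added example, not from the Amazon report. Works on the data shape returned by
boto3's ec2.describe_security_groups(); here it runs on a constructed sample.
"""
from ipaddress import ip_network

# Assumed management ports: SSH, HTTPS admin UI, RDP, alternate HTTPS admin UI.
MANAGEMENT_PORTS = {22, 443, 3389, 8443}

def _is_world_open(cidr: str) -> bool:
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def _ports_covered(perm: dict) -> set[int]:
    """Management ports admitted by one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":            # "all traffic" rule, no port fields
        return set(MANAGEMENT_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}

def find_exposed_management_rules(security_groups: list[dict]) -> list[tuple[str, int, str]]:
    """Return (group_id, port, cidr) for every management port open to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = _ports_covered(perm)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _is_world_open(cidr):
                    findings.extend((sg["GroupId"], p, cidr) for p in sorted(ports))
    return findings

# Constructed sample: one appliance exposes its HTTPS admin UI to everyone,
# the other only admits management traffic from an internal range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-exposed-appliance", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-restricted-appliance", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, port, cidr in find_exposed_management_rules(SAMPLE_GROUPS):
        print(f"{group_id}: tcp/{port} open to {cidr}")
```

Feeding it live output (`ec2.describe_security_groups()["SecurityGroups"]`) instead of the sample turns it into a recurring configuration audit.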

The overlap with the Curly COMrades infrastructure is another critical signal. It suggests a modular GRU ecosystem where different subclusters specialize in access, persistence, and exploitation, sharing infrastructure and intelligence. This mirrors military doctrine more than traditional cybercrime operations. One unit opens doors, another maintains presence, another prepares follow-on effects. For energy sector targets, this structure is especially concerning, as it enables pre-positioning for potential future disruption during geopolitical escalation.

Perhaps the most alarming aspect is the timeline. This activity ran for years, largely undetected, across some of the most sensitive networks in the West. That implies that many organizations still treat edge devices as plumbing rather than strategic assets. Logging is minimal, monitoring is inconsistent, and ownership is often unclear. Sandworm exploited that blind spot with discipline and patience.

Defensively, the report underscores a hard truth. Patch management alone is no longer enough. Security programs that celebrate reduced vulnerability counts while ignoring exposed interfaces, weak authentication, and appliance-level telemetry are missing the real battlefield. Edge security must be treated as first-class security, with continuous configuration audits, strict access controls, and behavioral monitoring for persistent connections and anomalous traffic flows.
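The "persistent connections from actor-controlled IP addresses" that Amazon's telemetry surfaced are the kind of pattern appliance-level monitoring should catch. This added example, not code from the report, runs that logic over default-format VPC Flow Log records: it flags any external source whose accepted flows to a management port accumulate enough time across more than one day to resemble interactive access. Ports, thresholds, internal ranges and the sample records are constructed assumptions.

```python
"""Flag long-lived external sessions to appliance management ports in VPC Flow Logs.

Added example, not from the Amazon report. Parses the default 14-field record;
ports, thresholds, internal ranges and the sample lines are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MANAGEMENT_PORTS = {22, 443, 8443}                    # assumed appliance admin ports
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_TOTAL_SECONDS = 3600                              # assumed: over 1h of accepted flow time
MIN_DISTINCT_DAYS = 2                                 # assumed: recurs on separate days

def parse_flow_record(line: str) -> dict:
    """Default format: version account eni src dst sport dport proto pkts bytes start end action status."""
    f = line.split()
    return {"src": f[3], "dst": f[4], "dport": int(f[6]), "proto": f[7],
            "start": int(f[10]), "end": int(f[11]), "action": f[12]}

def is_external(addr: str) -> bool:
    """True unless the address falls inside one of the organisation's internal ranges."""
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def find_persistent_external_sessions(lines: list[str]) -> list[tuple[str, str, int]]:
    """(src, dst, dport) keys whose accepted external TCP flows to a management port are long and recurring."""
    total = defaultdict(int)
    days = defaultdict(set)
    for line in lines:
        r = parse_flow_record(line)
        if r["action"] != "ACCEPT" or r["proto"] != "6" or r["dport"] not in MANAGEMENT_PORTS:
            continue
        if not is_external(r["src"]):
            continue
        key = (r["src"], r["dst"], r["dport"])
        total[key] += r["end"] - r["start"]
        days[key].add(r["start"] // 86400)            # calendar day bucket of the flow start
    return sorted(k for k in total
                  if total[k] >= MIN_TOTAL_SECONDS and len(days[k]) >= MIN_DISTINCT_DAYS)

# Constructed sample: one external source returns to the same HTTPS admin interface
# on two days for long sessions; the others are short, internal or rejected.
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51514 443 6 400 90000 1700000000 1700002000 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.1.5 40022 443 6 12 3000 1700000100 1700000160 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.3.4 10.0.1.5 55000 22 6 900 200000 1700000300 1700009000 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51890 443 6 380 85000 1700086400 1700088400 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51999 8443 6 3 180 1700086500 1700093000 REJECT OK",
]

if __name__ == "__main__":
    for src, dst, dport in find_persistent_external_sessions(SAMPLE_FLOW_LOGS):
        print(f"persistent external session: {src} -> {dst}:{dport}")
```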

Fact Checker Results

✅ Attribution to GRU-linked Sandworm aligns with historical tradecraft and infrastructure overlaps.

✅ AWS was not compromised; customer misconfigurations enabled access.

❌ No evidence suggests this campaign relied primarily on zero-day exploits after 2023.

Prediction

📊 State-backed groups will increasingly abandon exploit-heavy campaigns in favor of low-noise misconfiguration abuse.
📊 Energy and telecom sectors will face growing pressure to secure edge devices as strategic assets.
📊 Cloud-hosted network appliances will become a primary battleground for long-term cyber espionage.


References:

Reported By: securityaffairs.com