Amazon says it has disrupted active hacking operations linked to the Russian military intelligence agency known as the GRU.

According to Amazon’s Threat Intelligence team, the attackers were targeting customer cloud environments, with a strong focus on Western critical infrastructure, especially organizations in the energy sector.

Amazon observed that the campaign began around 2021 and continued for several years. During the early stages, the attackers relied heavily on exploiting software vulnerabilities, including both zero-day and known flaws, to gain access to victim systems. These attacks targeted products such as WatchGuard devices, Atlassian Confluence servers, and Veeam backup software.

Over time, the attackers changed their approach. By 2025, they were exploiting fewer vulnerabilities and instead focused on misconfigured network edge devices. These included enterprise routers, VPN gateways, network management tools, collaboration platforms, and cloud-based project management systems that had exposed management interfaces.

CJ Moses, Amazon’s Chief Information Security Officer for Integrated Security, said the attackers shifted toward what he described as “low-hanging fruit.” By targeting poorly configured devices, the group could still achieve its main goals, which include maintaining long-term access to sensitive networks and stealing credentials, without investing as much effort into finding new software flaws.

Amazon noted that while the attackers had been abusing misconfigurations since at least 2022, their focus on this method became much more consistent in 2025. At the same time, they reduced their use of zero-day and recently disclosed vulnerabilities. Despite this tactical change, Amazon says the group’s objectives remained the same: quietly moving through victim networks, stealing credentials, and avoiding detection.

Based on attack patterns and shared infrastructure, Amazon believes with high confidence that the activity is connected to GRU-linked hacking groups, including Sandworm, also known as APT44 or Seashell Blizzard, and another group called Curly COMrades. Amazon assesses that Curly COMrades may be responsible for activity that takes place after initial access, operating as part of a larger GRU campaign made up of multiple specialized teams.

Although Amazon did not directly observe how data was stolen, the company says there are strong signs that the attackers used passive techniques such as packet capture and traffic interception. This conclusion is based on delays between when devices were compromised and when stolen credentials were later used, as well as the abuse of legitimate organizational login details.

The compromised systems were customer-managed network appliances running on Amazon EC2 instances. Amazon emphasized that the attacks did not exploit vulnerabilities in AWS services themselves. After identifying the activity, Amazon took steps to protect affected EC2 instances and notified impacted customers. The company also shared intelligence with vendors and industry partners to help reduce further risk.

Amazon stated that coordinated efforts have already disrupted the attackers’ operations and reduced the available attack surface. The company shared a list of IP addresses linked to the campaign but warned organizations not to block them automatically, as the servers belong to legitimate systems that were hijacked by the attackers to hide their traffic.


Looking ahead, Amazon recommends that organizations prioritize auditing their network devices, closely monitor for credential reuse, and keep a close eye on access to administrative portals. For AWS environments, Amazon advises isolating management interfaces, tightening security group rules, and enabling monitoring tools such as CloudTrail, GuardDuty, and VPC Flow Logs to improve visibility and detection.
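One way to act on the "tighten security group rules" and "exposed management interfaces" points above, as an added example that is not Amazon's own tooling: the audit below walks security group rules in the shape returned by boto3's `ec2.describe_security_groups()` and flags management ports reachable from any source outside a set of trusted admin ranges. The sample groups, the port list and the trusted ranges are constructed for illustration.

```python
import ipaddress

# Ports typically carrying appliance management interfaces (SSH, HTTPS admin UIs,
# common alternate admin ports). Adjust to your own fleet.
MANAGEMENT_PORTS = {22, 443, 8080, 8443, 10443}

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [            # all traffic, any IPv6 source
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
TRUSTED_SOURCES = ["10.0.0.0/8", "203.0.113.0/24"]  # assumed admin ranges

def _is_trusted(cidr, trusted):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def _ports_hit(perm, mgmt_ports):
    # "-1" means every protocol and port; other non-TCP protocols are ignored here.
    if perm.get("IpProtocol") == "-1":
        return sorted(mgmt_ports)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in mgmt_ports if lo <= p <= hi)

def find_exposed_management_ports(groups, trusted_sources, mgmt_ports=MANAGEMENT_PORTS):
    """Return (group id, port, source cidr) for each management port reachable
    from a source that is not inside one of the trusted admin ranges."""
    trusted = [ipaddress.ip_network(t) for t in trusted_sources]
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = _ports_hit(perm, mgmt_ports)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if not _is_trusted(src, trusted):
                    findings.extend((sg["GroupId"], p, src) for p in ports)
    return findings
```

Against the sample, the 443/tcp rule open to 0.0.0.0/0 and the all-traffic rule open to ::/0 are reported, while the rules limited to the trusted ranges are not.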
