While targeting Western energy companies, prominent Russian government hackers have switched from breaching organizations through novel vulnerabilities to targeting misconfigured network edge devices, according to security researchers from Amazon.
CJ Moses, CISO of Amazon Integrated Security, told Recorded Future News in an interview that the number of victim organizations is more than 10 and attributed the attacks to a well-known hacking operation known as APT44. Referred to colloquially as Sandworm or Seashell Blizzard, the group has been tied by U.S. officials to Russia’s Main Intelligence Directorate (GRU).
Moses said Amazon began tracking the campaign in 2021 and saw that it focused on Western critical infrastructure, particularly the energy sector. Amazon was able to detect the campaigns through its large network of honeypots that it calls Amazon MadPot.
Data Amazon obtained showed “coordinated operations against customer network edge devices hosted on AWS.”
“This was not due to a weakness in AWS; these appear to be customer misconfigured devices,” Moses said.
The campaign followed a consistent pattern: the hackers compromised a customer network edge device hosted on AWS, harvested credentials from the traffic passing through it, used those credentials against the victim’s online services and infrastructure, and then established persistent access that enabled lateral movement.
In a press briefing this week, Amazon officials said the years-long campaign “represents a significant evolution in critical infrastructure targeting: a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined.”
“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” the experts said.
Amazon researchers said the hackers accessed endpoints for multiple sectors in 2025, including electric utility organizations, energy providers and managed security service providers specializing in energy sector clients.
The campaign also involved attacks targeting telecom providers and technology companies.
Amazon says it notified affected customers when it found compromised network appliances and shared its findings with industry partners as well as the affected vendors.
Amazon researchers found that the group relied on novel vulnerabilities for years before switching to misconfigured customer network edge devices in 2025.
From 2021 to 2022, the hackers exploited CVE-2022-26318 — a bug impacting a popular line of firewalls from WatchGuard. The next year, GRU attackers used CVE-2021-26084 and CVE-2023-22518 which affect the Confluence Data Center and Confluence Server products.
By 2024, the group shifted to exploiting vulnerabilities from software company Veeam, including CVE-2023-27532, before targeting “misconfigured customer network edge devices” in 2025, according to Amazon.
Both nation-states and cybercriminals have long targeted the “low-hanging fruit” of misconfigured devices with exposed management interfaces — either for persistent access to critical infrastructure networks or for credential harvesting.
The practice, according to Amazon, is in part to reduce the amount of financial investment needed to find and develop zero-day or N-day vulnerabilities.
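The misconfiguration the article describes, management interfaces reachable from the whole internet, is something a defender can audit for directly. The following Python script is an added example, not code from Amazon’s report or from this article: it walks security-group data in the shape returned by `aws ec2 describe-security-groups` and flags any rule that opens a management port to every IPv4 or IPv6 source. The port list, the group IDs and the sample rules are constructed assumptions for illustration; tune the ports to the appliances actually in use.

```python
"""Flag AWS security-group rules that expose appliance management ports
to the whole internet.

Added example, not from the Amazon report or Recorded Future News. The
input below is constructed by hand in the shape returned by
`aws ec2 describe-security-groups`; the port list is an assumption about
which services count as "management interfaces".
"""
from typing import Any

# Assumed management ports: SSH plus HTTPS admin UIs on common ports.
MANAGEMENT_PORTS = {22, 443, 8443, 4443, 10443}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def rule_is_open_to_internet(perm: dict[str, Any]) -> bool:
    """True if an IpPermissions entry allows any IPv4 or IPv6 source."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_management_ports(perm: dict[str, Any]) -> set[int]:
    """Return the management ports an ingress rule reaches.

    IpProtocol "-1" means all traffic, in which case FromPort/ToPort are
    absent and every management port is reachable. Only TCP rules count;
    UDP rules (VPN data plane, for example) are not management exposure.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(MANAGEMENT_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def audit_security_groups(groups: list[dict[str, Any]]) -> list[tuple[str, int]]:
    """Return sorted (GroupId, port) pairs for management ports open to the world."""
    findings = set()
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_open_to_internet(perm):
                continue
            for port in exposed_management_ports(perm):
                findings.add((sg["GroupId"], port))
    return sorted(findings)


# Constructed sample: weak settings beside a corrected one.
SAMPLE_GROUPS = [
    {   # weak: SSH and an admin UI reachable from anywhere
        "GroupId": "sg-0aaa",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,  # IKE, data plane
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # corrected: management only from an assumed corporate range
        "GroupId": "sg-0bbb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # weak: all traffic from anywhere
        "GroupId": "sg-0ccc",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for group_id, port in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: management port {port} open to the internet")
```

The check deliberately treats an all-traffic (`-1`) rule as exposing every management port, and ignores UDP rules so that a VPN appliance’s IKE listener is not reported as a management interface. In a real account the same functions would be fed the output of `describe-security-groups` rather than the constructed sample.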
Although Amazon did not provide details about the victims, it said the time gap between devices being compromised and attempted intrusions likely indicates the hackers were interested in passive information collection rather than active credential theft.
The hacking group has previously been accused of targeting critical infrastructure and energy companies globally, particularly in Ukraine. Sandworm, which researchers have tied to Russian Military Intelligence Unit 74455, has been active since at least 2013 and is responsible for some of Russia’s most high-profile destructive attacks, including the KillDisk and FoxBlade wiper malware and headline-grabbing incidents such as NotPetya and Prestige.
Aaron Beardslee, a security expert at Securonix, said Amazon’s findings are representative of a wider cultural shift within the cybersecurity industry.
Security teams have gotten dramatically better at vulnerability management, patch cycles have compressed from months to weeks, and protection platforms now catch exploitation artifacts reliably, he said.
According to Beardslee, threat intelligence sharing means exploits have shorter useful life spans before defenders adapt.
“The result is that traditional exploitation now requires more resources, carries higher detection risk and yields diminishing returns. So sophisticated actors did what sophisticated actors do: they pivoted to the path of least resistance,” he said.
“This shift isn’t a failure of security programs; it’s evidence they’re working. Defenders made the traditional exploitation model too expensive and too risky, so attackers adapted. The problem is that configuration security has been treated as operational housekeeping instead of a critical security control, and that needs to change immediately.”
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

