Amazon Warns of Russian GRU Cyber Threats to Critical Infrastructure

GRU cyber tactics network device misconfiguration critical infrastructure security Sandworm group credential harvesting AWS security
Brandon Woo
System Architect
December 17, 2025 | 7 min read

TL;DR

Russian GRU, linked to the Sandworm group, is actively targeting misconfigured network edge devices to infiltrate critical infrastructure, particularly in the energy sector. This shift away from zero-day exploits focuses on gaining persistent access and harvesting credentials by exploiting exposed management interfaces on devices like routers and VPNs. The article details campaign evolution, targeted sectors, and essential defense strategies for organizations to protect their networks.

Russian GRU Shifts Tactics to Target Misconfigured Network Devices

Amazon Threat Intelligence has identified a shift in tactics by a Russian state-sponsored group, linked to the Main Intelligence Directorate (GRU), focusing on misconfigured network edge devices to maintain access to target networks. This campaign, ongoing since 2021, has primarily targeted Western critical infrastructure, especially the energy sector.

[Image: power lines and a water tower, critical infrastructure. Image courtesy of CSO Online]

Instead of relying on zero-day or N-day exploits, the group has increased its focus on exploiting misconfigured customer network edge devices with exposed management interfaces. This approach allows them to achieve the same objectives—persistent access to critical infrastructure networks and credential harvesting—while reducing their exposure.

Campaign Timeline and Targets

The campaign timeline shows a clear evolution in tactics:

  • 2021-2022: Exploitation of WatchGuard (CVE-2022-26318) and first observations of misconfigured device targeting.
  • 2022-2023: Exploitation of Confluence vulnerabilities (CVE-2021-26084, CVE-2023-22518) and continued targeting of misconfigured devices.
  • 2024: Exploitation of Veeam (CVE-2023-27532) and continued misconfigured device targeting.
  • 2025: Sustained targeting of misconfigured customer network edge devices, with a decline in zero-day/N-day exploitation activity.

Primary targets include:

  • Energy sector organizations across Western nations.
  • Critical infrastructure providers in North America and Europe.
  • Organizations with cloud-hosted network infrastructure.

Commonly targeted resources are:

  • Enterprise routers and routing infrastructure.
  • VPN concentrators and remote access gateways.
  • Network management appliances.
  • Collaboration and wiki platforms.
  • Cloud-based project management systems.

Credential Harvesting and Infrastructure Targeting

The attackers primarily use packet capture and traffic analysis to harvest credentials. This assessment is supported by:

  • The time gap between device compromise and subsequent authentication attempts.
  • The use of victim organization credentials to access online services.
  • Sandworm's known history of network traffic interception.
  • Strategic positioning on customer network edge devices.

Compromised infrastructure hosted on AWS has also been observed; this resulted from customer misconfigurations rather than weaknesses in AWS itself. The attackers establish persistent connections to compromised EC2 instances, retrieve data, and perform credential replay attacks against victim organizations' online services.

Targeted sectors include:

  • Energy sector: Electric utility organizations and managed security service providers.
  • Technology/cloud services: Collaboration platforms and source code repositories.
  • Telecommunications: Telecom providers across multiple regions.

The geographic distribution of the targeting includes North America, Europe, and the Middle East.

Connections to Other Groups

Infrastructure overlap has been identified with the group Bitdefender tracks as Curly COMrades. This may represent a division of labor within the GRU, with one cluster focusing on network access and initial compromise, and another handling host-based persistence and evasion.

Defense Strategies

Organizations should take the following actions:

  1. Network Edge Device Audit:
    • Audit devices for unexpected packet capture files.
    • Review configurations for exposed management interfaces.
    • Implement network segmentation to isolate management interfaces.
    • Enforce strong authentication (eliminate default credentials, implement MFA).
  2. Credential Replay Detection:
    • Review authentication logs for credential reuse.
    • Monitor for authentication attempts from unexpected geographic locations.
    • Implement anomaly detection for authentication patterns.
  3. Access Monitoring:
    • Monitor for interactive sessions to router/appliance administration portals from unexpected source IPs.
    • Examine whether network device management interfaces are inadvertently exposed to the internet.
    • Audit for plain text protocol usage (Telnet, HTTP, unencrypted SNMP).
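As an added example (not code from Amazon's report or from Gopher Security), the credential-replay and admin-portal checks in steps 2 and 3 are run over a few constructed authentication log lines. The key=value log format, the trusted address range, the set of management apps and the one-hour replay window are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (the key=value format is an assumption), in time order:
# ops.admin succeeds from the office range and, minutes later, from abroad;
# netadm reaches the router admin portal from an external address.
SAMPLE_LOG = """\
ts=2025-07-02T08:01:10Z user=ops.admin src=10.20.0.15 geo=US app=vpn result=success
ts=2025-07-02T08:04:42Z user=ops.admin src=203.0.113.77 geo=DE app=vpn result=success
ts=2025-07-02T08:05:03Z user=j.doe src=10.20.0.31 geo=US app=wiki result=success
ts=2025-07-02T09:10:00Z user=netadm src=198.51.100.9 geo=NL app=router-admin result=success
ts=2025-07-02T09:12:30Z user=netadm src=10.20.0.40 geo=US app=router-admin result=success
"""

# Assumed policy: which apps are management portals, which source ranges may
# reach them, and how close two logins must be to count as a replay.
ADMIN_APPS = {"router-admin", "vpn-admin"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
REPLAY_WINDOW = timedelta(hours=1)

def parse(line):
    """Turn one key=value line into a dict; ts becomes a datetime."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_trusted(src):
    """True if the source address lies inside one of the trusted ranges."""
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)

def find_alerts(log_text):
    """Return (alert_type, user, src) tuples for successful logins that are
    (a) to an admin app from an untrusted address, or (b) by an account that
    already succeeded from a different country inside REPLAY_WINDOW."""
    alerts, by_user = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["result"] != "success":
            continue
        if rec["app"] in ADMIN_APPS and not is_trusted(rec["src"]):
            alerts.append(("admin_from_untrusted_ip", rec["user"], rec["src"]))
        if any(p["geo"] != rec["geo"] and rec["ts"] - p["ts"] <= REPLAY_WINDOW
               for p in by_user[rec["user"]]):
            alerts.append(("possible_credential_replay", rec["user"], rec["src"]))
        by_user[rec["user"]].append(rec)
    return alerts
```

On the sample log this yields three alerts: a replay for ops.admin, an untrusted admin-portal login for netadm, and a second geo-inconsistent login for netadm; a real deployment would need a GeoIP source and per-organization trusted ranges.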

Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, providing a robust solution to defend against such sophisticated threats. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography.

AWS-Specific Recommendations

For AWS environments, implement these protective measures:

  • Identity and Access Management: Manage access using identity federation and IAM roles.
  • Network Security: Implement least permissive rules for security groups. Isolate management interfaces in private subnets with bastion host access. Enable VPC Flow Logs for network traffic analysis.
  • Vulnerability Management: Use Amazon Inspector to discover and scan for vulnerabilities. Regularly patch and secure the operating system and applications.
  • Detection and Monitoring: Enable AWS CloudTrail for API activity monitoring. Configure Amazon GuardDuty for threat detection. Review authentication logs for credential replay patterns.
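An added example, not AWS's or Gopher Security's own code, for the "least permissive security groups" and "isolate management interfaces" points above: it audits a constructed security group, shaped like `aws ec2 describe-security-groups` output, for management ports open to 0.0.0.0/0 or ::/0, and produces the tightened version that restricts those ports to an assumed bastion subnet. The port list and the group contents are assumptions.

```python
import copy

# Ports that typically expose a device's management plane (assumed list).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp",
                    443: "https-admin", 8443: "https-admin"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed weak group in describe-security-groups shape: SSH open to all
# IPv4, the HTTPS admin UI open to all IPv6, plus an unrelated app port.
WEAK_SG = {
    "GroupId": "sg-0example", "GroupName": "edge-router-mgmt",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ],
}

def covers_port(perm, port):
    """True if the rule's port range includes `port` (protocol -1 means all ports)."""
    return perm["IpProtocol"] == "-1" or perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def world_open_cidrs(perm):
    # The 0.0.0.0/0 and ::/0 sources present on one rule.
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == ANY_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == ANY_V6]
    return v4 + v6

def exposed_management(sg):
    """List (port, service, cidr) for management ports reachable from anywhere."""
    findings = []
    for perm in sg["IpPermissions"]:
        for port, svc in MANAGEMENT_PORTS.items():
            if covers_port(perm, port):
                findings += [(port, svc, c) for c in world_open_cidrs(perm)]
    return findings

def tighten(sg, mgmt_cidr):
    """Copy of sg with world-open sources on management rules replaced by the
    bastion/management subnet (assumed CIDR); non-management rules untouched."""
    fixed = copy.deepcopy(sg)
    for perm in fixed["IpPermissions"]:
        if not any(covers_port(perm, p) for p in MANAGEMENT_PORTS):
            continue
        perm["IpRanges"] = [{"CidrIp": mgmt_cidr} if r["CidrIp"] == ANY_V4 else r
                            for r in perm.get("IpRanges", [])]
        perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] != ANY_V6]
    return fixed
```

The audit reports SSH on 0.0.0.0/0 and the HTTPS admin UI on ::/0; after tightening to the bastion subnet, the same audit returns nothing while the unrelated 8080 rule is left as it was.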

By converging networking and security with AI-powered and quantum-resistant cryptography, Gopher Security (https://gopher.security) ensures that your organization is protected against even the most sophisticated threats.

Indicators of Compromise (IOCs)

| IOC Value | IOC Type | First Seen | Last Seen | Annotation |
| --- | --- | --- | --- | --- |
| 91.99.25[.]54 | IPv4 | 2025-07-02 | Present | Compromised legitimate server used to proxy threat actor traffic |
| 185.66.141[.]145 | IPv4 | 2025-01-10 | 2025-08-22 | Compromised legitimate server used to proxy threat actor traffic |
| 51.91.101[.]177 | IPv4 | 2024-02-01 | 2024-08-28 | Compromised legitimate server used to proxy threat actor traffic |
| 212.47.226[.]64 | IPv4 | 2024-10-10 | 2024-11-06 | Compromised legitimate server used to proxy threat actor traffic |
| 213.152.3[.]110 | IPv4 | 2023-05-31 | 2024-09-23 | Compromised legitimate server used to proxy threat actor traffic |
| 145.239.195[.]220 | IPv4 | 2021-08-12 | 2023-05-29 | Compromised legitimate server used to proxy threat actor traffic |
| 103.11.190[.]99 | IPv4 | 2021-10-21 | 2023-04-02 | Compromised legitimate staging server used to exfiltrate WatchGuard files |
| 217.153.191[.]190 | IPv4 | 2023-06-10 | 2025-12-08 | Long-term infrastructure used for reconnaissance and targeting |

Note: These IPs are compromised legitimate servers and should be investigated for context rather than automatically blocked.

Protect your organization from evolving cyber threats with Gopher Security's (https://gopher.security) AI-powered, post-quantum Zero-Trust cybersecurity solutions. Contact us today to learn more.

Brandon Woo, System Architect

10-year experience in enterprise application development. Deep background in cybersecurity. Expert in system design and architecture.
