Amazon Uncovers Russian Cyber Espionage Targeting Western Infrastructure

Russian APT44 Cyber Campaign Targets Western Critical Infrastructure by Exploiting Misconfigured Network Edge Devices from 2021 to 2025

  • From 2021 to 2025, a Russian state-sponsored group targeted Western critical infrastructure, focusing on misconfigured network edge devices.
  • The campaign primarily affected energy, cloud services, and telecom sectors across North America, Europe, and the Middle East.
  • The threat actor exploited known vulnerabilities in network appliances and software, then used credential harvesting to gain deeper access.
  • The group, linked to GRU’s APT44, adapted tactics from direct exploits to leveraging customer network misconfigurations.
  • Amazon intervened by notifying affected customers and disrupting ongoing operations targeting its cloud infrastructure.

Amazon security experts revealed a multi-year cyber campaign from 2021 to 2025 by a Russian government-backed group targeting critical infrastructure in Western countries. The campaign aimed at energy companies, cloud-based network services, and other key sectors in North America, Europe, and the Middle East. The activity is linked with high confidence to the GRU-affiliated Advanced Persistent Threat group known as APT44, also referred to by names including FROZENBARENTS and Sandworm.

The intrusions evolved from exploiting software vulnerabilities to focusing on misconfigured network edge devices hosted within cloud environments. With this shift the group relied less on software vulnerabilities, whether unpatched zero-day flaws or already-disclosed N-day flaws, and instead leveraged exposed management interfaces on routers and network appliances.

Over the years, the group exploited several vulnerabilities, including the WatchGuard Firebox and XTM flaw CVE-2022-26318 from 2021 to 2022, Atlassian Confluence vulnerabilities CVE-2021-26084 and CVE-2023-22518 during 2022-2023, and the Veeam flaw CVE-2023-27532 in 2024. The campaign continued to focus heavily on misconfigured network edge devices into 2025.

Amazon reported that the attackers targeted devices such as enterprise routers, VPN concentrators, network management systems, and cloud-based collaboration platforms. By compromising these devices, the threat actors intercepted network traffic to harvest credentials. They then performed credential replay attacks to access victim organizations’ online services and strengthen their network foothold.

“Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software,” said CJ Moses, Amazon Integrated Security Chief Information Security Officer. “Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”

The attack process reportedly involved compromising cloud-hosted network edge devices, capturing network traffic, collecting credentials, replaying them to online services, and establishing persistent access for lateral network movement.

The campaign’s targeting highlights a focus on energy supply chains, including both direct operators and third-party service providers with network access to critical infrastructure. Additionally, infrastructure overlaps were noted with a related cluster known as Curly COMrades, suggesting coordinated subgroups within the broader GRU operation.

Amazon has notified affected users and disrupted ongoing threat activities impacting its cloud services. Organizations are advised to audit network edge devices for unauthorized packet capture tools, enforce strong authentication, monitor login attempts from unusual locations, and watch for credential replay incidents.
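The credential replay pattern described above (captured credentials reused from actor infrastructure while the legitimate user is still active) can be surfaced from authentication logs. The following is an added detection example, not Amazon's tooling or anything from the report: it parses constructed login records and flags a successful login from a country outside a user's known set within an hour of a success from a known location. The log format, IP addresses and the KNOWN_LOCATIONS baseline are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not from the article); documentation/test IP ranges only.
SAMPLE_LOG = """\
2025-03-04T08:00:12Z login user=ops.admin src=203.0.113.7 country=US result=success
2025-03-04T08:05:40Z login user=ops.admin src=203.0.113.7 country=US result=success
2025-03-04T08:09:03Z login user=ops.admin src=198.51.100.23 country=NL result=success
2025-03-04T08:10:15Z login user=ops.admin src=198.51.100.23 country=NL result=success
2025-03-04T09:30:00Z login user=j.doe src=192.0.2.44 country=US result=failure
2025-03-05T07:58:00Z login user=j.doe src=192.0.2.44 country=US result=success
"""

# Assumed baseline of countries each account normally authenticates from.
KNOWN_LOCATIONS = {"ops.admin": {"US"}, "j.doe": {"US"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_replay_candidates(events, known_locations, window=timedelta(hours=1)):
    """Return one alert per (user, source IP) where a successful login from an unknown
    country follows a success from a known country within `window`: the overlap a replayed
    credential produces while the real user is still working."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    alerts, seen = [], set()
    for user, evs in by_user.items():
        known = known_locations.get(user, set())
        for i, ev in enumerate(evs):
            if ev["country"] in known or (user, ev["src"]) in seen:
                continue
            # Any earlier success from a known location inside the window makes this suspect.
            if any(p["country"] in known and ev["ts"] - p["ts"] <= window for p in evs[:i]):
                seen.add((user, ev["src"]))
                alerts.append((user, ev["src"], ev["country"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_replay_candidates(parse_events(SAMPLE_LOG), KNOWN_LOCATIONS):
        print("possible credential replay:", alert)
```

In production the baseline would come from historical login data per account, and the same logic applies equally to service-account tokens replayed against cloud control planes.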

More on the WatchGuard Firebox vulnerability can be found here, and additional information on the campaign is detailed here.
