Adding to escalating concerns about digital security, Amazon Threat Intelligence on Monday identified a renewed Russian-led campaign targeting Western critical infrastructure, singling out organizations in the energy sector. The findings highlight a tactical evolution: state-sponsored actors now focus on misconfigured infrastructure rather than on exploiting known software vulnerabilities. This ongoing campaign, initiated in 2021, points to persistent efforts by attackers linked to Russia’s Main Intelligence Directorate (GRU) to destabilize vital systems using new methods. Companies operating in electric utilities, energy provision, and managed security face heightened risk from these sophisticated threats. Amazon’s response has included direct customer alerts, collaborative intelligence sharing, and remediation of compromised Amazon EC2 instances, signaling the growing importance of cloud security readiness for businesses relying on cloud infrastructure.
Earlier reports discussed Russia-linked incursions largely in the context of exploiting zero-day vulnerabilities in products such as WatchGuard, Confluence, and Veeam. Previously, industry analysis emphasized technical flaws and patch cycles as the main threat vectors. Recent developments underscore a pivot in tactics, as attackers find cost-effective opportunities by seeking out system misconfigurations on cloud-based network edge devices. This shift has prompted network operators to scrutinize device setups more closely, broadening defensive strategies beyond simply patching software bugs.
Which Tactics Are Russian Groups Now Using?
Security researchers state that the Russian-linked collective, operating under aliases Sandworm, APT44, and Seashell Blizzard, now prioritizes accessing misconfigured network edge devices, especially those hosted on Amazon Web Services. Rather than depend solely on vulnerabilities like CVE-2022-26318, CVE-2021-26084, CVE-2023-22518, and CVE-2023-27532 affecting brands like WatchGuard, Confluence, and Veeam, attackers scan for incorrectly configured devices that provide footholds into sensitive networks. This adjustment enables the group to maintain persistent access to targeted environments while reducing operational risks.
What Types of Organizations Are Being Targeted?
Amazon confirms that the threat group’s campaign is not limited to energy companies but also encompasses telecom providers, organizations with cloud-based infrastructure, and collaboration software users across North America and Europe. Entities handling critical data, such as managed security service providers, face particular exposure. The attackers commonly use compromised network edge devices as entry points, then harvest credentials and seek lateral movement by targeting downstream systems and services within the victim’s IT ecosystem.
How Are Affected Companies and AWS Responding?
Amazon indicates that it has intervened by remediating affected EC2 instances, announcing that intelligence is also being shared with partners and vendors to assist ongoing investigations. According to company leadership, the threat is rooted more in customer misconfiguration than in security flaws within AWS itself.
“While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,”
said CJ Moses, Chief Information Security Officer of Amazon Integrated Security. He clarified,
“The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”
Sandworm’s ongoing focus on Western utilities and critical infrastructure signals a consistent strategic intent from Russia’s GRU-linked units. Documented incidents include successful cyber disruptions of Ukrainian power grids and attempts to interfere with government institutions and electoral systems in multiple countries. The continued development of attack methods to include credential theft through misconfigured cloud appliances means organizations must pay attention not only to patch management but also to configuration management on cloud deployments.
Companies leveraging Amazon Web Services and similar platforms must rigorously audit and monitor network edge device configurations to guard against current tactics. While the attack surface in cloud environments grows ever more complex, the shift away from exploiting technical vulnerabilities toward probing for human or process errors highlights the evolving landscape of cybersecurity risks. Effective defenses depend on a combination of technical patching, vigilant configuration reviews, and access to reliable threat intelligence to stay ahead of organized adversaries such as Sandworm and APT44.
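One concrete form such a configuration review can take is an automated check for edge-device management ports left open to the whole internet. The following is an added example, not Amazon's tooling or anything from the report: it walks security-group descriptions in the shape returned by the EC2 describe_security_groups API (the sample data here is constructed, and the list of management ports is an assumption to be tailored to the appliances actually deployed).

```python
"""Flag AWS security-group ingress rules that expose edge-device management
ports to any source. Added example; input is a constructed dict in the shape
of EC2 describe_security_groups output (a live audit would fetch it via boto3)."""

# Management ports commonly used by network edge appliances (assumed list, not
# from the report); tailor this to the devices in your estate.
MGMT_PORTS = {22, 23, 161, 443, 4443, 8080, 8443}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _port_range(perm):
    # IpProtocol "-1" means every protocol and port; FromPort/ToPort are absent.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_open(perm):
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_exposed_mgmt_rules(groups, mgmt_ports=MGMT_PORTS):
    """Return (group_id, protocol, from_port, to_port) for every ingress rule
    that lets any internet source reach at least one management port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            lo, hi = _port_range(perm)
            if any(lo <= p <= hi for p in mgmt_ports):
                findings.append((sg["GroupId"], perm.get("IpProtocol"), lo, hi))
    return findings


# Constructed sample: one tightly scoped group, one exposing SSH and 8443 to all.
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaaa0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bbbb0002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.1.0/24"}]}]},
]

if __name__ == "__main__":
    for gid, proto, lo, hi in find_exposed_mgmt_rules(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} reachable from the internet")
```

A finding means a management interface is reachable from anywhere, which is the kind of exposure the article describes attackers scanning for; restrict the source CIDR or move the interface behind a VPN or bastion.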
