Amazon exposes Russian cyber saboteurs targeting Western critical infrastructure

Amazon’s threat intelligence team has revealed a years-long Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025.
According to Amazon researchers, targets of the campaign included energy sector organizations across Western countries, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure.
The campaign has been attributed – with high confidence – to Russia’s Main Intelligence Directorate (GRU), known for aggressive cyber warfare. Amazon cites operational overlaps with APT44, a Russian threat group also known as Sandworm.
To the researchers, the Russian campaign represents a significant evolution in critical infrastructure targeting: a tactical pivot where misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined.
“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” said CJ Moses, chief information security officer of Amazon Integrated Security, in a blog post.
In the course of five years, the threat actor consistently targeted global infrastructure, with particular focus on the energy sector.
In 2021-2022, they exploited a flaw in WatchGuard Firebox and XTM appliances and targeted misconfigured edge network devices. In 2022-2023, Atlassian Confluence flaws were abused, and in 2024, they exploited a Veeam flaw.
As per Amazon, the activity singled out enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.
This was done to facilitate credential harvesting at scale. Telemetry data has also allegedly shown “coordinated attempts” aimed at misconfigured customer network edge devices hosted on Amazon Web Services infrastructure.
“Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 (core AWS service providing scalable virtual servers in the cloud) instances operating customers’ network appliance software,” said Moses.
Amazon additionally said it observed credential replay attacks against victim organizations’ online services as part of attempts to obtain a deeper foothold into targeted networks. These specific attempts were unsuccessful, though.
The tech giant has identified and notified affected customers, as well as disrupted active threat actor operations targeting AWS. However, Amazon doesn’t actually disclose how many attacks it observed as part of the campaign.