Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure

Amazon has released new threat intelligence findings detailing a years-long cyber campaign linked to a Russian state-sponsored actor that targeted Western critical infrastructure between 2021 and 2025. The activity primarily affected energy sector organizations, critical infrastructure providers in North America and Europe, and companies operating cloud-hosted network environments.

According to Amazon, the campaign has been attributed with high confidence to the GRU-aligned threat group tracked as APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear.

Amazon noted that the attackers increasingly relied on misconfigured customer network edge devices with management interfaces exposed to the internet as their primary initial access vector. This approach became more prominent as the group's exploitation of zero-day and n-day vulnerabilities declined over the same period.

“This tactical shift allows the threat actor to achieve credential theft and lateral movement while reducing operational risk and resource costs,” said CJ Moses, Chief Information Security Officer of Amazon Integrated Security.

Evolving Tactics Observed Over Five Years

Amazon’s analysis shows that the campaign evolved over time, combining vulnerability exploitation with sustained abuse of poorly secured network edge devices.

During 2021 and 2022, attackers exploited a WatchGuard Firebox and XTM vulnerability tracked as CVE-2022-26318, while also targeting misconfigured edge devices. In 2022 and 2023, the activity expanded to include the Atlassian Confluence flaws CVE-2021-26084 and CVE-2023-22518, alongside continued edge device abuse. In 2024, exploitation of a Veeam Backup & Replication vulnerability, CVE-2023-27532, was observed. By 2025, the campaign focused almost entirely on persistently targeting misconfigured network edge infrastructure.

The targeted technologies included enterprise routers, VPN concentrators, remote access gateways, network management appliances, collaboration platforms, wiki systems, and cloud based project management tools.

Credential Harvesting and Replay Operations

Amazon believes the campaign was designed to harvest credentials at scale by positioning attackers at the network edge, allowing them to intercept sensitive traffic in transit. Telemetry data revealed coordinated attempts against misconfigured customer network devices hosted on Amazon Web Services infrastructure.

“Network analysis identified persistent connections from attacker controlled IP addresses to compromised EC2 instances running customer network appliance software,” Moses explained. These connections showed signs of interactive access and ongoing data collection.

The attackers also attempted credential replay attacks against victim organizations’ online services in an effort to deepen access. While many of these attempts were unsuccessful, Amazon assessed that they support the conclusion that stolen credentials were being reused for follow on intrusion attempts.

The attack chain typically involved compromising a network edge device hosted on AWS, enabling the appliance's native packet capture feature, collecting credentials from the intercepted traffic, replaying those credentials against cloud services and internal systems, and establishing persistent access for lateral movement.

Credential replay attempts targeted organizations in the energy, cloud and technology, and telecommunications sectors across North America, Europe, and the Middle East.
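The replay step of that chain is the one a defender can observe from the service side: a credential that was just used from its usual source shows up again, minutes later, from an address the account has never used. The following Python is an added example, not Amazon's detection logic or any product's code. It flags an account whose credential is used from an IP outside that account's baseline within a short window of legitimate use, and separately lists source IPs that touch several accounts, which is how a single attacker-controlled replay host stands out. The event fields, the per-user baseline map and the log events themselves are constructed for illustration.

```python
"""Credential replay detection over normalized authentication events.

Added example, not Amazon's telemetry or detection code. Assumptions:
events are normalized to {ts, user, src_ip, service, result}; the
baseline of known-good source IPs per account is maintained elsewhere
and supplied as a dict (constructed inline here).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # replay tends to follow capture closely
MIN_USERS_PER_SOURCE = 2         # one source IP touching several accounts

# Constructed sample events (not real telemetry). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T08:00:00Z", "user": "ops.admin",  "src_ip": "203.0.113.10",  "service": "vpn",           "result": "success"},
    {"ts": "2025-03-04T08:01:30Z", "user": "ops.admin",  "src_ip": "203.0.113.10",  "service": "wiki",          "result": "success"},
    {"ts": "2025-03-04T08:07:12Z", "user": "ops.admin",  "src_ip": "198.51.100.77", "service": "cloud-console", "result": "failure"},
    {"ts": "2025-03-04T08:07:40Z", "user": "ops.admin",  "src_ip": "198.51.100.77", "service": "mail",          "result": "success"},
    {"ts": "2025-03-04T09:00:00Z", "user": "j.doe",      "src_ip": "203.0.113.22",  "service": "vpn",           "result": "success"},
    {"ts": "2025-03-04T13:30:00Z", "user": "j.doe",      "src_ip": "203.0.113.22",  "service": "wiki",          "result": "success"},
    {"ts": "2025-03-05T02:15:00Z", "user": "svc.backup", "src_ip": "198.51.100.77", "service": "cloud-console", "result": "failure"},
]

# Constructed baseline: source IPs each account is expected to come from.
BASELINE = {
    "ops.admin": {"203.0.113.10"},
    "j.doe": {"203.0.113.22"},
    "svc.backup": {"10.0.0.5"},
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_replays(events, baseline, window=WINDOW):
    """One alert per (user, foreign IP) where the account was used from an
    IP outside its baseline within `window` of use from a baseline IP.
    Failed attempts are kept: a failure from a foreign IP right after a
    legitimate login still shows the credential has left the victim.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        known = baseline.get(user, set())
        for i, e in enumerate(evs):
            if e["src_ip"] in known:
                continue
            t = parse_ts(e["ts"])
            legit = [p for p in evs[:i]
                     if p["src_ip"] in known and t - parse_ts(p["ts"]) <= window]
            if not legit:
                continue
            key = (user, e["src_ip"])
            a = alerts.setdefault(key, {"user": user, "src_ip": e["src_ip"],
                                        "after_legit_ip": legit[-1]["src_ip"],
                                        "services": [], "results": []})
            a["services"].append(e["service"])
            a["results"].append(e["result"])
    return list(alerts.values())


def shared_sources(events, min_users=MIN_USERS_PER_SOURCE):
    """Source IPs that authenticate as several distinct accounts: a single
    replay host reusing a batch of harvested credentials."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == "__main__":
    for a in find_replays(SAMPLE_EVENTS, BASELINE):
        print("replay:", a)
    for ip, users in shared_sources(SAMPLE_EVENTS).items():
        print("shared source:", ip, users)
```

Two design points: the detector keys on any use of the credential, not only successes, because Amazon's own observation was that many replay attempts failed yet still established that the credentials had been stolen; and the window should be short, since the replay here followed capture on the edge device rather than a later credential dump. The baseline is the weak link in practice: for roaming users it needs to be built from ASN or device identity rather than a raw IP set.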

Links to Other GRU Aligned Activity

Amazon also identified infrastructure overlaps between this intrusion set and another cluster tracked by Bitdefender as Curly COMrades. This overlap suggests the possibility of coordinated or complementary operations supporting broader GRU objectives, with one group focusing on initial network access and another handling persistence and evasion.

In response, Amazon said it notified affected customers and disrupted active operations targeting its cloud services. Organizations are advised to audit network edge devices for unauthorized packet capture tooling and capture output, enforce strong authentication on management interfaces, monitor login attempts from unusual locations, and actively watch for credential replay activity.
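To make the first of those recommendations concrete, the following Python is an added example for auditing a Linux-based network appliance for signs of packet capture; it is not Amazon's tooling and not any vendor's. It reads interface state from `ip -d -o link show` (both the PROMISC flag and the detailed `promiscuity` counter, which a capture socket raises without necessarily setting the flag), looks for known sniffers in `ps` output, and scans writable directories for files that begin with a pcap or pcapng magic number regardless of their name or extension. The SAMPLE_* strings are constructed, and the command names, directories and the set of sniffer names are assumptions about the appliance.

```python
"""Audit a Linux-based network appliance for signs of packet capture.

Added example, not Amazon's or a vendor's tooling. Assumptions: the
appliance exposes a shell with iproute2 and procps, so interface state
comes from `ip -d -o link show` and processes from
`ps -eo pid,user,comm,args --no-headers`. SAMPLE_IP_LINK and SAMPLE_PS
are constructed strings, not output captured from a real device.
"""
import os
import re
import subprocess
import time

CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "tcpflow", "ngrep", "snoop"}
PCAP_MAGIC = (b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",   # pcap, big/little endian
              b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",   # pcap, nanosecond variants
              b"\x0a\x0d\x0d\x0a")                        # pcapng section header block

# Constructed `ip -d -o link show` output: eth0 has a capture socket open
# (counter only), eth1 was put in promiscuous mode explicitly (flag set).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 02:aa:bb:cc:dd:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 02:aa:bb:cc:dd:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000
"""

# Constructed `ps -eo pid,user,comm,args --no-headers` output.
SAMPLE_PS = """\
    1 root     systemd  /sbin/init
  412 root     sshd     sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
 1883 root     tcpdump  tcpdump -ni eth0 -w /var/tmp/.cache/out.pcap port 389 or port 88 or port 443
 2201 admin    bash     -bash
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>(.*)$")


def promiscuous_interfaces(ip_link_output):
    """Interfaces receiving all traffic: PROMISC flag, or a non-zero
    promiscuity counter from the detailed (-d) output."""
    found = []
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        name, flags, rest = m.group(1), m.group(2).split(","), m.group(3)
        counter = re.search(r"\bpromiscuity (\d+)", rest)
        if "PROMISC" in flags or (counter and int(counter.group(1)) > 0):
            found.append(name)
    return found


def capture_processes(ps_output):
    """Rows of `ps -eo pid,user,comm,args` whose command name is a known sniffer."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        if comm in CAPTURE_TOOLS:
            hits.append({"pid": int(pid), "user": user, "comm": comm, "args": args})
    return hits


def is_pcap_header(data):
    """True if the first bytes are a pcap or pcapng magic number."""
    return any(data.startswith(m) for m in PCAP_MAGIC)


def find_capture_files(roots=("/var/tmp", "/tmp", "/dev/shm", "/root", "/home"),
                       max_age_days=30):
    """Recently written files under `roots` that carry a capture magic
    number, whatever they are called (attackers rarely use .pcap)."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    if os.path.getmtime(p) < cutoff:
                        continue
                    with open(p, "rb") as fh:
                        if is_pcap_header(fh.read(4)):
                            hits.append(p)
                except OSError:
                    continue
    return hits


def run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces(run(["ip", "-d", "-o", "link", "show"])))
    print("capture processes:", capture_processes(run(["ps", "-eo", "pid,user,comm,args", "--no-headers"])))
    print("capture files:", find_capture_files())
```

The process-name check is the weakest of the three, since a renamed sniffer binary passes it; the promiscuity counter and the file-magic scan do not depend on what the attacker called anything. On an appliance that exposes only a vendor shell rather than Linux, the same three questions (which interfaces are in promiscuous mode, what is running a capture, and where capture output has been written) have to be asked through that vendor's own capture and file-listing commands.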
