Amazon: Years-Long GRU Cyber Campaign Aimed at Energy & Cloud Infrastructure


“The GRU Cyber Campaign that has been running for so long is targeting Energy & Cloud Platforms.”

Details of a “years-long” Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025 have been made public by Amazon’s threat intelligence team.

The effort targeted corporations with cloud-hosted network infrastructure, vital infrastructure providers in North America and Europe, and organizations in the energy sector in Western countries.

Because of infrastructure overlaps with APT44 (also tracked as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear), the activity has been linked with high confidence to Russia’s Main Intelligence Directorate (GRU).


The activity is noteworthy for using misconfigured customer network edge devices with exposed management interfaces as its initial access vector. N-day and zero-day vulnerability exploitation declined over the same period, suggesting a shift in how critical infrastructure is being attacked.

CJ Moses, Chief Information Security Officer (CISO), Amazon Integrated Security

“This tactical change lowers the actor’s exposure and resource costs while enabling the same operational results: credential harvesting and lateral movement into the web services and infrastructure of victim businesses.”

“Analysis of network connections reveals that compromised EC2 instances running customers’ network appliance software are permanently connected to actor-controlled IP addresses.”

“Persistent connections consistent with interactive access and data retrieval across several impacted instances were found through analysis.”

“Targeting both direct operators and third-party service providers with access to vital infrastructure networks shows a persistent focus on the energy sector supply chain.”

“The GRU operational patterns of specialized subclusters supporting more general campaign objectives are consistent with this possible operational divide, where one cluster concentrates on network access and initial compromise while another manages host-based persistence and evasion.”

Over the campaign’s five-year span, the attacks have been observed exploiting the following vulnerabilities and techniques:

  • 2021-2022: Targeting incorrectly configured edge network devices and taking advantage of the WatchGuard Firebox and XTM vulnerability (CVE-2022-26318).
  • 2022-2023: Exploiting vulnerabilities in Atlassian Confluence (CVE-2021-26084 and CVE-2023-22518) and persistently focusing on incorrectly configured edge network devices.
  • 2024: Exploiting the Veeam vulnerability (CVE-2023-27532) and persistently focusing on incorrectly configured edge network devices.
  • 2025: Persistent targeting of edge network devices with incorrect configurations.

According to Amazon, the intrusion activity targeted cloud-based project management systems, network management appliances, VPN concentrators and remote access gateways, enterprise routers and routing infrastructure, and collaboration and wiki platforms.


Given that the threat actor can strategically position themselves on the network edge to capture sensitive data in transit, these efforts are probably intended to enable credential harvesting at scale.

Additionally, coordinated attempts targeting customer network edge devices hosted on Amazon Web Services (AWS) infrastructure have been revealed via telemetry data.

Furthermore, Amazon reported seeing credential replay attacks against victims’ web services, aimed at establishing a stronger foothold in the targeted networks. Although these attempts are assessed to have been unsuccessful, they support the theory that the adversary harvests credentials from compromised customer network infrastructure for follow-on attacks.

The full attack chain proceeds as follows:

  • Compromise the AWS-hosted customer network edge device.
  • Make use of the native packet capture feature.
  • Collect credentials from traffic that has been intercepted.
  • Replay credentials against the infrastructure and internet services of the targeted organizations.
  • Establish long-term access for lateral movement.

Energy, technology/cloud services, and telecom service providers in North America, Western and Eastern Europe, and the Middle East have been the focus of the credential replay operations.

It’s interesting to note that the intrusion set also shares infrastructure (91.99.25[.]54) with another cluster that Bitdefender tracks under the moniker Curly COMrades, which is thought to have been operating in support of Russian interests since late 2023.

This has increased the likelihood that the two clusters could be complementary operations inside a larger GRU effort.

In addition to identifying and informing impacted customers, Amazon claimed to have stopped active threat actor operations aimed at its cloud services. The corporation does not, however, provide the number of attacks it has documented as part of the campaign or whether the pace of operations has changed since the initial wave of attacks in 2021.

Organizations are advised to enforce strong authentication, monitor for authentication attempts from unexpected geographic areas, audit all network edge devices for unexpected packet capture utilities, and watch for credential replay attacks.
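The attack chain above ends in credential replay, and the last recommendation is to watch for it. The following added example (not code from Amazon or the report) shows one detection approach: flag a user whose credentials succeed from more than one source IP within a short window, and any authentication from a watchlisted source. The log format, the usernames and the IPs other than the actor IP quoted in the article are constructed for the example.

```python
"""Credential-replay detection over authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <source_ip> <geo> <result>".
# Only 91.99.25.54 comes from the article; everything else is made up.
SAMPLE_LOG = """\
2025-11-10T09:00:12Z alice 203.0.113.10 US success
2025-11-10T09:02:45Z alice 198.51.100.7 DE success
2025-11-10T09:03:01Z bob 203.0.113.11 US success
2025-11-10T14:20:00Z bob 203.0.113.11 US success
2025-11-10T14:25:30Z carol 91.99.25.54 NL failure
"""

WATCHLIST = {"91.99.25.54"}   # actor-linked IP named in the article
WINDOW = timedelta(minutes=10)  # two distinct source IPs inside this window is suspicious


def parse(line):
    ts, user, ip, geo, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "geo": geo, "result": result}


def find_replay(log_text, window=WINDOW, watchlist=WATCHLIST):
    """Return alerts as tuples: (rule, user, detail)."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    by_user = defaultdict(list)   # successful logins seen per user
    for e in events:
        # Any contact from a watchlisted source is reported, success or not.
        if e["ip"] in watchlist:
            alerts.append(("watchlist_ip", e["user"], e["ip"]))
        if e["result"] != "success":
            continue
        # Prior successes for this user inside the window.
        recent = [p for p in by_user[e["user"]] if e["ts"] - p["ts"] <= window]
        if any(p["ip"] != e["ip"] for p in recent):
            geos = sorted({p["geo"] for p in recent} | {e["geo"]})
            alerts.append(("multi_source_replay", e["user"], geos))
        by_user[e["user"]].append(e)
    return alerts


if __name__ == "__main__":
    for alert in find_replay(SAMPLE_LOG):
        print(alert)
```

In the sample, bob's two logins are hours apart from the same IP and are not flagged, while alice's second success from a different IP and country two minutes later is.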

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
