A long-running Russian state-sponsored cyber campaign targeting critical infrastructure organizations across Western countries has shifted from exploiting software vulnerabilities to compromising misconfigured customer-owned network edge devices. According to Amazon Threat Intelligence, the activity was observed between 2021 and 2025 and has been attributed “with high confidence” to Russia’s Main Intelligence Directorate (GRU).
The unidentified threat actor has historically focused on energy sector organizations, critical infrastructure providers in North America and Europe, and enterprises operating cloud-hosted network infrastructure. Earlier campaigns relied heavily on exploiting known vulnerabilities, including WatchGuard (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084 and CVE-2023-22518), and a Veeam Backup & Replication issue tracked as CVE-2023-27532.
In 2025, the threat actors began targeting misconfigured enterprise network edge devices, some hosted on Amazon Web Services (AWS), to gain initial access. Amazon said that the issues stem from customer-side configuration errors, not flaws in AWS infrastructure. Targeted systems include enterprise routers, VPN concentrators, remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.
Researchers also observed credential harvesting from compromised infrastructure, followed by systematic replay attacks against victim online services.
The GRU attribution is based on infrastructure overlaps with previous operations linked to Sandworm (also known as APT44 or Seashell Blizzard). Additionally, the latest campaign shares infrastructure with a threat cluster tracked by Bitdefender as Curly COMrades, which was abusing Microsoft Hyper-V to evade endpoint detection and response tools and deploying custom implants dubbed CurlyShell and CurlCat.