Russia’s Main Intelligence Directorate (GRU) is behind a years-long campaign targeting energy, telecommunications, and tech providers, stealing credentials and compromising misconfigured devices hosted on AWS to give the Kremlin’s snoops persistent access to sensitive networks, according to Amazon’s security boss.
“The campaign demonstrates sustained focus on Western critical infrastructure, particularly the energy sector, with operations spanning 2021 through the present day,” CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said in a Monday threat report. “Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat.”
Moses named enterprise routers, VPN concentrators, remote access gateways, and network management appliances as devices that deserve attention.
He said Russians are also trying to access corporate systems by targeting organizations’ collaboration and wiki platforms, plus cloud-based project management tools.
AWS declined to answer The Register’s questions about the number of victims in the GRU attacks.
According to Moses’ blog, the Russian attackers’ primary targets include Western energy-sector organizations and their suppliers, other North American and European critical infrastructure providers, and organizations with cloud-hosted network infrastructure.
From 0-days to device misconfigs
Amazon Threat Intelligence traced the global infrastructure cyber intrusions back to 2021, with the goons initially targeting misconfigured devices and exploiting CVE-2022-26318, a critical security hole in WatchGuard Firebox and XTM appliances that allowed unauthenticated users to execute arbitrary code via exposed management access.
The attackers moved on to exploiting two critical Confluence vulnerabilities, CVE-2021-26084 and CVE-2023-22518, between 2022 and 2023, before abusing a Veeam vulnerability (CVE-2023-27532) that was also exploited by ransomware criminals in 2024.
Since at least 2022, and continuing to this day, the GRU has been battering misconfigured network edge devices, according to Moses, who also noted a decline in N-day and zero-day vulnerability exploitation this year.
This represents a “concerning evolution,” because poking holes in misconfigurations – rather than abusing high-profile security flaws – “significantly” reduces the attackers’ “risk of exposing their operations through more detectable vulnerability exploitation activity,” he added.
Upon breaking into victims' networks, the miscreants established persistent connections to compromised EC2 instances running the organizations' network appliance software.
‘Continually disrupting’ operations
Many of the misconfigured network edge devices are hosted as virtual appliances on AWS, and according to a company spokesperson, the cloud giant has been “continually disrupting” the attackers’ operations “as we identify activity.” This includes notifying affected customers, remediating compromised EC2 instances, and sharing intelligence with industry partners, affected vendors, and law enforcement.
In addition to attacking organizations’ network infrastructure, Amazon observed systematic credential-replay attacks in which intruders attempted to use victims’ credentials to access their online services. In the specific cases where the Kremlin’s attackers tried to authenticate to AWS services, they didn’t find success, according to the cloud giant.
Amazon did not directly observe the Russians stealing credentials, and therefore can’t say the exact mechanism by which the spies are harvesting users’ log-in info. Moses said “multiple indicators,” including the time gap between device compromise and authentication attempts, plus the use of victims’ (not device) credentials, suggest that the cyber operatives used packet capture and traffic analysis as the primary collection method.
There is some overlap between the infrastructure used in this campaign and that of a group which security shop Bitdefender tracks as Curly COMrades. In light of this, Amazon assesses that the ongoing activity it's tracking, together with the earlier Curly COMrades incidents – Hyper-V abuse for endpoint-security evasion and the use of custom implants including CurlyShell and CurlCat – may be part of a broader GRU campaign.
“This potential operational division, where one cluster focuses on network access and initial compromise while another handles host-based persistence and evasion, aligns with GRU operational patterns of specialized subclusters supporting broader campaign objectives,” Moses wrote.
Given the threat landscape, Amazon suggests organizations should take several “immediate priority actions.” That to-do list includes conducting a network edge device audit, reviewing all authentication logs for credential reuse between network device management interfaces and online services, and monitoring for interactive sessions to appliance administration portals from unexpected source IPs.
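The last two items on that list, and the time-gap correlation Moses describes above, are straightforward to turn into log-review logic. The script below is an added example written for this article, not Amazon tooling or anything from the threat report: it runs over a handful of constructed appliance-admin and online-service authentication records, flags admin sessions from source addresses outside an assumed allowlisted management network, flags credentials that appear on both a device management interface and an online service, and correlates a suspicious admin session with later authentication attempts by the same user. The log format, field names, usernames, IP addresses and the 203.0.113.0/24 allowlist are all assumptions made up for the example.

```python
"""Added example (not Amazon's or The Register's code): the authentication-log
checks suggested in the article, run over constructed sample records.
Every log line, username, address and allowlist below is made up."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta

# Assumed (hypothetical) CSV format for appliance admin-portal logins:
# ISO timestamp, username, source IP, device name.
DEVICE_ADMIN_LOGINS = [
    "2025-11-03T08:12:00Z,jsmith,203.0.113.10,fw-edge-01",   # routine work from the management range
    "2025-11-03T22:41:00Z,jsmith,198.51.100.77,fw-edge-01",  # admin session from an unexpected address
    "2025-11-04T01:05:00Z,ops-vpn,198.51.100.77,vpn-gw-02",
]
# Assumed format for online-service authentication events:
# ISO timestamp, username, source IP, service, result.
ONLINE_SERVICE_AUTHS = [
    "2025-11-05T03:30:00Z,jsmith,198.51.100.77,wiki,success",  # same human credential, same outside IP
    "2025-11-05T03:32:00Z,jsmith,198.51.100.77,mail,failure",
    "2025-11-05T09:00:00Z,akhan,203.0.113.11,wiki,success",    # benign: never seen on a device portal
]
# Assumed allowlist: the only network appliance administration should come from.
EXPECTED_ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse(line: str, fields: tuple[str, ...]) -> dict:
    """Split one constructed CSV record and type its timestamp and source address."""
    rec = dict(zip(fields, line.split(",")))
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def from_expected_net(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in EXPECTED_ADMIN_NETS)


def unexpected_admin_sessions(device_lines: list[str]) -> list[dict]:
    """Interactive sessions to appliance admin portals from source IPs outside the allowlist."""
    recs = [parse(line, ("ts", "user", "src", "device")) for line in device_lines]
    return [r for r in recs if not from_expected_net(r["src"])]


def credential_reuse(device_lines: list[str], service_lines: list[str]) -> list[dict]:
    """Online-service auth events whose username was also used on a device management interface."""
    device_users = {parse(line, ("ts", "user", "src", "device"))["user"] for line in device_lines}
    svc = [parse(line, ("ts", "user", "src", "service", "result")) for line in service_lines]
    return [r for r in svc if r["user"] in device_users]


def replay_after_compromise(device_lines: list[str], service_lines: list[str],
                            window: timedelta = timedelta(days=7)) -> list[dict]:
    """Correlate each suspicious admin session with later auth attempts by the same user
    from outside the expected networks, reporting the gap between the two events."""
    svc = [parse(line, ("ts", "user", "src", "service", "result")) for line in service_lines]
    findings = []
    for session in unexpected_admin_sessions(device_lines):
        for attempt in svc:
            if (attempt["user"] == session["user"]
                    and not from_expected_net(attempt["src"])
                    and session["ts"] < attempt["ts"] <= session["ts"] + window):
                findings.append({
                    "user": attempt["user"],
                    "device": session["device"],
                    "service": attempt["service"],
                    "result": attempt["result"],
                    "gap_minutes": int((attempt["ts"] - session["ts"]).total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in replay_after_compromise(DEVICE_ADMIN_LOGINS, ONLINE_SERVICE_AUTHS):
        print(f"{f['user']}: admin session on {f['device']} then {f['service']} "
              f"auth ({f['result']}) {f['gap_minutes']} minutes later from an unexpected address")
```

In real deployments the device-portal records would come from the appliance's own audit log or a syslog collector, and the online-service side from the identity provider's sign-in log; the point of the correlation is that a human's credential turning up on a cloud service from the same unexpected address that earlier touched an appliance console is exactly the credential-replay pattern the report describes, and the gap between the two events is one of the indicators Amazon cites.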
Amazon’s security alert follows guidance issued last week from several US government agencies, along with more than 20 international partners, that outlined actions operational technology (OT) owners and operators should undertake to secure their critical networks against attacks by pro-Russian hacktivist groups linked to the GRU.
Neither CISA nor the FBI immediately responded to The Register's inquiries about the Amazon-documented GRU campaign. ®