Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure
Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025. Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure. The activity has
AI Analysis
Technical Summary
Amazon's threat intelligence team disclosed a prolonged cyber espionage campaign attributed with high confidence to Russia's GRU (APT44/FROZENBARENTS/Sandworm) targeting critical infrastructure from 2021 through 2025. The campaign primarily targeted energy sector organizations, cloud infrastructure providers, and telecom operators across Western nations, North America, Europe, and the Middle East. Initial access was gained predominantly through exploitation of misconfigured customer network edge devices hosted on AWS, including routers, VPN concentrators, and network management appliances. Early phases (2021-2022) involved exploiting known vulnerabilities such as CVE-2022-26318 in WatchGuard Firebox devices, followed by Atlassian Confluence flaws (CVE-2021-26084, CVE-2023-22518) in 2022-2023, and a Veeam vulnerability (CVE-2023-27532) in 2024. Over time, the adversary shifted focus from zero-day exploits to leveraging misconfigurations, enabling stealthier, resource-efficient operations. The attackers used native packet capture capabilities on compromised devices to intercept network traffic and harvest credentials at scale. These credentials were then replayed against victim organizations’ online services to establish persistent access and enable lateral movement. Telemetry indicated persistent connections from actor-controlled IPs to compromised EC2 instances running customer network appliance software, consistent with interactive access and data exfiltration. The campaign also showed infrastructure overlaps with another Russian-aligned cluster, suggesting coordinated subgroups specializing in initial compromise and persistence. Amazon has taken steps to disrupt ongoing operations and notified impacted customers. The campaign underscores the threat posed by supply chain and cloud-hosted network infrastructure compromises in critical sectors.
Potential Impact
European organizations, particularly in the energy, telecom, and cloud service sectors, face significant risks from this campaign. Compromise of network edge devices can lead to large-scale credential theft, enabling attackers to infiltrate sensitive systems, disrupt operations, and potentially manipulate critical infrastructure. The targeting of supply chain providers amplifies the risk, as attackers can pivot to multiple downstream victims. Persistent access and lateral movement capabilities increase the likelihood of prolonged espionage or sabotage. The use of cloud-hosted infrastructure (AWS) for initial compromise complicates detection and response, as it blends with legitimate cloud operations. This threat could undermine energy grid stability, telecom network integrity, and cloud service availability, with cascading effects on national security and economic stability in Europe. The campaign’s stealth and multi-year duration highlight the challenge of detecting and mitigating such advanced persistent threats.
Mitigation Recommendations
European organizations should take the following steps:
- Conduct comprehensive audits of all network edge devices, especially those hosted in cloud environments like AWS, to identify and remediate misconfigurations and unauthorized packet capture utilities.
- Implement strong multi-factor authentication (MFA) on all management interfaces and online services to reduce credential replay risks.
- Employ network segmentation to limit lateral movement from compromised edge devices.
- Continuously monitor authentication logs for anomalies such as logins from unexpected geographic locations or unusual times.
- Deploy advanced threat detection tools capable of identifying persistent connections from suspicious IP addresses to cloud-hosted network appliances.
- Regularly patch known vulnerabilities in network devices and collaboration platforms, prioritizing those exploited in this campaign (WatchGuard Firebox, Atlassian Confluence, Veeam).
- Establish incident response plans tailored to cloud-hosted infrastructure compromises, including rapid isolation of affected instances.
- Collaborate with cloud service providers to gain visibility into network appliance usage and suspicious activity.
- Enhance supply chain security by vetting third-party providers with access to critical infrastructure networks.
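As an added example (not from the article or from Amazon's report), the following Python checker implements the "persistent connections from suspicious IP addresses to cloud-hosted network appliances" recommendation over constructed VPC Flow Log records: it groups accepted external-to-appliance management flows by source, destination and port, and flags pairs whose cumulative connection time or session count is high. The appliance subnet, management ports, thresholds and sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): appliance EC2 instances live in 10.0.0.0/16
# and expose management on these ports; thresholds are illustrative starting points.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")
MGMT_PORTS = {22, 443, 8443}
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records in the default VPC Flow Logs version-2 layout.
SAMPLE_FLOWS = """\
2 123456789012 eni-0abc 203.0.113.7 10.0.1.10 51234 443 6 900 64000 1700000000 1700004000 ACCEPT OK
2 123456789012 eni-0abc 203.0.113.7 10.0.1.10 51235 443 6 30 2000 1700005000 1700005060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.9 10.0.1.10 40000 443 6 12 900 1700000000 1700000010 ACCEPT OK
2 123456789012 eni-0abc 10.0.2.5 10.0.1.10 50000 22 6 500 30000 1700000000 1700003600 ACCEPT OK
2 123456789012 eni-0abc 203.0.113.7 10.0.1.10 51236 443 6 10 800 1700100000 1700100020 REJECT OK
"""

def parse_flows(text):
    """Parse space-separated flow-log lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        for k in ("srcport", "dstport", "start", "end"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows

def find_persistent_sessions(flows, min_total_seconds=3600, min_sessions=2):
    """Return {(src, dst, port): {"seconds": total, "sessions": count}} for
    accepted external->appliance management flows exceeding either threshold."""
    totals = defaultdict(lambda: {"seconds": 0, "sessions": 0})
    for f in flows:
        src, dst = ipaddress.ip_address(f["srcaddr"]), ipaddress.ip_address(f["dstaddr"])
        if f["action"] != "ACCEPT" or f["dstport"] not in MGMT_PORTS:
            continue
        if src in INTERNAL_NET or dst not in INTERNAL_NET:
            continue  # only external sources reaching internal appliances count
        key = (f["srcaddr"], f["dstaddr"], f["dstport"])
        totals[key]["seconds"] += f["end"] - f["start"]
        totals[key]["sessions"] += 1
    return {k: v for k, v in totals.items()
            if v["seconds"] >= min_total_seconds or v["sessions"] >= min_sessions}

if __name__ == "__main__":
    for key, stats in find_persistent_sessions(parse_flows(SAMPLE_FLOWS)).items():
        print(f"persistent external session {key}: {stats}")
```

Rejected flows and internal-to-internal traffic are excluded, so in the sample only the repeated, hour-plus sessions from 203.0.113.7 to the appliance on port 443 are reported.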
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Poland, Spain, Belgium, Sweden, Norway
Technical Details
- Article Source: https://thehackernews.com/2025/12/amazon-exposes-years-long-gru-cyber.html (fetched 2025-12-17T01:38:52.283Z, 1264 words)
Threat ID: 694209ae473cb759e1e4680c
Added to database: 12/17/2025, 1:38:54 AM
Last enriched: 12/17/2025, 1:39:47 AM
Last updated: 2/5/2026, 5:55:25 AM