The campaign, attributed with high confidence to the GRU-affiliated group APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active against Western critical infrastructure, including energy sector organizations across Western nations and critical infrastructure providers in North America and Europe, since 2021. The activity is notable for its tactical shift over the years, moving away from N-day and zero-day vulnerability exploitation towards using misconfigured customer network edge devices with exposed management interfaces as the primary initial access vector. This adaptation allows the actor to achieve the same operational outcomes, such as credential harvesting and lateral movement, while reducing their exposure and resource expenditure. The targeted devices included enterprise routers, VPN concentrators, network management appliances, and collaboration platforms.

Over the five-year period, the threat actor leveraged a mix of specific vulnerabilities and the sustained targeting of misconfigured edge devices. In 2021 and 2022, this included the exploitation of a WatchGuard Firebox and XTM flaw, as well as the targeting of misconfigured edge devices. This pattern continued in 2022 and 2023 with the exploitation of Atlassian Confluence flaws alongside the sustained targeting of misconfigured devices. By 2024, the actor exploited a Veeam flaw while maintaining focus on misconfigured edge devices, and in 2025, the activity has primarily been characterized by the sustained targeting of these misconfigured network appliances. The overarching goal of these attacks appears to be credential harvesting at scale, achieved by strategically positioning themselves on the network edge to intercept sensitive information in transit.

Telemetry data revealed coordinated attempts aimed at misconfigured customer network edge devices hosted on Amazon Web Services infrastructure, with actor-controlled IP addresses establishing persistent connections to compromised EC2 instances running customers’ network appliance software. These persistent connections were consistent with interactive access and data retrieval. The entire attack sequence involves compromising the customer network edge device, leveraging its native packet capture capability to gather credentials from intercepted traffic, and then replaying those credentials against the victim organization’s online services and infrastructure to establish persistent access for lateral movement.

GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025

Credential replay operations have been specifically targeted at energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East, demonstrating a sustained focus on the energy sector supply chain. This targeting includes both direct operators and third-party service providers with access to critical infrastructure networks. Furthermore, the intrusion activity shares infrastructure overlaps with another cluster tracked as Curly COMrades, which is also believed to operate with Russian interests, suggesting that the two may represent specialized subclusters within a broader GRU campaign, with one focusing on network access and the other on host-based persistence.

Amazon has identified and notified affected customers while also disrupting active threat actor operations targeting its cloud services. To mitigate risk, organizations are strongly recommended to audit all network edge devices for unexpected packet capture utilities, implement strong authentication methods, actively monitor for authentication attempts from unexpected geographic locations, and closely watch for credential replay attacks against their online services.

Source: Amazon Exposes GRU Campaign Targeting Energy And Cloud Infrastructure