Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure

Dec 16, 2025
Ravie Lakshmanan
Cloud Security / Vulnerability

Amazon’s threat intelligence team has revealed details of a Russian state-sponsored campaign targeting Western critical infrastructure from 2021 to 2025.

The campaign, attributed with high confidence to Russia’s Main Intelligence Directorate (GRU), targeted energy sector organizations, critical infrastructure providers, and entities with cloud-hosted network infrastructure in North America and Europe.

The attacks initially targeted misconfigured customer network edge devices with exposed management interfaces and, over time, transitioned to attacks on critical infrastructure while reducing exposure and resource expenditure.

Credential harvesting and lateral movement into victim organizations’ online services and infrastructure were the main goals of the attacks, according to CJ Moses, Chief Information Security Officer of Amazon Integrated Security.


Over the years, the attacks exploited vulnerabilities in WatchGuard Firebox and XTM appliances, Atlassian Confluence, and Veeam, targeting misconfigured edge network devices and various infrastructure components.

The intrusions focused on enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems, aimed at facilitating credential harvesting at scale.

Telemetry data revealed coordinated attempts on misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure.
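The misconfiguration at the root of this activity is a management interface reachable from the whole internet. The following audit, added here as an example and not code from Amazon or the article, walks security-group style ingress rules and flags any rule that opens an assumed list of common management ports to 0.0.0.0/0 or ::/0. The rule data is constructed inline in the shape of boto3's describe_security_groups() output so the check runs offline; against a live account you would feed it the real response instead.

```python
"""Flag management ports exposed to the entire internet in security-group rules.

Constructed example: the rule data below mimics the shape of boto3's
describe_security_groups() output but is embedded inline so this runs offline.
"""
import ipaddress

# Assumed list of ports commonly used for appliance/device management;
# adjust to the products actually deployed.
MANAGEMENT_PORTS = {22, 443, 3389, 8080, 8443}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def management_ports_in_rule(perm: dict) -> list:
    """Return the management ports covered by one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # AWS encodes "all traffic" as protocol -1 with no ports
        return sorted(MANAGEMENT_PORTS)
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)


def find_exposed_management_ports(security_groups: list) -> list:
    """Return (group_id, port, cidr) for every management port open to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue  # scoped to a specific source range: not a finding
                for port in management_ports_in_rule(perm):
                    findings.append((sg["GroupId"], port, cidr))
    return findings


# Constructed sample: an edge appliance group and an over-permissive bastion group.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-edge-fw", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for group_id, port, cidr in find_exposed_management_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: port {port} reachable from {cidr}")
```

The check is deliberately conservative: it only reports rules that are open to every address, so a rule scoped to an administrator's source range is not a finding. Port 443 can be a legitimate public service rather than an admin interface, so each hit still needs a human decision on whether the listener behind it is a management plane that belongs behind a VPN or an allow-listed source.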

Credential replay attacks were observed against victim organizations’ online services to gain a deeper foothold into targeted networks.

  • Compromise customer network edge device on AWS
  • Utilize native packet capture capability
  • Replay intercepted credentials against victim organizations’ online services
  • Establish persistent access for lateral movement
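A credential intercepted on an edge device and replayed against an online service looks, from that service's side, like a valid login from a source the account has never used before, usually shortly after the legitimate login it was copied from. The detector below is an added example, not Amazon's telemetry logic or anything from the article; it runs over constructed authentication log lines in an assumed format and raises an alert when a successful login arrives from a previously unseen source IP within a short window of another success for the same account.

```python
"""Detect credential replay: a fresh success from a never-seen source soon after a known one.

Constructed example. The log format (timestamp, result, user, src, svc) is assumed;
adapt LINE_RE to the real authentication logs of the service being monitored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def parse_auth_lines(lines):
    """Parse the assumed log format into time-ordered event dicts; skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"],
                       "src": m["src"], "svc": m["svc"]})
    return sorted(events, key=lambda e: e["ts"])


def find_credential_replays(lines, window=timedelta(minutes=30)):
    """Alert when an account succeeds from a new source IP within `window` of a prior success."""
    alerts = []
    seen_sources = defaultdict(set)  # user -> source IPs with an earlier successful login
    last_success = {}                # user -> (timestamp, src) of the most recent success
    for e in parse_auth_lines(lines):
        if e["result"] != "ok":
            continue  # failures are useful elsewhere; replay of a valid credential succeeds
        user, src, ts = e["user"], e["src"], e["ts"]
        prev = last_success.get(user)
        if prev and src not in seen_sources[user] and ts - prev[0] <= window:
            alerts.append({"user": user, "new_src": src, "known_src": prev[1],
                           "svc": e["svc"], "minutes_after": (ts - prev[0]).seconds // 60})
        seen_sources[user].add(src)
        last_success[user] = (ts, src)
    return alerts


# Constructed sample log: alice's credential is reused from a new address minutes
# after her own login; bob has no baseline yet; carol changes address a day later.
SAMPLE_LOG = [
    "2025-03-04T08:00:12Z auth ok user=alice src=198.51.100.7 svc=vpn",
    "2025-03-04T08:01:30Z auth ok user=alice src=198.51.100.7 svc=mail",
    "2025-03-04T08:09:45Z auth ok user=alice src=203.0.113.44 svc=mail",
    "2025-03-04T09:15:00Z auth fail user=bob src=203.0.113.44 svc=vpn",
    "2025-03-04T09:15:20Z auth ok user=bob src=203.0.113.44 svc=vpn",
    "2025-03-05T10:00:00Z auth ok user=carol src=192.0.2.9 svc=mail",
    "2025-03-06T10:00:00Z auth ok user=carol src=192.0.2.10 svc=mail",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for a in find_credential_replays(SAMPLE_LOG):
        print(f"possible replay: {a['user']} via {a['svc']} from {a['new_src']} "
              f"{a['minutes_after']} min after {a['known_src']}")
```

The rule is a starting heuristic rather than a finished detection: roaming users also produce new source IPs, so production versions build the per-account baseline over days rather than from the first event and enrich the new source with ASN and geolocation before alerting. It also only finds what the page describes as the second step; the first step, capture on the edge device, is invisible to the online service, which is why the durable mitigation is phishing-resistant MFA and credential rotation rather than log analysis alone.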


Credential replay operations targeted energy, technology/cloud services, and telecom providers across different regions, focusing on the energy sector’s supply chain.

There are infrastructure overlaps with another cluster known as Curly COMrades, indicating specialized subclusters within GRU’s broader campaign objectives.

Amazon notified affected customers and disrupted active threat actor operations targeting its cloud services, recommending network security measures to prevent future attacks.