Amazon Threat Intelligence Identifies Russian Cyber Group Targeting Western Critical Infrastructure

Amazon Web Services (AWS) has identified a Russian state-sponsored cyber threat group that has reportedly been targeting Western critical infrastructure, particularly the energy sector, since 2021.

4 June 2026
Amazon Web Services (AWS) announced Tuesday it has identified a Russian state-sponsored cyber threat group that has spent years targeting Western critical infrastructure, with a particular focus on the energy sector. The group has demonstrated a significant evolution in its tactics, according to AWS threat intelligence.

Rather than relying mainly on vulnerability exploitation, the group now primarily gains access through misconfigured customer-facing network edge devices. AWS states this "tactical pivot" allows the group to achieve its objectives, such as harvesting credentials and moving laterally within victim networks, with reduced exposure and resource expenditure.

Based on infrastructure overlaps with known Sandworm operations (also referred to as APT44 and Seashell Blizzard) and consistent targeting patterns, AWS assesses with high confidence that this activity cluster is linked to Russia's Main Intelligence Directorate (GRU). The campaign has maintained a sustained focus on Western critical infrastructure, particularly energy companies, with operations spanning from 2021 to the present.

Technical details from AWS show that between 2021 and 2025, the group targeted global infrastructure. While early tactics involved exploiting vulnerabilities in WatchGuard devices (CVE-2022-26318) and Confluence servers (CVE-2021-26084, CVE-2023-22518), the focus has increasingly shifted to exploiting misconfigured devices. In 2024, attacks also included the exploitation of Veeam vulnerabilities (CVE-2023-27532).

AWS is urging organizations to prioritize securing their network edge devices and to monitor for credential replay attacks to defend against this persistent threat heading into 2026.

Original source: aws.amazon.com