Executive Summary
In early 2025, Amazon Threat Intelligence disclosed a sustained campaign by Russia's GRU-linked Sandworm (APT44) targeting Western critical infrastructure, with a focus on the energy sector. The threat actors shifted tactics from exploiting software vulnerabilities to exploiting misconfigured network edge devices hosted on AWS as their primary entry vector. Once inside, attackers intercepted sensitive network traffic to steal credentials and leveraged these to expand and maintain access across enterprise and critical infrastructure environments, including electric utilities, energy providers, and managed security providers. Remediation included notification of affected customers, removal of compromised AWS EC2 instances, and intelligence sharing with partners.
This incident marks a concerning evolution in nation-state attack tradecraft: adversaries are prioritizing misconfigurations over traditional exploits, highlighting the need for organizations to reassess cloud and hybrid network security. The prevalence of cloud-hosted infrastructure increases urgency around identity and segmentation defenses.
Why This Matters Now
Attackers are increasingly leveraging customer misconfiguration, rather than exploiting software vulnerabilities, as a low-cost and effective initial access method into cloud and hybrid environments. This shift underscores the urgent need for robust security hygiene and vigilant configuration management, especially as more organizations migrate mission-critical operations to the cloud.
Attack Path Analysis
The attack began when Sandworm exploited misconfigured network edge devices hosted on AWS to gain an initial foothold into targeted organizations. After access, the threat group moved to escalate privileges by capturing credentials and reusing them to progress deeper within victim environments. Using obtained credentials, attackers pivoted laterally across cloud workloads and services, leveraging weak internal segmentation. They established command and control channels over compromised virtual network infrastructure, enabling continuous access and remote management. Sensitive data and credentials were exfiltrated, often by capturing unencrypted network traffic or covertly sending information outbound. The operation's ultimate impact ranged from persistent access and espionage to potential disruption of critical infrastructure operations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited misconfigured customer network edge devices (such as enterprise routers and VPN gateways) hosted in AWS to gain unauthorized remote access.
Related CVEs
CVE-2023-22518
CVSS: 10
An improper authorization vulnerability in Confluence Data Center and Server allows unauthenticated attackers to reset Confluence and create an administrator account, leading to full loss of confidentiality, integrity, and availability.
Affected Products:
Atlassian Confluence Data Center – All versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1
Atlassian Confluence Server – All versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1
Exploit Status: exploited in the wild
CVE-2022-26318
CVSS: 9.8
A vulnerability in WatchGuard Firebox and XTM appliances allows remote attackers to execute arbitrary code via a crafted request.
Affected Products:
WatchGuard Firebox and XTM Appliances – All versions prior to 12.7.2
Exploit Status: exploited in the wild
CVE-2021-26084
CVSS: 9.8
An OGNL injection vulnerability in Atlassian Confluence Server and Data Center allows remote code execution by unauthenticated attackers.
Affected Products:
Atlassian Confluence Server – All versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0
Atlassian Confluence Data Center – All versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0
Exploit Status: exploited in the wild
CVE-2023-27532
CVSS: 9.8
An authentication bypass vulnerability in Veeam Backup & Replication allows unauthenticated users to access backup infrastructure hosts.
Affected Products:
Veeam Backup & Replication – All versions prior to 11a (build 11.0.1.1261), 12 (build 12.0.0.1420)
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
External Remote Services
Network Service Discovery
OS Credential Dumping
Modify Authentication Process
Valid Accounts
System Network Connections Discovery
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Configuration Management
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21(2)
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10
CISA Zero Trust Maturity Model 2.0 – User and Device Access Controls
Control ID: Identity Pillar – Access Management
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Primary target of Russia's Sandworm APT44 campaign exploiting misconfigured AWS network edge devices, requiring enhanced encrypted traffic protection and zero trust segmentation.
Utilities
Electric utilities face critical infrastructure threats from GRU-sponsored attacks targeting collaboration platforms and cloud infrastructure with advanced persistent access methods.
Telecommunications
Telecom providers across multiple regions targeted through compromised VPN gateways and routing infrastructure, necessitating multicloud visibility and egress security controls.
Computer/Network Security
Managed security service providers specializing in the energy sector face state-sponsored espionage targeting source code repositories and network management appliances via CVE exploitation.
Sources
- Amazon warns that Russia’s Sandworm has shifted its tactics: https://cyberscoop.com/amazon-threat-intel-russia-attacks-energy-sector-sandworm-apt44/ (Verified)
- CVE-2023-22518 - Improper Authorization Vulnerability in Confluence Data Center and Server: https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-confluence-server-1311473907.html (Verified)
- CVE-2022-26318 Detail: https://nvd.nist.gov/vuln/detail/CVE-2022-26318 (Verified)
- Amazon: Russian Hackers Now Favor Misconfigurations in Critical Infrastructure Attacks: https://www.securityweek.com/amazon-russian-hackers-now-favor-misconfigurations-in-critical-infrastructure-attacks/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, encrypted traffic controls, egress policy enforcement, and comprehensive east-west visibility would have contained and detected attacker movement early, disrupting critical stages of the kill chain. CNSF-aligned controls tailored for cloud workloads and edge devices directly mitigate risks from misconfiguration, credential intercept, lateral movement, and covert exfiltration.
Control: Zero Trust Segmentation
Mitigation: Unmanaged or misconfigured assets would be isolated and prevented from exposure.
Control: Encrypted Traffic (HPE)
Mitigation: Credentials transmitted over the network remain protected from interception.
Control: East-West Traffic Security
Mitigation: Internal movement between workloads and services is tightly controlled.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Malicious remote access and covert channels are detected and blocked in real-time.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound transfers to unapproved destinations are blocked or flagged.
Anomalous behaviors are rapidly detected for swift response before operational impact.
Impact at a Glance
Affected Business Functions
- Energy Production
- Energy Distribution
- Cloud Infrastructure Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive operational data, including system configurations and access credentials, leading to unauthorized access and control over critical infrastructure systems.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation to reduce attack surface and contain lateral movement from compromised edge devices.
- Mandate end-to-end encryption (IPsec/MACsec) for all sensitive internal and external network traffic to prevent credential interception.
- Apply strict egress controls and FQDN filtering to block unauthorized data transfers or outbound C2 communication.
- Deploy continuous east-west visibility, microsegmentation, and anomaly detection to quickly identify and stop lateral attacker movement.
- Regularly audit and govern configuration of all network edge and cloud-native assets, addressing misconfigurations before attackers can exploit them.
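As an added example (not code from the original briefing, from Amazon, or from the CNSF product), the script below performs the configuration audit the last two recommendations call for: it scans security-group rules in the shape the EC2 DescribeSecurityGroups API returns and flags edge-device management ports reachable from the whole internet, and allow-all egress rules. The management-port list and the two sample groups are constructed assumptions, not data from the incident.

```python
"""Offline audit of security-group rules (EC2 DescribeSecurityGroups IpPermissions
shape) for world-exposed management ports and unrestricted egress. Sample data only."""

# Assumed edge-device admin ports; tune per device (SSL-VPN on 443 may be intended).
MGMT_PORTS = {22, 443, 8443}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

def _cidrs(rule):
    """IPv4 and IPv6 CIDRs referenced by one rule."""
    return ({r["CidrIp"] for r in rule.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])})

def _mgmt_ports_in(rule):
    """Management ports covered by a tcp or all-protocol ('-1') rule."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # all protocols: no port fields present
        return sorted(MGMT_PORTS)
    if proto != "tcp":
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return sorted(p for p in MGMT_PORTS if lo <= p <= hi)

def audit_group(group):
    """Return (finding, group id, ports) tuples for one security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        exposed = _mgmt_ports_in(rule)
        if exposed and _cidrs(rule) & ANY_CIDRS:
            findings.append(("ingress-mgmt-exposed", group["GroupId"], exposed))
    for rule in group.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") == "-1" and _cidrs(rule) & ANY_CIDRS:
            findings.append(("egress-unrestricted", group["GroupId"], []))
    return findings

def audit_all(groups):
    return [f for g in groups for f in audit_group(g)]

def _rule(proto, port, cidr):            # compact builder for the constructed sample
    r = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
    return r if proto == "-1" else {**r, "FromPort": port, "ToPort": port}

# Constructed sample: sg-edge-01 is a misconfigured VPN gateway, sg-edge-02 its hardened form.
SAMPLE_GROUPS = [
    {"GroupId": "sg-edge-01",
     "IpPermissions": [_rule("tcp", 22, "203.0.113.0/24"), _rule("tcp", 8443, "0.0.0.0/0")],
     "IpPermissionsEgress": [_rule("-1", None, "0.0.0.0/0")]},
    {"GroupId": "sg-edge-02",
     "IpPermissions": [_rule("udp", 500, "0.0.0.0/0"), _rule("udp", 4500, "0.0.0.0/0")],
     "IpPermissionsEgress": [_rule("tcp", 443, "198.51.100.0/24")]},
]
```

Run `audit_all(SAMPLE_GROUPS)` to list the findings; against live accounts, feed it the `SecurityGroups` list from a DescribeSecurityGroups call instead of the sample.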