Executive Summary
Between 2021 and 2025, Amazon's threat intelligence team uncovered a multi-year cyber campaign attributed to Russia's Main Intelligence Directorate (GRU), specifically associated with APT44/Sandworm. The attackers targeted Western energy sector organizations, critical infrastructure providers, and cloud-hosted network environments by exploiting vulnerabilities and, increasingly, leveraging misconfigured network edge devices. This facilitated credential interception and lateral movement through persistent network access, with efforts focused on credential harvesting and replay against victim organizations. Amazon responded by notifying affected customers and disrupting active operations, limiting further impact.
This incident underscores the sophistication and persistence of nation-state actors in targeting vital infrastructure by adapting TTPs to minimize exposure. The campaign signals an urgent shift towards exploiting cloud and network misconfigurations rather than relying solely on zero-day vulnerabilities—a trend that broadens risk for organizations across sectors.
Why This Matters Now
This incident highlights the pressing need for improved cloud and network edge security, as attackers are increasingly targeting misconfigurations over traditional software flaws. With critical infrastructure at risk and threat actors adapting rapidly, organizations must update security controls and monitoring practices urgently to address this evolving threat landscape.
Attack Path Analysis
The GRU threat actors initially compromised cloud-hosted or on-premise edge network devices with exposed management interfaces or known vulnerabilities. After gaining device-level access, they used intercepted network traffic to harvest credentials and tokens, escalating their privileges in cloud or enterprise networks. With stolen credentials, the attackers pivoted laterally to access additional workloads and services, maintaining persistence through interactive sessions and remote management. Command and control was established using persistent outbound connections from compromised network appliances to actor-controlled IPs, blending in with legitimate traffic. Sensitive data, including credentials and potentially operational data, was exfiltrated via these covert outbound channels. The ultimate impact aimed to enable continued espionage, further credential harvesting, and strategic positioning for disruption of critical infrastructure.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited misconfigured or vulnerable edge devices hosted in the cloud (e.g., exposed management interfaces on WatchGuard Firebox/XTM, Confluence, and Veeam), gaining a foothold via remote code execution.
Related CVEs
CVE-2022-26318
CVSS 9.8. An arbitrary code execution vulnerability in WatchGuard Firebox and XTM appliances allows remote attackers to execute arbitrary code.
Affected Products: WatchGuard Firebox and XTM Appliances – < 12.5.9
Exploit Status: exploited in the wild

CVE-2021-26084
CVSS 9.8. An OGNL injection vulnerability in Atlassian Confluence Server and Data Center allows remote code execution.
Affected Products: Atlassian Confluence Server and Data Center – < 6.13.23, 6.14.0 - 7.4.11, 7.5.0 - 7.11.5, 7.12.0 - 7.12.5, 7.13.0 - 7.13.0
Exploit Status: exploited in the wild

CVE-2023-22518
CVSS 10. An improper authorization vulnerability in Atlassian Confluence Data Center and Server allows unauthenticated attackers to reset Confluence and create an administrator account.
Affected Products: Atlassian Confluence Data Center and Server – < 7.19.16, 8.0.0 - 8.3.4, 8.4.0 - 8.4.4, 8.5.0 - 8.5.3, 8.6.0
Exploit Status: exploited in the wild

CVE-2023-27532
CVSS 9.8. An authentication bypass vulnerability in Veeam Backup & Replication allows unauthenticated users to access backup infrastructure hosts.
Affected Products: Veeam Backup & Replication – < 11.0.1.1261, 12.0.0.1420
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Network Service Discovery
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Brute Force: Credential Stuffing
Valid Accounts
Create Account
Remote Services: Remote Desktop Protocol
Network Sniffing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Enforce Strong Authentication and Authorization
Control ID: Identity Pillar – Authentication
NIS2 Directive – Technical and Organisational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Primary GRU target with years-long campaign exploiting network edge devices for credential harvesting, requiring enhanced encrypted traffic and zero trust segmentation capabilities.
Utilities
Critical infrastructure targeted through misconfigured edge devices and VPN concentrators, necessitating multicloud visibility and threat detection for nation-state espionage protection.
Information Technology/IT
Cloud service providers face coordinated attacks on AWS-hosted network appliances, demanding inline IPS and egress security to prevent credential replay operations.
Telecommunications
Telecom providers specifically targeted in credential replay operations across multiple regions, requiring east-west traffic security and secure hybrid connectivity measures.
Sources
- Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure: https://thehackernews.com/2025/12/amazon-exposes-years-long-gru-cyber.html
- Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure: https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
- CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server: https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-confluence-server-1311473907.html
- Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies: https://www.cisa.gov/news-events/alerts/2025/05/21/russian-gru-cyber-actors-targeting-western-logistics-entities-and-tech-companies
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing CNSF zero trust segmentation, east-west traffic controls, encryption-in-transit, and robust egress policy enforcement would have significantly constrained this attack at multiple stages, blocking lateral movement, credential harvesting, and data exfiltration. CNSF’s visibility and inline policy enforcement are critical to detecting early-stage compromise and halting malicious persistence in cloud-hosted edge environments.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized external access to management interfaces.
Control: Encrypted Traffic (HPE)
Mitigation: Prevented credential sniffing and interception.
Control: Zero Trust Segmentation
Mitigation: Restricted intra-cloud movement to only explicitly allowed identities and services.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked or alerted on unauthorized outbound C2 connections.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked known data exfiltration signatures.
Real-time alerting on anomalous behavior enabled rapid incident response.
Impact at a Glance
Affected Business Functions
- Energy Production
- Cloud Services
- Network Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive operational data and customer information due to unauthorized access and credential harvesting.
Recommended Actions
Key Takeaways & Next Steps
- Audit and restrict exposure of all edge device management interfaces and enforce cloud firewall policies.
- Deploy mandatory encrypted-in-transit controls (e.g., MACsec/IPsec) for all sensitive cloud and network traffic.
- Apply granular zero trust segmentation and least-privilege policies for intra-cloud and hybrid network flows.
- Enforce centralized egress filtering and inline IPS to prevent covert C2 and exfiltration attempts.
- Monitor for credential harvesting patterns and anomalous activity with continuous threat detection and rapid response automation.
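A defender-side check for the first action above (auditing exposed management interfaces), added here as an example that is not Amazon's, the report vendor's, or any appliance vendor's code: it scans security-group rules shaped like EC2 DescribeSecurityGroups output for management ports reachable from 0.0.0.0/0 or ::/0. The port list is an assumed starting set to tune per appliance, and the sample groups are constructed.

```python
"""Flag security-group rules that expose appliance management ports to the whole internet."""
import ipaddress

# Assumed admin ports: SSH, RDP, Confluence default HTTP, appliance HTTPS admin, Veeam Backup Service.
MGMT_PORTS = {22: "ssh", 3389: "rdp", 8090: "confluence", 8443: "https-admin", 9401: "veeam-backup"}


def _is_internet_wide(cidr):
    """True only for a /0 prefix (0.0.0.0/0 or ::/0), i.e. any source address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed CIDR: leave it to a separate validity check


def _ports_covered(perm):
    """Return the management ports that one IpPermissions entry reaches."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic": every port is reachable regardless of From/ToPort
        return set(MGMT_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in MGMT_PORTS if lo <= p <= hi}  # port ranges count, not just exact matches


def audit_security_groups(groups):
    """Return (group_id, port, service, cidr) tuples for management ports open to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = _ports_covered(perm)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _is_internet_wide(cidr):
                    findings.extend((sg["GroupId"], p, MGMT_PORTS[p], cidr) for p in sorted(ports))
    return findings


# Constructed sample: an edge firewall with its admin UI world-reachable and SSH limited to a
# bastion /32 (fine), and a backup host with an "all traffic" rule open to every IPv6 source.
SAMPLE_GROUPS = [
    {"GroupId": "sg-edge-fw", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.5.10/32"}]}]},
    {"GroupId": "sg-backup", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, svc, cidr in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {svc} ({port}) reachable from {cidr}")
```

Feeding it real data is a matter of passing the `SecurityGroups` list returned by `aws ec2 describe-security-groups` in place of the constructed sample.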