The Amazon Threat Intelligence team said it disrupted active operations attributed to hackers working for the Russian foreign military intelligence service (GRU) that targeted customers’ cloud infrastructure, with activity traced back to 2021 and a focus on Western critical infrastructure, particularly the energy sector.
CJ Moses, chief information security officer of Amazon Integrated Security, said the years-long campaign initially exploited multiple vulnerabilities in products such as WatchGuard, Confluence and Veeam, but that the actor later moved away from zero-day and known n-day exploitation and increasingly targeted misconfigured edge devices instead.
Amazon said the attackers focused on exposed management interfaces of enterprise routers, VPN gateways, network management appliances, collaboration platforms and cloud-based project management tools to achieve persistent access and harvest credentials, while keeping operational objectives – credential theft and lateral movement with minimal exposure – unchanged.
The company assessed with high confidence that the observed activity was carried out by hackers working for the Russian GRU and said overlaps in infrastructure linked the campaign to known GRU subgroups; Amazon also stated that one subcluster, referred to as Curly COMRades, may perform post-compromise work as part of a broader campaign.
Amazon reported that it did not directly observe the credential-extraction mechanism but said timing and the abuse of organizational credentials pointed to passive packet capture and traffic interception. Compromised devices were customer-managed appliances hosted on AWS EC2 instances, and Amazon noted the attacks did not exploit flaws in AWS itself.
After discovery, Amazon said it took steps to protect affected EC2 instances, notified impacted customers, shared intelligence with vendors and partners, and disrupted the threat actor’s operations. The company published IP addresses linked to the activity but cautioned that those IPs were legitimate servers that had been compromised and should not be blocked without contextual investigation.
Amazon recommended immediate actions including auditing network devices for exposed management interfaces, watching for credential replay and monitoring access to administrative portals, and advised AWS customers to isolate management interfaces from the Internet, restrict security groups to the sources that actually need access and enable CloudTrail, GuardDuty and VPC Flow Logs.
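Two of those recommendations, the security-group audit and the credential-replay check, can be turned into offline checks. The script below is an added example and not Amazon's code or tooling: it runs over constructed data shaped like the output of boto3's `ec2.describe_security_groups()` and like CloudTrail event records, so nothing here calls AWS. The list of management ports, the ten-minute replay window and the "two distinct source IPs" threshold are assumptions to tune for your own fleet.

```python
"""Added example (not Amazon's code): offline versions of two checks from the
advisory above. Input data is constructed to mirror the shapes returned by
boto3 ec2.describe_security_groups() and by CloudTrail event records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports that typically carry an appliance's management UI or API. Assumption:
# the right set depends on the products you run; extend it for your fleet.
MANAGEMENT_PORTS = {22, 443, 8443, 4443, 10443, 9443, 8080, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def exposed_management_rules(security_groups):
    """Return (group id, protocol, from port, to port, cidr) for every ingress
    rule that opens a management port to the whole Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1":            # "-1" means all traffic; no port fields
                ports = MANAGEMENT_PORTS
            elif proto not in ("tcp", "udp") or from_port is None:
                continue
            else:
                ports = {p for p in MANAGEMENT_PORTS if from_port <= p <= to_port}
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    findings.append((sg["GroupId"], proto, from_port, to_port, cidr))
    return findings


def credential_replay(events, window_minutes=10, min_ips=2):
    """Flag access keys used from >= min_ips distinct source IPs inside a
    sliding window. Heuristic assumption: one long-lived key active from
    several addresses at once looks more like a stolen credential than like
    a single administrator. Returns {access key id: sorted list of IPs}."""
    window = timedelta(minutes=window_minutes)
    seen = defaultdict(list)                     # key id -> [(time, ip), ...]
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        seen[key].append((t, e["sourceIPAddress"]))
    flagged = {}
    for key, uses in seen.items():
        uses.sort()
        for i, (t0, _) in enumerate(uses):      # window starts at each use
            ips = {ip for t, ip in uses[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flagged[key] = sorted(ips)
                break
    return flagged


# Constructed sample data; identifiers and addresses are not real.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},   # weak
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},  # fine
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},                       # weak
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},  # fine
]

SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2024-05-01T09:03:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}},   # same key, new IP, 3 min
    {"eventTime": "2024-05-01T09:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"}},
    {"eventTime": "2024-05-01T13:00:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"}},   # 4 h apart: not flagged
]

if __name__ == "__main__":
    for finding in exposed_management_rules(SAMPLE_GROUPS):
        print("exposed management port:", finding)
    for key, ips in credential_replay(SAMPLE_EVENTS).items():
        print("possible credential replay:", key, ips)
```

The security-group check deliberately treats an `IpProtocol` of `-1` as covering every management port, because "all traffic from ::/0" is the misconfiguration most likely to be missed when only port-specific rules are reviewed. The replay heuristic is a starting point, not a verdict: NAT, VPNs and CI runners all produce a single key on several addresses, so triage each hit against the source IPs, which is also why the advisory warns against blocking the published indicator addresses without context.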

