Cybersecurity

Amazon Exposes Years-long Gru Cyber Campaign Targeting Energy And...

2025-12-16 0 views admin
Amazon Exposes Years-long Gru Cyber Campaign Targeting Energy And...

Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025.

Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure. The activity has been attributed with high confidence to the GRU-affiliated APT44, which is also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear.

The activity is notable for using as initial access vectors misconfigured customer network edge devices with exposed management interfaces, as N-day and zero-day vulnerability exploitation activity declined over the time period – indicative of a shift in attacks aimed at critical infrastructure, the tech giant said.

"This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations' online services and infrastructure, while reducing the actor's exposure and resource expenditure," CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said.

The attacks have been found to leverage the following vulnerabilities and tactics over the course of five years -

The intrusion activity, per Amazon, singled out enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.

These efforts are likely designed to facilitate credential harvesting at scale, given the threat actor's ability to position themselves strategically on the network edge to intercept sensitive information in transit. Telemetry data has also uncovered what has been described as coordinated attempts aimed at misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure.

"Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers' network appliance software," Moses said. "Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances."

In addition, Amazon said it observed credential replay attacks against victim organizations' online services as part of attempts to obtain a deeper foothold into targeted networks. Although these attempts are as

Source: The Hacker News

🏷️ Tags

securityvulnerabilityattackthreatexploit

More from Cybersecurity

Cellik Android Malware Builds Malicious Versions From Google Play Apps

Cellik Android Malware Builds Malicious Versions From Google Play Apps

2025-12-16 0
Ghostposter Attacks Hide Malicious Javascript In Firefox Addon Logos

Ghostposter Attacks Hide Malicious Javascript In Firefox Addon Logos

2025-12-16 0
Venezuelan Oil Company Downplays Alleged Us Cyberattack 2025

Venezuelan Oil Company Downplays Alleged Us Cyberattack 2025

2025-12-16 0
Amazon Disrupts Russian Gru Hackers Attacking Edge Network Devices

Amazon Disrupts Russian Gru Hackers Attacking Edge Network Devices

2025-12-16 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views