Amazon Details GRU’s Long-Term Cyber Espionage on Energy, Cloud Sectors

Amazon’s threat intelligence division has disclosed a protracted cyber espionage campaign orchestrated by Russia’s Main Intelligence Directorate (GRU), spanning from 2021 to 2025. The operation primarily targeted critical infrastructure, notably energy organizations across Western nations, as well as organizations in North America and Europe that run their network edge (routers, VPN gateways and similar appliances) on cloud infrastructure.

The GRU’s activities have been closely associated with the advanced persistent threat group APT44, also known by aliases such as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear. This attribution is based on significant overlaps in operational infrastructure and tactics.

Evolution of Attack Vectors:

Over the five-year period, the GRU’s methods evolved notably:

– 2021-2022: Exploited CVE-2022-26318, a pre-authentication remote code execution flaw in the management interface of WatchGuard Firebox and XTM appliances, and targeted misconfigured edge network devices.

– 2022-2023: Focused on Atlassian Confluence, using CVE-2021-26084 (an OGNL injection leading to unauthenticated remote code execution) and CVE-2023-22518 (an improper authorization flaw that lets an unauthenticated attacker reset a Confluence Data Center/Server instance and create an administrator account), while continuing to exploit misconfigured edge devices.

– 2024: Targeted CVE-2023-27532 in Veeam Backup & Replication, which lets an unauthenticated attacker pull stored credentials from an exposed backup service, alongside ongoing attacks on misconfigured edge devices.

– 2025: Maintained a consistent focus on misconfigured edge network devices.

All of the CVEs above were public and patched before the periods in which they were exploited, so the shift is from n-day exploitation of exposed software to leveraging misconfigured devices that need no exploit at all. This tactical adaptation achieves the same operational outcomes, credential harvesting and lateral movement, while minimizing exposure and the cost of acquiring and burning exploits.

Targeted Infrastructure and Techniques:

The GRU’s campaign specifically targeted:

– Enterprise routers and routing infrastructure

– VPN concentrators and remote access gateways

– Network management appliances

– Collaboration and wiki platforms

– Cloud-based project management systems

By compromising these components, the attackers positioned themselves at the network edge, enabling large-scale credential harvesting through intercepted traffic. Amazon’s telemetry data revealed coordinated attempts to exploit misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure.

Attack Methodology:

The GRU’s attack sequence typically involved:

1. Compromising Customer Network Edge Devices: Gaining initial access through misconfigured devices hosted on AWS.

2. Utilizing Packet Capture Capabilities: Employing the capture tools already present on the compromised device (tcpdump-style utilities or the appliance’s built-in capture feature) to monitor and record traffic passing through the edge, so no attacker tooling needs to be dropped on the box.

3. Credential Harvesting: Extracting sensitive credentials from the intercepted data.

4. Credential Replay Attacks: Attempting to use the harvested credentials to access victim organizations’ online services and infrastructure.

5. Establishing Persistent Access: Securing ongoing access to facilitate lateral movement within the targeted networks.

These credential replay operations predominantly targeted sectors such as energy, technology, cloud services, and telecommunications across North America, Europe, and the Middle East. The sustained focus on the energy sector supply chain underscores the strategic intent to infiltrate both direct operators and third-party service providers with access to critical infrastructure networks.
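The replay stage described above leaves a recognizable footprint in authentication logs: one source that successfully signs in as many different accounts in a short window (a pile of harvested credentials being replayed), and individual accounts that succeed from two countries closer together than a person could travel. The following script is an added example, not code from Amazon’s report; it runs two such heuristics over constructed sample log lines in an assumed "timestamp user src_ip country result" format, with window sizes and thresholds chosen as illustrative defaults.

```python
"""Detect credential-replay patterns in authentication logs.

Two heuristics matching the campaign described above:
  1. impossible travel: the same account succeeds from two different
     countries closer together in time than a person could travel;
  2. fan-out from one source: a single source address signs in
     successfully as many *different* accounts inside a short window,
     which is what replaying a batch of harvested credentials looks like.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Assumed format:
# "<ISO-8601 timestamp> <user> <src_ip> <country> <success|failure>".
SAMPLE_LOG = """\
2025-03-04T08:00:12Z alice 198.51.100.7 US success
2025-03-04T08:03:40Z bob 198.51.100.8 US success
2025-03-04T08:41:02Z alice 203.0.113.9 NL success
2025-03-04T08:41:15Z bob 203.0.113.9 NL success
2025-03-04T08:41:31Z carol 203.0.113.9 NL success
2025-03-04T08:41:50Z dave 203.0.113.9 NL failure
2025-03-04T08:42:02Z erin 203.0.113.9 NL success
2025-03-04T12:10:00Z frank 192.0.2.44 DE success
2025-03-04T18:30:00Z frank 192.0.2.45 DE success
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    success: bool


def parse_log(text):
    """Parse the assumed log format into AuthEvents sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                user, ip, country, result == "success"))
    return sorted(events, key=lambda e: e.ts)


def impossible_travel(events, max_gap=timedelta(hours=2)):
    """Return (user, prev_country, new_country, gap_seconds) for each pair of
    consecutive successful logins by one user from different countries that
    are less than max_gap apart. Failures are ignored: only successes prove
    the replayed credential worked."""
    alerts = []
    last = {}  # user -> most recent successful event
    for e in events:
        if not e.success:
            continue
        prev = last.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts <= max_gap:
            gap = int((e.ts - prev.ts).total_seconds())
            alerts.append((e.user, prev.country, e.country, gap))
        last[e.user] = e
    return alerts


def replay_sources(events, window=timedelta(minutes=10), min_users=3):
    """Return {src_ip: sorted distinct users} for every source that
    successfully authenticated as at least min_users different accounts
    within any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if e.success:
            by_src[e.src_ip].append(e)  # events are already time-sorted
    flagged = {}
    for ip, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            users = {x.user for x in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(set(flagged.get(ip, [])) | users)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in impossible_travel(evs):
        print("impossible travel:", alert)
    for ip, users in replay_sources(evs).items():
        print("replay source:", ip, users)
```

In the constructed data, 203.0.113.9 is the replaying host: it signs in as alice, bob, carol and erin inside a minute, and alice and bob also trip the impossible-travel check against their earlier US logins. Frank’s two German logins from adjacent addresses do not fire either rule, which is the point of keying the travel check on country rather than IP address. In production, the thresholds should be tuned per tenant, and a source that trips the fan-out rule while also holding a VPN or router login is a strong indicator of the edge-device compromise described in this campaign.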

Infrastructure Overlaps and Operational Insights:

Notably, the GRU’s intrusion activities share infrastructure overlaps with another cluster identified by Bitdefender as Curly COMrades, active since late 2023. This suggests a potential operational division within the GRU, where one cluster focuses on network access and initial compromise, while another handles host-based persistence and evasion. Such specialization aligns with known GRU operational patterns aimed at supporting broader campaign objectives.

Mitigation Recommendations:

In response to these findings, Amazon has taken proactive measures, including notifying affected customers and disrupting active threat actor operations targeting its cloud services. Organizations are advised to:

– Audit Network Edge Devices: Regularly inspect for unexpected packet capture utilities and other anomalies.

– Implement Strong Authentication: Enforce robust authentication mechanisms to safeguard access points.

– Monitor Authentication Attempts: Alert on sign-ins from unexpected geographic locations or network ranges, and on the same account succeeding from two distant locations within a short interval.

– Detect Credential Replay Attacks: Establish monitoring systems to identify and respond to credential replay attempts promptly.
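The first recommendation, auditing edge devices for unexpected packet capture utilities, can be turned into a routine check on any Linux-based appliance that exposes a shell. The script below is an added example, not Amazon’s tooling: it parses constructed `ps -eo pid,user,etimes,args` output, flags known capture tools that are not on a hypothetical (user, tool) allowlist, and raises the severity when a capture has been running for a long time or writes to a temporary or hidden location, both of which fit a months-long credential-harvesting capture better than a ten-minute troubleshooting session. Appliances without a shell should be checked with the vendor’s own capture-status commands instead.

```python
"""Audit a process listing for packet-capture activity on a Linux-based
edge device. Input is the text of `ps -eo pid,user,etimes,args`:
pid, owning user, elapsed seconds since start, full command line."""
import shlex

# Capture tools whose presence on an edge device normally needs a reason.
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "tcpflow", "ngrep", "snoop"}
# Hypothetical allowlist of (user, tool) pairs sanctioned on this device.
ALLOWED = {("netmon", "tcpdump")}
LONG_RUNNING = 3600  # seconds; a capture left running for an hour is suspect
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed `ps -eo pid,user,etimes,args` output (not from a real device).
SAMPLE_PS = """\
  PID USER      ELAPSED COMMAND
    1 root       864000 /sbin/init
  812 root       863900 /usr/sbin/sshd -D
 2231 netmon        120 tcpdump -i eth0 -c 200 -w /var/log/netmon/short.pcap
 4410 root        90210 tcpdump -i any -s 0 -w /tmp/.x/out.pcap port 443 or port 22
 4411 www-data      600 /usr/bin/tshark -i eth1 -f tcp port 21 -w /dev/shm/f
 5102 root           15 grep tcpdump
 6001 root           30 tcpdump -i eth0 -nn port 53
"""


def parse_ps(text):
    """Parse ps output into dicts; the command line is kept whole."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, elapsed, cmd = parts
        rows.append({"pid": int(pid), "user": user,
                     "elapsed": int(elapsed), "cmd": cmd})
    return rows


def output_path(argv):
    """Return the -w output file if present (tcpdump/tshark/dumpcap syntax)."""
    for i, arg in enumerate(argv):
        if arg == "-w" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-w") and len(arg) > 2:
            return arg[2:]
    return None


def suspicious_path(path):
    """Temp directories and hidden directories are where harvested
    captures tend to be staged."""
    hidden = any(p.startswith(".") for p in path.split("/") if p)
    return path.startswith(SUSPICIOUS_DIRS) or hidden


def audit_capture(rows, allowed=ALLOWED, long_running=LONG_RUNNING):
    """Return findings as (pid, user, tool, reasons) for every running
    capture tool that has at least one reason to be looked at."""
    findings = []
    for r in rows:
        argv = shlex.split(r["cmd"])
        # Match on argv[0] only, so "grep tcpdump" is not a false positive.
        tool = argv[0].rsplit("/", 1)[-1] if argv else ""
        if tool not in CAPTURE_TOOLS:
            continue
        reasons = []
        if (r["user"], tool) not in allowed:
            reasons.append("unsanctioned")
        if r["elapsed"] >= long_running:
            reasons.append("long_running")
        out = output_path(argv)
        if out and suspicious_path(out):
            reasons.append("suspicious_output")
        if reasons:
            findings.append((r["pid"], r["user"], tool, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for pid, user, tool, reasons in audit_capture(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} ({user}) {tool}: {', '.join(reasons)}")
```

The allowlisted netmon capture, which is short, bounded by `-c 200` and writing under /var/log, produces no finding, while the day-old root capture writing to a hidden directory under /tmp collects every reason. To run it against a live device, feed the script the output of `ps -eo pid,user,etimes,args` and maintain the allowlist alongside the device’s change records; a capture nobody can account for is exactly the anomaly the recommendation asks operators to look for.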

By adopting these measures, organizations can enhance their resilience against sophisticated state-sponsored cyber threats and protect their critical infrastructure from potential compromises.