Russian Hackers Intensify Attacks on Western Network Edge Devices
Since 2021, a Russian state-sponsored hacking group, linked to the Main Intelligence Directorate (GRU) and the notorious Sandworm group, has been systematically targeting network edge devices within Western critical infrastructure. This campaign has escalated throughout 2025, marking a significant shift in cyberattack strategies.
Strategic Shift in Attack Methods
Well-resourced adversaries have traditionally invested in exploiting software vulnerabilities, including zero-days unknown to the vendor. This group has instead concentrated on network devices whose management interfaces are reachable from the internet through misconfiguration. A foothold gained this way needs no exploit, so it costs nothing in vulnerability research and leaves few of the artifacts that exploit-focused detection looks for, while still delivering persistent access and a vantage point for credential theft.
Targeted Sectors and Devices
The primary targets are energy-sector organizations across North America and Europe, along with other critical infrastructure providers. The compromised devices include enterprise routers, VPN gateways and network management appliances, many of them running as instances on cloud platforms. Because such a device sits in the path of authentication traffic, an attacker who controls it can capture the credentials users send through it and later use them against the victim organization's online services and internal systems.
Detection and Analysis
Analysts from Amazon Web Services (AWS) identified this campaign through their threat intelligence telemetry. They observed coordinated attacks against customer network edge devices hosted on AWS. It’s crucial to note that these compromises did not result from AWS security flaws but were due to customer misconfigurations that left management interfaces exposed to the internet.
Network analysis revealed persistent connections from attacker-controlled IP addresses to compromised EC2 instances running network appliance software. This indicates interactive access and ongoing data collection by the attackers.
Evolution of the Campaign
The timeline of this campaign demonstrates a clear evolution in tactics:
– 2021-2022: Exploitation of WatchGuard devices using CVE-2022-26318.
– 2022-2023: Targeting of Confluence platforms through CVE-2021-26084 and CVE-2023-22518.
– 2024: Exploitation of Veeam via CVE-2023-27532.
– 2025: Sustained focus on misconfigured devices, with a reduced emphasis on exploiting specific vulnerabilities.
This progression indicates a strategic shift toward exploiting easier targets, such as misconfigured devices, rather than investing resources in discovering and exploiting new vulnerabilities.
Credential Harvesting and Replay Operations
Once an edge device is under their control, the attackers use its packet capture capability to harvest credentials from authentication traffic passing through it. The delay between compromise and the first replay attempts points to a passive collection strategy: capture quietly over time and use the credentials later, rather than acting on each one as it is obtained.
The hackers capture not only device passwords but also credentials of users authenticating to various services through the compromised infrastructure. After collecting these credentials, they systematically replay them against victim organizations’ online services, including collaboration platforms, source code repositories, and cloud management consoles.
AWS researchers have repeatedly observed this pattern: device compromise, followed by authentication attempts using stolen credentials against the victim’s cloud services and enterprise applications. The attackers have established connections to authentication endpoints across multiple sectors, including electric utilities, energy providers, managed security providers, and telecommunications companies spanning North America, Europe, and the Middle East.
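The pattern described above, a long-lived interactive session to a device's management port followed by sign-ins from the same source, can be turned into a correlation check over two data sources a cloud-hosted victim already has: VPC flow logs for the appliance's network interface and CloudTrail events. The following is an added example written for this article, not AWS tooling or code from the campaign. The flow records and CloudTrail events are constructed, and the management-port set, the 30-minute threshold and the hypothetical addresses are assumptions. It treats any CloudTrail activity from an address that earlier held a persistent management session on the appliance as a replay candidate.

```python
"""Correlate persistent sessions on an appliance's management port with later
activity from the same source addresses.

Added example, not AWS tooling. Inputs are constructed: flow records use the
default VPC Flow Logs (version 2) field order, events mirror CloudTrail
records. The port set and the threshold are assumptions.
"""
from datetime import datetime, timezone

MANAGEMENT_PORTS = {22, 443, 8443}   # assumption: the appliance's admin plane
PERSISTENT_SECONDS = 30 * 60         # assumption: sessions this long are interactive

# Constructed flow records. Flow logs emit one record per aggregation window
# (10 minutes here), so a long-lived session appears as consecutive records
# for the same 5-tuple. 198.51.100.23 holds a TLS session to the admin port
# for 40 minutes; 192.0.2.77 connects for 30 seconds; 203.0.113.9 is rejected.
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.10 51544 443 6 1200 980000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.10 51544 443 6 1300 1010000 1700000600 1700001200 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.10 51544 443 6 1250 990000 1700001200 1700001800 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.10 51544 443 6 1100 870000 1700001800 1700002400 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.77 10.0.1.10 40022 443 6 20 4800 1700000300 1700000330 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 55001 22 6 12 900 1700000400 1700000404 REJECT OK
"""

# Constructed CloudTrail events. Epoch 1700000000 is 2023-11-14T22:13:20Z.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2023-11-14T09:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.5.4",
     "userIdentity": {"type": "IAMUser", "userName": "netops-admin"}},
    {"eventTime": "2023-11-16T03:13:20Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "netops-admin"}},
    {"eventTime": "2023-11-16T04:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}},
    {"eventTime": "2023-11-16T04:05:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "netops-admin"}},
]


def parse_flow_log(text):
    """Parse version 2 default-format records; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[13] != "OK":
            continue
        records.append({"src": f[3], "dst": f[4], "srcport": int(f[5]), "dstport": int(f[6]),
                        "proto": int(f[7]), "start": int(f[10]), "end": int(f[11]), "action": f[12]})
    return records


def persistent_management_sessions(records, ports=MANAGEMENT_PORTS, min_seconds=PERSISTENT_SECONDS):
    """Map source IP -> span of the longest accepted TCP session it held on a management port."""
    spans = {}
    for r in records:
        if r["action"] != "ACCEPT" or r["proto"] != 6 or r["dstport"] not in ports:
            continue
        key = (r["src"], r["dst"], r["srcport"], r["dstport"])
        first, last = spans.get(key, (r["start"], r["end"]))
        spans[key] = (min(first, r["start"]), max(last, r["end"]))   # stitch consecutive windows
    sessions = {}
    for (src, dst, _sport, dport), (first, last) in spans.items():
        if last - first < min_seconds:
            continue
        prev = sessions.get(src)
        if prev is None or last - first > prev["last_seen"] - prev["first_seen"]:
            sessions[src] = {"first_seen": first, "last_seen": last, "target": f"{dst}:{dport}"}
    return sessions


def _epoch(ts):
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def flag_replay_candidates(events, sessions):
    """CloudTrail activity from an address that earlier held a persistent management session."""
    hits = []
    for ev in events:
        sess = sessions.get(ev.get("sourceIPAddress"))
        when = _epoch(ev["eventTime"])
        if sess is None or when < sess["first_seen"]:   # only activity after the session began
            continue
        hits.append({"user": ev["userIdentity"].get("userName"), "event": ev.get("eventName"),
                     "source": ev["sourceIPAddress"], "when": ev["eventTime"],
                     "hours_after_first_seen": round((when - sess["first_seen"]) / 3600, 1),
                     "appliance": sess["target"]})
    return hits


if __name__ == "__main__":
    sessions = persistent_management_sessions(parse_flow_log(FLOW_LOGS))
    for hit in flag_replay_candidates(CLOUDTRAIL_EVENTS, sessions):
        print(hit)
```

The exact-IP pivot is deliberately narrow. The report notes a gap between capture and replay, and the replay may well come from other infrastructure, so in production the session source set is better widened to the owning network or ASN, or paired with a separate rule for a user's first sign-in from a previously unseen address.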
Technical Methodology
The exploitation of WatchGuard devices provides insight into the attackers' technical approach. The captured exploit payload shows that they encrypted stolen configuration files with Fernet (the symmetric authenticated-encryption recipe from Python's cryptography package, not a standalone library), exfiltrated them over TFTP to compromised staging servers, and cleaned up by deleting temporary files. The encryption hides the configuration contents from anyone watching the transfer, which matters because TFTP itself is unauthenticated cleartext UDP; the transfer is nonetheless an anomaly in its own right, since a firewall pushing files out to an external TFTP server is not normal behaviour and is worth alerting on. Taken together, the steps show deliberate attention to operational security and anti-forensics.
Implications and Recommendations
The shift toward targeting misconfigured network edge devices underscores the importance of robust configuration management and regular security audits. Organizations are advised to:
– Regularly Review and Update Configurations: Ensure that every network device runs a hardened configuration and that management interfaces are reachable only from a management network or jump host, never from the internet. For cloud-hosted appliances this means auditing the security groups in front of the instance as well as the appliance's own admin-access rules.
– Implement Strong Access Controls: Enforce multi-factor authentication, preferably phishing-resistant methods that a replayed password alone cannot satisfy, and apply least privilege so that a single harvested credential opens as little as possible. Treat every credential that transited a compromised device as exposed and rotate it.
– Monitor Network Traffic: Deploy intrusion detection and review flow logs for patterns that fit this campaign: long-lived sessions to management ports from unfamiliar addresses, outbound TFTP or other file transfers originating from an appliance, and sign-ins to cloud consoles or code repositories from addresses with no prior history for that user.
– Stay Informed on Threat Intelligence: Track published indicators and tradecraft for this and similar campaigns so that detections reflect current attacker behaviour rather than the exploits of previous years.
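The first recommendation is easy to state and easy to get wrong on a cloud-hosted appliance, because the exposure lives in the security group rather than in the device. Below is an added example, not AWS code or anything from the campaign, that audits security groups in the shape returned by EC2 DescribeSecurityGroups for management ports reachable from outside the organization. The sample groups are constructed, and the port list and the choice of RFC 1918 and ULA ranges as "internal" are assumptions to tune for your own fleet.

```python
"""Audit EC2 security groups for management ports reachable from the internet.

Added example, not AWS code. The input mirrors the IpPermissions shape
returned by EC2 DescribeSecurityGroups, so live output from
    boto3.client("ec2").describe_security_groups()["SecurityGroups"]
can be passed straight in; the sample groups below are constructed.
"""
import ipaddress

# TCP ports commonly carrying appliance admin planes (assumption: tune to your fleet).
# 443 on a VPN gateway may legitimately be public; the finding is a prompt to confirm
# the management UI is not also bound on that interface.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 3389: "rdp",
                    4433: "https-alt", 8080: "http-alt", 8443: "https-alt", 10443: "https-alt"}

# Ranges treated as internal (assumption). ipaddress.is_private is not used because it
# also exempts the documentation ranges, which would mask the sample below.
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo = perm.get("FromPort")
    hi = perm.get("ToPort", lo)
    return lo is not None and lo <= port <= hi


def _exposure(cidr):
    """'world' for 0.0.0.0/0 or ::/0, 'public' for any other non-internal range, else None."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    if any(net.version == i.version and net.subnet_of(i) for i in _INTERNAL):
        return None
    return "public"


def find_exposed_management_ports(security_groups, ports=MANAGEMENT_PORTS):
    """Return one finding per (group, port, source range) that exposes a management port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                exposure = _exposure(cidr)
                if exposure is None:
                    continue
                for port, service in ports.items():
                    if _rule_covers_port(perm, port):
                        findings.append({"group": sg["GroupId"], "name": sg.get("GroupName", ""),
                                         "port": port, "service": service,
                                         "source": cidr, "exposure": exposure})
    return findings


# Constructed sample: an appliance whose admin UI is world-reachable on 443 and whose SSH
# is open to a public /24, a group that allows everything from any IPv6 source, and a clean one.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "vpn-appliance", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-9f8e7d6c", "GroupName": "all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-55667788", "GroupName": "mgmt-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for f in find_exposed_management_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['service']}/{f['port']} open to {f['source']} [{f['exposure']}]")
```

A clean result from this check is necessary but not sufficient: the appliance's own configuration can still bind the admin UI to the same public interface as the service port, so pair the security-group audit with a review of the device's management-access rules.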
By adopting these measures, organizations can substantially raise their resilience against this campaign, which succeeds through exposed management planes and reusable passwords rather than through novel exploits.