Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices

By Team-CWD, December 16, 2025

A Russian state-sponsored threat actor that has targeted critical infrastructure organizations in Western countries for years has shifted its tactics from exploiting software vulnerabilities to compromising misconfigured customer-managed network edge devices.

While the actor has not been publicly named, Amazon has attributed it “with high confidence” to Russia’s Main Intelligence Directorate (GRU), the military intelligence service with which several known cyber threat groups are believed to be associated.

The tech giant documented its latest findings about this threat in a December 15 report.

Shift to Misconfigured Edge Device Targeting

Security researchers at Amazon Threat Intelligence observed this unnamed group targeting global infrastructure between 2021 and 2025.

The group’s typical targets have been energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and organizations with cloud-hosted network infrastructure.

Some of its previous campaigns included the exploitation of vulnerabilities in WatchGuard (e.g. CVE-2022-26318) in 2021 and 2022, in Confluence (e.g. CVE-2021-26084, CVE-2023-22518) in 2022 and 2023, and in Veeam (e.g. CVE-2023-27532) in 2024.

However, Amazon observed that in 2025 the group shifted its tactics away from vulnerability exploitation and now favors targeting misconfigured customer network edge devices, including some hosted on Amazon Web Services (AWS), to gain initial access to its victims.

The Amazon report stressed that the misconfigurations were on the customer side, in how the devices were deployed and exposed, not in the AWS cloud infrastructure itself.

Some of the group’s typical targets include:

  • Enterprise routers and routing infrastructure
  • VPN concentrators and remote access gateways
  • Network management appliances
  • Collaboration and wiki platforms
  • Cloud-based project management systems
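The article does not say which misconfigurations the group abused, so the following is an added, illustrative check rather than anything from the Amazon report: it audits AWS security-group ingress rules for management-plane ports (an assumed list) reachable from 0.0.0.0/0 or ::/0, which is one common way a customer-managed edge device ends up exposed. The input shape matches the JSON that `aws ec2 describe-security-groups` returns; the sample data, group IDs and helper names are constructed for this example.

```python
"""Audit security-group ingress rules for management ports open to the
internet. Illustrative check, not code from the Amazon report: the report
(as summarized here) does not enumerate the misconfigurations, and the port
list below is an assumption. Input shape matches the JSON from
`aws ec2 describe-security-groups`; the sample at the bottom is constructed."""
from __future__ import annotations

# (protocol, port) pairs an edge device's management plane commonly listens
# on. Assumed list for illustration; extend it for your own appliances.
MGMT_PORTS = {
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("udp", 161): "SNMP",
    ("tcp", 3389): "RDP",
    ("tcp", 8443): "HTTPS admin UI",
}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def world_open_sources(perm: dict) -> list[str]:
    """Return the any-source CIDRs referenced by one IpPermissions entry."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANY_SOURCE]


def exposed_mgmt_ports(perm: dict) -> list[tuple[str, int]]:
    """Management (protocol, port) pairs a rule covers; all of them for an
    'all traffic' rule (IpProtocol == "-1", which carries no port range)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(MGMT_PORTS)
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return sorted(
        (p, port) for (p, port) in MGMT_PORTS if p == proto and lo <= port <= hi
    )


def audit_security_groups(describe_output: dict) -> list[dict]:
    """One finding per (group, management port) reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = world_open_sources(perm)
            if not sources:
                continue  # limited to specific CIDRs; outside this check's scope
            for proto, port in exposed_mgmt_ports(perm):
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "protocol": proto,
                    "port": port,
                    "service": MGMT_PORTS[(proto, port)],
                    "sources": sources,
                })
    return findings


def _rule(proto, port, *cidrs):
    """Build one IpPermissions entry (helper for the constructed sample only)."""
    perm = {"IpProtocol": proto}
    if proto != "-1":
        perm.update(FromPort=port, ToPort=port)
    perm["IpRanges"] = [{"CidrIp": c} for c in cidrs if ":" not in c]
    perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in cidrs if ":" in c]
    return perm


# Constructed sample, not real account data. The VPN concentrator exposes
# only IKE/IPsec and HTTPS to the internet (expected for its role); the router
# leaves SSH and SNMP world-reachable; the management appliance allows all
# traffic from anywhere.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1", "GroupName": "vpn-concentrator", "IpPermissions": [
        _rule("udp", 500, "0.0.0.0/0"), _rule("udp", 4500, "0.0.0.0/0"),
        _rule("tcp", 443, "0.0.0.0/0")]},
    {"GroupId": "sg-0b2", "GroupName": "branch-router", "IpPermissions": [
        _rule("tcp", 22, "0.0.0.0/0"), _rule("udp", 161, "::/0"),
        _rule("tcp", 22, "10.0.0.0/8")]},
    {"GroupId": "sg-0c3", "GroupName": "nms-appliance", "IpPermissions": [
        _rule("-1", None, "0.0.0.0/0")]},
]}

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE):
        print(f"{f['group_id']} ({f['group_name']}): {f['service']} "
              f"{f['protocol']}/{f['port']} open to {','.join(f['sources'])}")
```

Against real data, pipe the `describe-security-groups` output into `audit_security_groups` in place of `SAMPLE`. The check deliberately ignores rules scoped to specific CIDRs and flags an all-traffic rule as exposing every management port, since that is what it does in practice.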

“This tactical adaptation enables the same operational outcomes, persistent access to critical infrastructure networks, credential harvesting and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” the Amazon researchers noted.

Other tactics observed with this group by the Amazon researchers include harvesting credentials from compromised infrastructure to launch systematic replay attacks against victim organizations’ online services.
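The replay tactic described above leaves a detectable pattern on the receiving service: one source address authenticating successfully as several different accounts in a short span. The detector below is an added example, not code from the Amazon report, and it assumes a simple key=value authentication log format and thresholds (a 10-minute window, three accounts) that you would tune per service; the log lines are constructed.

```python
"""Detect credential replay against an online service from authentication
logs: one source address successfully authenticating as several distinct
accounts within a short window. Added detection example, not from the Amazon
report; the log format and thresholds are assumptions, and the log lines at
the bottom are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed key=value log format, e.g.
#   2025-12-15T08:01:12Z user=alice src=203.0.113.7 result=success service=vpn
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)"
)


def parse_auth_line(line: str) -> dict | None:
    """Parse one line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_replay(lines, window_minutes: int = 10, min_accounts: int = 3) -> list[dict]:
    """Return one finding per source IP that successfully authenticated as at
    least `min_accounts` distinct users inside any `window_minutes` window.
    Shared NAT egress can trip this, so tune the thresholds per service."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for ev in filter(None, map(parse_auth_line, lines)):
        if ev["result"] == "success":  # failures alone look like spraying, not replay
            by_src[ev["src"]].append(ev)

    window = timedelta(minutes=window_minutes)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        j = 0
        for i in range(len(events)):  # sliding window over time-ordered successes
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            users = {e["user"] for e in events[i:j]}
            if len(users) >= min_accounts and (best is None or len(users) > len(best["users"])):
                best = {"src": src, "users": sorted(users),
                        "first": events[i]["ts"], "last": events[j - 1]["ts"]}
        if best:
            findings.append(best)
    return findings


# Constructed sample. 203.0.113.7 replays four harvested credentials in three
# minutes; 192.0.2.9 also logs in as three users, but spread over an hour,
# which the default window does not flag; the remaining lines are ordinary logins.
SAMPLE_LOG = """\
2025-12-15T08:00:02Z user=alice src=198.51.100.20 result=success service=vpn
2025-12-15T08:00:30Z user=frank src=192.0.2.9 result=success service=wiki
2025-12-15T08:01:12Z user=alice src=203.0.113.7 result=success service=vpn
2025-12-15T08:02:05Z user=bob src=203.0.113.7 result=success service=vpn
2025-12-15T08:02:40Z user=carol src=203.0.113.7 result=failure service=vpn
2025-12-15T08:03:01Z user=carol src=203.0.113.7 result=success service=vpn
2025-12-15T08:04:30Z user=dave src=203.0.113.7 result=success service=wiki
2025-12-15T08:05:00Z user=erin src=198.51.100.21 result=success service=vpn
2025-12-15T08:30:00Z user=grace src=192.0.2.9 result=success service=wiki
2025-12-15T09:00:00Z user=heidi src=192.0.2.9 result=success service=wiki
2025-12-15T09:05:00Z user=erin src=198.51.100.21 result=success service=vpn
""".splitlines()

if __name__ == "__main__":
    for f in detect_credential_replay(SAMPLE_LOG):
        print(f"{f['src']}: {len(f['users'])} accounts ({', '.join(f['users'])}) "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Widening the window to two hours also flags 192.0.2.9, which is the trade-off the thresholds encode: a longer window catches slower replay at the cost of more false positives from shared egress addresses. Pairing the result with the credential-harvesting indicators on the compromised edge device (the same accounts appearing in both) is what turns this from a hint into a confident detection.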

Likely Part of a Bigger Russian GRU Campaign

The attribution to the Russian GRU is based on infrastructure overlaps with previous operations linked to the GRU-attributed threat group known as Sandworm, APT44 or Seashell Blizzard.

The latest campaign targeting misconfigured edge devices also contains infrastructure overlaps with a group Bitdefender tracks as ‘Curly COMrades.’

That operation, documented by the cybersecurity firm on November 4, 2025, showed the Curly COMrades group abusing Hyper-V, Microsoft’s native hypervisor, to evade endpoint detection and response (EDR) solutions and deploying two custom implants, CurlyShell and CurlCat.

“We assess these may represent complementary operations within a broader GRU campaign, where one cluster focuses on network access and initial compromise while another handles host-based persistence and evasion,” the Amazon researchers wrote.

This operational division “aligns with GRU operational patterns of specialized subclusters supporting broader campaign objectives,” the Amazon report concluded.
