Russia’s Shadow Net: Uncovering the GRU’s Cyber Assault on Global Energy and Cloud Systems


Key Takeaways

  • A Russian state-sponsored campaign, attributed to the Main Intelligence Directorate (GRU), targeted Western critical infrastructure between 2021 and 2025.
  • The campaign used misconfigured customer network edge devices with exposed management interfaces as initial access vectors.
  • The attacks leveraged several vulnerabilities, including a WatchGuard Firebox and XTM flaw, Atlassian Confluence flaws, and a Veeam flaw.
  • The threat actor’s goal was to harvest credentials at scale and gain lateral movement into victim organizations’ online services and infrastructure.
  • Organizations are advised to audit network edge devices, enforce strong authentication, monitor for authentication attempts from unexpected locations, and watch for credential replay attacks.

Introduction to the Russian State-Sponsored Campaign
The Amazon threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025. The campaign, attributed to Russia’s Main Intelligence Directorate (GRU), targeted energy sector organizations, critical infrastructure providers, and entities with cloud-hosted network infrastructure in North America and Europe. The activity is notable for using misconfigured customer network edge devices with exposed management interfaces as initial access vectors, rather than relying on N-day and zero-day vulnerability exploitation.

Tactical Adaptation and Attack Vectors
The campaign’s use of misconfigured customer network edge devices as initial access vectors is a tactical adaptation that lets the threat actor achieve the same operational outcomes, such as credential harvesting and lateral movement, while reducing exposure and resource expenditure. According to CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, this approach allows the threat actor to position itself strategically on the network edge and intercept sensitive information in transit. Over the course of five years, the attacks were also found to leverage several vulnerabilities, including a WatchGuard Firebox and XTM flaw, Atlassian Confluence flaws, and a Veeam flaw.

Intrusion Activity and Targeting
The intrusion activity, as observed by Amazon, singled out enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems. These efforts are likely designed to facilitate credential harvesting at scale, given the threat actor’s ability to position themselves strategically on the network edge. Telemetry data has also uncovered coordinated attempts aimed at misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure. Network connection analysis has revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.

Credential Replay Attacks and Lateral Movement
In addition to compromising customer network edge devices, the threat actor has also been observed conducting credential replay attacks against victim organizations’ online services. Although these attempts are assessed to be unsuccessful, they lend weight to the hypothesis that the adversary is grabbing credentials from compromised customer network infrastructure for follow-on attacks. The entire attack plays out as follows: compromise the customer network edge device hosted on AWS, leverage native packet capture capability, gather credentials from intercepted traffic, replay credentials against the victim organizations’ online services and infrastructure, and establish persistent access for lateral movement.

Targeting and Infrastructure Overlaps
The credential replay operations have targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. The targeting demonstrates a sustained focus on the energy sector supply chain, including both direct operators and third-party service providers with access to critical infrastructure networks. Interestingly, the intrusion set also shares infrastructure overlaps with another cluster tracked by Bitdefender under the name Curly COMrades, which is believed to have been operating with Russia-aligned interests since late 2023. This raises the possibility that the two clusters represent complementary operations within a broader campaign undertaken by the GRU.

Conclusion and Recommendations
Amazon has identified and notified affected customers, and has disrupted active threat actor operations targeting its cloud services. Organizations are advised to audit all network edge devices for unexpected packet capture utilities, enforce strong authentication, monitor for authentication attempts from unexpected geographic locations, and watch for credential replay attacks. By taking these steps, organizations can help prevent similar attacks and protect their critical infrastructure from Russian state-sponsored campaigns. The disclosure of this campaign highlights the importance of vigilance and proactive measures in preventing and detecting cyber threats, particularly those sponsored by nation-states.
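The attack chain described above (credentials intercepted at the edge and later replayed against online services) and the monitoring recommendations in this section can be turned into a concrete detection. The following is an added example, not Amazon's tooling or anything from the disclosure: it scans authentication logs for a user's credential being presented from a country outside the organisation's expected set shortly after a legitimate login, and then looks for a single unexpected source replaying several users' credentials, which is the pattern credentials harvested at scale would produce. The log format, field names, expected-country list and sample lines are all constructed for this example.

```python
"""Flag candidate credential-replay attempts in authentication logs.
Added example (not Amazon's or any vendor's tooling); the log format, field
names and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Countries a hypothetical organisation expects its staff to log in from.
EXPECTED_COUNTRIES = {"US", "CA", "DE"}
REPLAY_WINDOW = timedelta(hours=6)

# Constructed sample log: timestamp user source_ip country outcome
SAMPLE_LOG = """\
2025-10-02T08:01:10Z alice 203.0.113.10 US success
2025-10-02T08:45:02Z bob 198.51.100.7 DE success
2025-10-02T09:12:33Z alice 192.0.2.44 RU failure
2025-10-02T09:12:35Z alice 192.0.2.44 RU success
2025-10-02T09:13:01Z bob 192.0.2.44 RU failure
2025-10-03T07:30:00Z carol 203.0.113.22 CA success
"""

def parse_line(line):
    ts, user, ip, country, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "outcome": outcome}

def find_replays(log_text, expected=EXPECTED_COUNTRIES, window=REPLAY_WINDOW):
    """Return (user, ip, country, outcome) for each attempt from an unexpected
    country within `window` of that user's last success from an expected one.
    Failures are kept: a replayed, since-rotated password still shows intent."""
    last_expected = {}  # user -> time of last success from an expected country
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["country"] in expected:
            if ev["outcome"] == "success":
                last_expected[ev["user"]] = ev["ts"]
            continue
        prior = last_expected.get(ev["user"])
        if prior is not None and ev["ts"] - prior <= window:
            alerts.append((ev["user"], ev["ip"], ev["country"], ev["outcome"]))
    return alerts

def sources_hitting_many_users(alerts, threshold=2):
    """One unexpected source replaying several users' credentials points to
    credentials harvested at scale rather than a single travelling employee."""
    users_by_ip = defaultdict(set)
    for user, ip, _country, _outcome in alerts:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= threshold}
```

On the sample log this yields three per-user alerts (two for alice, one for bob) and one source, 192.0.2.44, that presented more than one user's credential within the window.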
