What's Happening?
Amazon's threat intelligence team has identified a shift in tactics by Russian state-sponsored hackers, who now favor abusing misconfigurations over exploiting vulnerabilities to gain access to critical infrastructure systems. The activity is linked to the Russian threat actor known as Sandworm, associated with Russia's GRU military intelligence agency. Over the past five years, these hackers have targeted energy organizations in Western nations and critical infrastructure in North America and Europe. Previously, they exploited vulnerabilities such as those in WatchGuard, Confluence, and Veeam products. Since 2025, however, there has been a noticeable decline in vulnerability exploitation and a shift toward misconfigured network edge devices. These devices, often hosted on Amazon Web Services (AWS), have been used for initial access, allowing the hackers to harvest credentials and move laterally within victim organizations.
Why It's Important?
The shift in hacking tactics highlights the evolving nature of cyber threats and the importance of securing network configurations. By targeting misconfigurations, hackers can achieve their objectives with reduced exposure and resource expenditure. This poses a significant risk to critical infrastructure, which is vital for national security and economic stability. Organizations relying on cloud-hosted infrastructure must prioritize secure configurations to prevent unauthorized access. The ongoing threat underscores the need for robust cybersecurity measures and vigilance in protecting sensitive systems from state-sponsored cyber activities.
What's Next?
Amazon has taken steps to disrupt the hacking campaign and has notified affected victims. The company continues to be active in the threat intelligence space, detailing various cyber threats and working to mitigate risks. Organizations are expected to enhance their cybersecurity protocols, focusing on securing network configurations and monitoring for potential breaches. The U.S. government and private sector may increase collaboration to address these threats and protect critical infrastructure from future attacks.