
Amazon disrupts Russian GRU hackers attacking edge network devices

Published:

16 December 2025 at 20:13:09

Alert date:

16 December 2025 at 21:00:58

Source:

bleepingcomputer.com


Cloud & Virtualization, Network Infrastructure, Critical Infrastructure, Data Breach & Exfiltration

Amazon's threat intelligence team disrupted active operations by hackers working for the GRU, Russia's foreign military intelligence agency, who were compromising customers' edge network devices as a route into cloud-hosted systems. Amazon intervened in the ongoing operations to protect its customers' infrastructure from the state-sponsored group.

Technical details

The GRU campaign began in 2021 and ran for years against Western critical infrastructure, the energy sector in particular. Early on the actors exploited vulnerabilities in WatchGuard, Confluence and Veeam products; they later shifted to misconfigured customer network edge devices, including enterprise routers, VPN gateways, network management appliances, collaboration platforms and cloud-based project management solutions. Among the targets were customer-managed network appliances hosted on AWS EC2 instances. The actors used passive packet capture and traffic interception on compromised devices to steal credentials, and followed initial compromise with lateral movement and further credential harvesting.

Mitigation steps:

Audit edge network devices (routers, VPN gateways, network management appliances) for misconfigurations and exposed services
Watch for replay of credentials that may have been captured from device traffic
Monitor access to administrative portals of edge devices and appliances
Isolate management interfaces of appliances running in AWS environments from the internet and from production workloads
Restrict security groups so that management ports are reachable only from trusted ranges
Enable CloudTrail
Enable GuardDuty
Enable VPC Flow Logs
Conduct a contextual investigation before blocking the IP addresses from the report, since Amazon warns they are compromised legitimate servers used as proxies
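The two AWS-side checks in this list (restricting security groups around management ports and monitoring administrative-portal access through VPC Flow Logs) as a worked example. This is added illustration code, not from Amazon's report or the BleepingComputer article: the security-group and flow-log records are constructed sample data in the shape of `aws ec2 describe-security-groups` output and the default VPC Flow Log record format, and the appliance address, trusted CIDR and management-port set are assumptions for the demo.

```python
"""Audit security groups that expose appliance management ports to the
internet, and hunt VPC Flow Logs for accepted connections to those ports
from outside trusted ranges.

Added example: the records below are constructed sample data; in a real
run, feed in the output of `aws ec2 describe-security-groups` and your
delivered flow-log records instead.
"""
import ipaddress

# Ports that commonly carry admin interfaces on edge appliances (SSH, 8443/4443
# admin UIs, Confluence's 8090). 443 is left out because VPN gateways must serve
# it publicly; tune this set to your fleet (assumption for this example).
MANAGEMENT_PORTS = {22, 8443, 4443, 8090, 10443}

# Constructed sample: one group leaks an admin UI to the world, one is scoped
# to a bastion subnet.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "vpn-gateway",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},    # VPN service port, expected
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},    # admin UI open to the internet
     ]},
    {"GroupId": "sg-0e1f2a3b", "GroupName": "mgmt-only",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.50.0.0/24"}]},   # bastion subnet only
     ]},
]

# Constructed sample in the default flow-log record format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0abc12345 10.50.0.7 10.50.1.10 45012 22 6 20 3200 1734379200 1734379260 ACCEPT OK
2 123456789012 eni-0abc12345 198.51.100.23 10.50.1.10 51234 8443 6 12 1800 1734379200 1734379260 ACCEPT OK
2 123456789012 eni-0abc12345 203.0.113.9 10.50.1.10 40001 443 6 30 5000 1734379200 1734379260 ACCEPT OK
2 123456789012 eni-0abc12345 203.0.113.9 10.50.1.10 40002 8443 6 5 600 1734379200 1734379260 REJECT OK
2 123456789012 eni-0abc12345 - - - - - - - 1734379200 1734379260 - NODATA
"""


def cidr_is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. 'anyone on the internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_management_ports(groups, mgmt_ports=MANAGEMENT_PORTS):
    """Return (group_id, port, cidr) for every management port that an ingress
    rule opens to the whole internet. Handles port ranges, all-traffic rules
    (IpProtocol "-1") and IPv6 ranges."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                       # all protocols, all ports
                ports = set(mgmt_ports)
            elif proto in ("tcp", "6"):
                lo = perm.get("FromPort", 0)
                hi = perm.get("ToPort", 65535)
                ports = {p for p in mgmt_ports if lo <= p <= hi}
            else:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr_is_world(cidr):
                    findings.extend((sg["GroupId"], p, cidr) for p in sorted(ports))
    return findings


def find_untrusted_admin_access(flow_log_text, appliance_ips, trusted_cidrs,
                                mgmt_ports=MANAGEMENT_PORTS):
    """Return accepted TCP flows to an appliance management port whose source
    lies outside the trusted ranges. REJECTed flows and NODATA/SKIPDATA
    records are ignored."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in flow_log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK" or f[12] != "ACCEPT":
            continue
        src, dst, dport, proto = f[3], f[4], int(f[6]), f[7]
        if dst not in appliance_ips or proto != "6" or dport not in mgmt_ports:
            continue
        if any(ipaddress.ip_address(src) in net for net in trusted):
            continue
        # Flag, do not block: per the report the source may be a compromised
        # legitimate server used as a proxy, so it needs contextual triage.
        hits.append({"src": src, "dst": dst, "port": dport, "eni": f[2]})
    return hits


if __name__ == "__main__":
    for gid, port, cidr in find_exposed_management_ports(SAMPLE_SECURITY_GROUPS):
        print(f"EXPOSED  {gid} tcp/{port} open to {cidr}")
    for h in find_untrusted_admin_access(SAMPLE_FLOW_LOGS, {"10.50.1.10"},
                                         ["10.50.0.0/24"]):
        print(f"TRIAGE   {h['src']} -> {h['dst']}:{h['port']} via {h['eni']}")
```

On the sample data the audit reports sg-0a1b2c3d exposing tcp/8443 to 0.0.0.0/0, and the flow-log hunt reports one accepted 8443 connection to the appliance from 198.51.100.23; the bastion-subnet SSH session, the public 443 VPN traffic and the rejected probe are not flagged. The fix for the first finding is to revoke the world-open rule (for example `aws ec2 revoke-security-group-ingress --group-id sg-0a1b2c3d --protocol tcp --port 8443 --cidr 0.0.0.0/0`) and re-authorize the port only for the bastion or management subnet; the second finding is a triage item, not an automatic block, for the reason the last mitigation step gives. The flow-log check only works once VPC Flow Logs are actually enabled on the appliance's ENI or VPC.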

Affected products:

WatchGuard
Confluence
Veeam
AWS EC2 instances
Enterprise routers
VPN gateways
Network management appliances
Collaboration platforms
Cloud-based project management solutions

Related threat actors:

Russian GRU (Russia's foreign military intelligence agency)

IOCs:

Amazon's report shares a list of offending IP addresses, but warns that they are compromised legitimate servers used as proxies; the addresses are not reproduced here, and blocking them should follow a contextual investigation.

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
