Perceptive Security
SOC/SIEM Consultancy

Amazon disrupts Russian GRU hackers attacking edge network devices
Published:
16 December 2025 at 20:13:09
Alert date:
16 December 2025 at 21:00:58
Source:
bleepingcomputer.com
Cloud & Virtualization, Network Infrastructure, Critical Infrastructure, Data Breach & Exfiltration
Amazon's Threat Intelligence team disrupted active operations by Russian GRU hackers who were targeting customers' cloud infrastructure and edge network devices. The threat actors, working for Russia's foreign military intelligence agency, were conducting attacks against network edge devices to compromise cloud-based systems. Amazon took action to disrupt these ongoing operations to protect their customers' infrastructure from the state-sponsored threat group.
Technical details
Russian GRU hackers conducted a years-long campaign, starting in 2021, against Western critical infrastructure, especially the energy sector. They initially exploited vulnerabilities in WatchGuard, Confluence, and Veeam products, but later shifted to misconfigured customer network edge devices, including enterprise routers, VPN gateways, network management appliances, collaboration platforms, and cloud-based project management solutions. The actors used passive packet capturing and traffic interception to steal credentials and targeted customer-managed network appliances hosted on AWS EC2 instances. The campaign also involved post-compromise lateral movement and credential harvesting.
Mitigation steps:
Audit network devices
Watch for credential replay activity
Monitor access to administrative portals
Isolate management interfaces in AWS environments
Restrict security groups
Enable CloudTrail
Enable GuardDuty
Enable VPC Flow Logs
Conduct contextual investigation before blocking IP addresses
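One way to act on the "Restrict security groups" and "Isolate management interfaces" steps is to scan security-group rules for appliance admin ports reachable from the whole internet. This is an added example, not Amazon's or Perceptive's code; the rule dicts follow the shape boto3's ec2.describe_security_groups() returns, while the port list and the sample groups are assumptions constructed here so the check runs offline.

```python
"""Flag security-group rules that expose appliance management ports to the
internet. Constructed data, in boto3 describe_security_groups() shape, so it runs offline."""
import ipaddress

# Assumption: ports commonly used by appliance admin portals; tune to your estate.
MANAGEMENT_PORTS = {22, 23, 161, 443, 8080, 8443, 10443}
WORLD = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))

def _management_ports_in(perm):
    """Management ports covered by one IpPermission (-1 = every protocol/port)."""
    if perm.get("IpProtocol") == "-1":
        return set(MANAGEMENT_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}

def _open_to_world(perm):
    """True if any CIDR on the rule is 0.0.0.0/0 or ::/0 (SG-to-SG rules are not)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False) in WORLD for c in cidrs)

def find_exposed_management_rules(security_groups):
    """Return sorted (GroupId, port) pairs where a management port is world-open."""
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if _open_to_world(perm):
                for port in _management_ports_in(perm):
                    findings.add((sg["GroupId"], port))
    return sorted(findings)

# Constructed sample: two groups in describe_security_groups() shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # admin portal, world-open
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},         # scoped to an internal range
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]},  # SG-to-SG only
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},           # range covers 8080 and 8443
]

if __name__ == "__main__":
    for group_id, port in find_exposed_management_rules(SAMPLE_GROUPS):
        print(f"{group_id}: management port {port} is reachable from the internet")
```

In a real audit, feed the function the `SecurityGroups` list from `ec2.describe_security_groups()` for every region that hosts network appliances, and treat each finding as a candidate for moving behind a bastion, VPN, or Systems Manager session rather than a public rule.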
Affected products:
WatchGuard
Confluence
Veeam
AWS EC2 instances
Enterprise routers
VPN gateways
Network management appliances
Collaboration platforms
Cloud-based project management solutions
Related links:
https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
https://www.bleepingcomputer.com/news/security/curly-comrades-cyberspies-hit-govt-orgs-with-custom-malware/
https://www.bleepingcomputer.com/news/security/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms/
Related CVEs:
Related threat actors:
IOCs:
Offending IP addresses: shared in Amazon's report, with the warning that they are compromised legitimate servers used as proxies.
This article was created with the assistance of AI technology by Perceptive.
