
AWS Intelligence Report: GRU-Linked Hackers Behind Sustained Infrastructure Attacks


Cybercriminals and nation-state advanced persistent threat (APT) groups are increasingly adopting stealth-driven, persistence-focused operational models that rely less on zero-day exploits and more on abusing misconfigurations, credential replay, and trusted infrastructure. Recent disclosures from Amazon’s threat intelligence team highlight how Russian state-backed actors are refining these techniques to maintain long-term access to critical systems.

At the center of this activity is a years-long cyber espionage campaign attributed to Russia’s Main Intelligence Directorate (GRU), specifically the threat group tracked as APT44 (also known as Sandworm, FROZENBARENTS, Seashell Blizzard, and Voodoo Bear). Active between 2021 and 2025, this campaign targeted Western energy providers, critical infrastructure operators, and cloud-hosted network environments, signaling a sustained strategic effort rather than opportunistic intrusion.

Background on GRU Cyber Operations

APT44 has a long history of disruptive and espionage-driven cyber activity aligned with Russian military and geopolitical objectives. Unlike smash-and-grab ransomware campaigns, GRU operations emphasize:

  • Long-term persistence
  • Credential theft and reuse
  • Living-off-the-land techniques
  • Abuse of trusted infrastructure and network appliances

In this campaign, AWS intelligence observed a notable shift away from frequent zero-day exploitation, with attackers instead focusing on misconfigured or poorly secured network edge devices exposed to the public internet.

Campaign Overview

The GRU-linked campaign demonstrates a methodical effort to compromise organizations that underpin national and regional stability.

Primary Targets

  • Energy sector organizations across Western nations
  • Critical infrastructure providers in North America and Europe
  • Cloud-hosted network environments, including AWS-hosted appliances

Key Characteristics

  • Exploitation of exposed management interfaces on edge devices
  • Credential harvesting via native packet capture capabilities
  • Replay of stolen credentials against cloud services and enterprise environments
  • Focus on reducing detection risk by avoiding noisy exploits

Vulnerability Details

Vulnerability | Affected Vendor | Affected Devices / Products | CVSS / EPSS Score
CVE-2022-26318 | WatchGuard | Firebox and XTM network security appliances | CVSS: 9.8 (Critical) / EPSS: 92.55%
CVE-2021-26084 | Atlassian | Confluence Server and Data Center | CVSS: 9.8 (Critical) / EPSS: 94.46%
CVE-2023-22518 | Atlassian | Confluence Server and Data Center | CVSS: 9.8 (Critical) / EPSS: 94.41%
CVE-2023-27532 | Veeam | Backup & Replication software | CVSS: 7.5 (High) / EPSS: 81.68%

Tactics and Techniques

  • TA0001 – Initial Access: Exploiting public-facing applications through misconfigured network edge devices.
  • TA0006 – Credential Access: Harvesting credentials from intercepted traffic.
  • TA0008 – Lateral Movement: Using remote services to move across the network.
  • TA0009 – Collection: Gathering data from local systems.

Indicators of Compromise (IOCs)

  • 91.99.25[.]54
  • 185.66.141[.]145
  • 51.91.101[.]177
  • 212.47.226[.]64
  • 213.152.3[.]110
  • 145.239.195[.]220
  • 103.11.190[.]99
  • 217.153.191[.]190
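The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a blocklist or log search. The following is an added example, not code from the report or from Amazon, that refangs and validates the list and then sweeps log lines for any mention of those addresses. The log lines are constructed for the example in a made-up syslog style; the field names (`src=`, `from`) are assumptions, and the extractor is deliberately format-agnostic so it works on whatever an appliance emits.

```python
import ipaddress
import re

# Indicators from the report above, kept in their published defanged form.
DEFANGED_IOCS = [
    "91.99.25[.]54",
    "185.66.141[.]145",
    "51.91.101[.]177",
    "212.47.226[.]64",
    "213.152.3[.]110",
    "145.239.195[.]220",
    "103.11.190[.]99",
    "217.153.191[.]190",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(defanged):
    """Refang and validate each entry; a malformed IOC should fail loudly rather than
    silently never matching."""
    iocs = set()
    for raw in defanged:
        ip = ipaddress.ip_address(refang(raw))  # raises ValueError on a bad entry
        iocs.add(str(ip))
    return iocs


IOC_IPS = load_iocs(DEFANGED_IOCS)

# Pull every dotted-quad out of a line regardless of how the device labels it.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_ioc_hits(log_lines, iocs=IOC_IPS):
    """Return (line_number, matched_ip, line) for each log line that mentions a known IOC."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in iocs:
                hits.append((n, ip, line))
    return hits


# Constructed sample lines (not from the report): a firewall admin login, an unrelated VPN
# login, a packet-capture-enabled event, and a failed admin login. Field names are assumed.
SAMPLE_LOG = [
    "2025-03-02T01:14:09Z fw01 admin_login user=admin src=185.66.141.145 result=success",
    "2025-03-02T01:15:33Z vpn01 auth user=jsmith from 10.20.30.40 result=success",
    "2025-03-02T01:16:02Z fw01 packet_capture state=enabled by=admin src=185.66.141.145",
    "2025-03-02T01:20:45Z fw01 admin_login user=svc-backup src=145.239.195.220 result=failure",
]

if __name__ == "__main__":
    for n, ip, line in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {line}")
```

Run against exported firewall, VPN, or CloudTrail logs, the sweep gives a quick first-pass answer to "has any of this infrastructure ever talked to us"; a hit on an admin-login or packet-capture event, as in the sample, is the combination the report describes and warrants a device review.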

Infection Method

Initial Access

Attackers scanned for publicly exposed network edge devices hosted in cloud and enterprise environments, particularly those with misconfigured or weakly protected management interfaces.
Rather than relying exclusively on zero-day exploits, the GRU increasingly abused internet-facing routers, firewalls, VPN concentrators, and network management appliances.

In earlier phases of the campaign, known vulnerabilities in commonly deployed infrastructure software were exploited to gain an initial foothold.

Exploitation

The attackers exploited known N-day vulnerabilities and insecure configurations in edge devices and enterprise software, allowing:

  • Unauthorized access to device management interfaces
  • Privilege escalation on network appliances
  • Remote interaction with traffic-handling components

Payload Delivery

Rather than deploying large custom malware payloads, attackers leveraged native capabilities of compromised network devices.
This minimized forensic artifacts and reduced the likelihood of detection.

Key payload-related behaviors included:

  • Enabling built-in packet capture functionality on network appliances
  • Intercepting authentication traffic traversing the device
  • Avoiding traditional malware droppers on disk

Execution & Persistence

Execution focused on credential replay and trusted access paths, rather than persistent malware installation.

Persistence mechanisms included:

  • Continued access to compromised edge devices
  • Reuse of stolen credentials across cloud services and enterprise systems
  • Leveraging legitimate administrative sessions and remote services

This allowed attackers to maintain long-term access without traditional persistence artifacts such as scheduled tasks or registry modifications.

Command-and-Control (C2)

Instead of conventional beaconing malware, command-and-control was largely achieved through:

  • Legitimate management interfaces of network devices
  • Authenticated sessions using replayed credentials
  • Interaction with cloud-hosted services and enterprise infrastructure

Impact

Edge Device Compromise: Exploitation of network edge vulnerabilities enables long-term unauthorized access, allowing attackers to establish persistent footholds inside critical infrastructure environments without triggering traditional endpoint defenses.

Credential Harvesting & Replay: Compromised devices are leveraged to collect authentication material, which is later replayed against cloud and enterprise services to bypass perimeter controls and facilitate lateral movement.

Operational Disruption Potential: Abuse of exposed management interfaces and unpatched enterprise software creates pathways for service degradation or outage, posing direct risk to energy, utilities, and other critical sectors.

Visual Flow

Initial Access (exposed edge devices / known CVEs) -> Exploitation (device misconfiguration or N-day flaws) -> Payload-Free Credential Harvesting (packet capture) -> Credential Replay Against Cloud & Enterprise Services -> Lateral Movement & Long-Term Persistence via Legitimate Access

Mitigation Steps

Audit Edge Devices: Regularly check network edge devices for exposed management interfaces, unexpected packet capture tools, and misconfigurations.

Enforce Strong Authentication: Eliminate default credentials and implement multi-factor authentication (MFA) across all devices and accounts.

Monitor for Credential Replay: Review authentication logs for unusual patterns or repeated credential use from unexpected locations.

Harden Network Access: Disable public management access, replace insecure protocols (Telnet, HTTP, unencrypted SNMP), and implement network segmentation.
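The "Monitor for Credential Replay" step is the one most easily turned into a concrete check. The following is an added example, not code from the report or from Amazon, that looks for the two patterns the campaign summary describes: a single account authenticating successfully from a second source address while an earlier session is still recent, and any successful login from a location outside the set the organisation expects. The authentication records, the `location` field, and the `EXPECTED_LOCATIONS` set are constructed assumptions; in practice they map to whatever your SSO, VPN, or cloud provider reports (geo, ASN, or site name).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not from the report), one record per login attempt.
# "location" stands in for whatever the identity provider reports for the source.
EVENTS = [
    {"ts": "2025-03-02T08:00:00", "user": "jsmith", "src": "10.20.30.40", "location": "HQ", "ok": True},
    {"ts": "2025-03-02T08:04:00", "user": "jsmith", "src": "185.66.141.145", "location": "unknown", "ok": True},
    {"ts": "2025-03-02T08:05:30", "user": "jsmith", "src": "185.66.141.145", "location": "unknown", "ok": True},
    {"ts": "2025-03-02T09:10:00", "user": "svc-backup", "src": "10.20.30.41", "location": "HQ", "ok": True},
    {"ts": "2025-03-02T11:00:00", "user": "svc-backup", "src": "10.20.30.41", "location": "HQ", "ok": True},
    {"ts": "2025-03-02T11:02:00", "user": "admin", "src": "213.152.3.110", "location": "unknown", "ok": False},
]

# Assumption: the sites this organisation's logins normally originate from.
EXPECTED_LOCATIONS = {"HQ", "DC-East"}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_replay(events, window=timedelta(minutes=30), expected=EXPECTED_LOCATIONS):
    """Return a list of (finding, user, detail, timestamp) tuples.

    unexpected_location : a successful login from outside the expected set.
    multi_source_window : the same account logging in successfully from a different source
                          than its previous successful login within `window`, the signature
                          of a harvested credential being replayed while the legitimate
                          session is still fresh.
    Failed attempts are ignored here; they belong to a brute-force/spray check, not replay.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, cur in enumerate(evs):
            if cur["location"] not in expected:
                findings.append(("unexpected_location", user, cur["src"], cur["ts"]))
            if i > 0:
                prev = evs[i - 1]
                recent = parse_ts(cur["ts"]) - parse_ts(prev["ts"]) <= window
                if recent and prev["src"] != cur["src"]:
                    findings.append(("multi_source_window", user, f'{prev["src"]} -> {cur["src"]}', cur["ts"]))
    return findings


if __name__ == "__main__":
    for f in detect_replay(EVENTS):
        print(*f)
```

The window and the expected-location set are the tuning knobs: a short window catches replay during a live session but misses slow, patient reuse, so pairing this with a longer-horizon "new source for this account" baseline is worthwhile. Service accounts such as the `svc-backup` record above are the ones to watch most closely, since they rarely have MFA and their credentials are exactly what transits an edge device.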

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.