Amazon has revealed details of a long-running cyber espionage campaign linked to Russia’s military intelligence agency, the GRU. According to Amazon’s threat intelligence team, the campaign remained active for several years, roughly from 2021 to 2025. It mainly targeted energy companies, critical infrastructure operators, and cloud-based network systems across Western countries.

The activity has been connected to a GRU-linked hacking group commonly tracked by security researchers under names such as Sandworm or APT44. These groups are known for conducting state-sponsored cyber operations focused on strategic targets. Amazon stated that the patterns, tools, and methods used strongly match previously known GRU cyber activity.

The attackers focused heavily on organizations involved in electricity, energy distribution, telecommunications, and cloud infrastructure. Many of the targeted systems support essential services that governments, businesses, and the public rely on daily. The campaign affected organizations mainly in North America, Europe, and parts of the Middle East.

Amazon’s findings show that the attackers changed their approach over time. Instead of relying mostly on new and complex software vulnerabilities, the group increasingly targeted misconfigured network edge devices. These include routers, VPN gateways, and other internet-facing devices that were not securely set up by organizations.

Misconfigured devices often expose management interfaces to the internet, making them easier targets. Once access was gained, the attackers focused on stealing login credentials and monitoring network activity. These credentials were then used to maintain long-term access and quietly move within networks without raising immediate suspicion.

The report highlights that this strategy helped the attackers stay hidden for extended periods. By avoiding loud or destructive techniques, they reduced the chances of being detected early. This allowed them to maintain persistent access and collect valuable intelligence over multiple years.

Amazon stated that it detected and disrupted many of these activities through its internal monitoring and threat intelligence capabilities. While specific victim organizations were not publicly named, Amazon shared relevant findings with partners and vendors. The goal was to help strengthen defenses across the wider technology ecosystem.

Security experts say the report is a strong warning for organizations managing critical systems. Securing network devices, fixing misconfigurations, and monitoring credential use are now more important than ever. The campaign shows that modern cyber threats rely more on patience and stealth than on flashy attacks.
Stay alert, and keep your security measures updated!
