Russian-State Backed Hackers Breach Western Critical Infrastructure Via Device Misconfigurations

AWS Security warns that misconfigured network edge devices were used to compromise energy companies, technology firms, and telecommunications providers throughout 2025.

Published on Dec 17, 2025
Written by Joel Witts

Russian state-sponsored hackers are actively exploiting misconfigured network edge devices to steal credentials and gain unauthorized access to online infrastructure and services, Amazon’s threat intelligence team revealed this week.

AWS Security said it observed sustained targeting of Western critical infrastructure over the past four years, with a particular focus on the energy sector in North America and Europe, as well as organizations that rely on cloud-hosted networking infrastructure.

The campaign saw an evolution away from targeting network vulnerabilities toward exploiting network edge device misconfigurations.

Once a misconfigured device was compromised, the hackers captured network traffic to harvest authentication credentials, which were then used to access cloud services and internal infrastructure.

“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure,” Amazon said.

Similar tactics have been observed in other recent nation-state campaigns, which increasingly favor firewalls, VPNs, and remote access gateways as initial access vectors over zero-day exploitation.

Misconfigured network edge devices are “low hanging fruit” for threat actors, AWS Security said, enabling the same outcomes as zero-day exploitation (credential theft, persistence, and lateral movement) while significantly reducing operational risk and resource expenditure.

In addition to energy companies, other successfully targeted industries in 2025 included cloud collaboration platforms, source code repositories, and telecommunications providers.

Timeline Of Attacks

AWS Security said the shift toward exploiting edge device misconfigurations has been ongoing since at least 2022, as attackers reduced their investment in zero-day and N-day exploits in favor of targeting exposed or improperly configured systems.

The campaign typically focused on enterprise routers and routing infrastructure, VPNs and remote access gateways, as well as cloud-based project management and collaboration platforms.

AWS Security linked the attacks to Russia’s military intelligence agency, the GRU, based on the use of infrastructure that had previously been seen in attacks against Ukraine.

Amazon said it actively investigated and disrupted the activity by notifying affected customers, remediating compromised EC2 instances, and sharing threat intelligence with partners and affected vendors.

How To Stay Protected

AWS Security has urged organizations to proactively monitor for evidence of this campaign.

Recommended measures include reviewing all network edge devices for unexpected packet capture files, auditing device configurations for insecure settings, and enforcing strong identity and access management controls, including multi-factor authentication.

Organizations should also implement network segmentation to isolate management interfaces and limit exposure. Energy sector organizations, in particular, were encouraged to review access logs for indicators of compromise outlined in Amazon’s advisory.
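A defender-side check for the first recommendation above, added here as an example and not code from Amazon’s advisory: it identifies capture files by their libpcap/pcapng magic bytes rather than by file extension, so a capture an intruder has renamed to look like a firmware blob is still flagged. The sample directory tree it scans is constructed for the demo; the function names and paths are assumptions.

```python
"""Scan a directory tree for packet-capture files by content, not filename."""
import os
import tempfile
from pathlib import Path

# First four bytes of the common capture formats (libpcap and pcapng headers).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond)",
    b"\x0a\x0d\x0d\x0a": "pcapng (section header block)",
}


def classify_capture(path):
    """Return the capture format name if the file starts with a known magic, else None."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:  # unreadable or vanished file: treat as not a capture
        return None
    return PCAP_MAGICS.get(head)


def find_captures(root):
    """Walk root and return sorted (path, format) pairs for every recognised capture."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            fmt = classify_capture(full)
            if fmt:
                hits.append((full, fmt))
    return sorted(hits)


def write_sample_tree(root):
    """Constructed sample: a renamed pcap, a pcapng, and an innocent text file."""
    root = Path(root)
    (root / "tmp").mkdir(parents=True, exist_ok=True)
    # A little-endian pcap header disguised with a harmless-looking name.
    (root / "tmp" / "update.bin").write_bytes(b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16)
    (root / "session.pcapng").write_bytes(b"\x0a\x0d\x0d\x0a\x1c\x00\x00\x00\x4d\x3c\x2b\x1a")
    (root / "notes.txt").write_bytes(b"just text\n")
    return str(root)


def demo():
    """Build the constructed tree in a temp dir and return hits as (relative path, format)."""
    root = write_sample_tree(tempfile.mkdtemp())
    return [(os.path.relpath(p, root), fmt) for p, fmt in find_captures(root)]


if __name__ == "__main__":
    for rel, fmt in demo():
        print(f"{rel}: {fmt}")
```

On a real appliance, run the same walk over writable locations such as temp and log directories, where a capture written by an intruder is most likely to sit.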