Amazon says Russia’s GRU is running “coordinated operations against customer network edge devices hosted on AWS” – and targeting critical national infrastructure (CNI) in the attacks, including the energy sector. 

The threat group, tracked as Sandworm/APT44/Seashell Blizzard, has secured “persistent connections to compromised EC2 instances” running appliance software, said CJ Moses, CISO of Amazon Integrated Security.

Writing in a December 15 report, Moses was quick to point out that this exploitation is largely due to customer misconfiguration, and not the result of any AWS vulnerability – he did not name the network edge devices.

The campaign comes amid what he said is a “clear evolution in tactics” by the APT in recent years, with a decline in zero day exploitation and instead, “sustained targeting of misconfigured customer network edge device[s].”

Amazon offered a smattering of IOCs and a payload captured from 2022 in an otherwise detail-thin report – which did however come with some useful best practice hardening advice, captured in The Stack’s dropdown below.

Harden your AWS edge

Moses called on customers to run...

1. Network edge device audit

  • Audit all network edge devices for unexpected packet capture files or utilities.
  • Review device configurations for exposed management interfaces.
  • Implement network segmentation to isolate management interfaces.
  • Enforce strong authentication (eliminate default credentials, implement MFA).

2. Credential replay detection

  • Review authentication logs for credential reuse between network device management interfaces and online services.
  • Monitor for authentication attempts from unexpected geographic locations.
  • Implement anomaly detection for authentication patterns across your organization’s online services.
  • Review extended time windows following any suspected device compromise for delayed credential replay attempts.

3. Access monitoring

  • Monitor for interactive sessions to router/appliance administration portals from unexpected source IPs.
  • Examine whether network device management interfaces are inadvertently exposed to the internet.
  • Audit for plain text protocol usage (Telnet, HTTP, unencrypted SNMP) that could expose credentials.
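Added example (not from Amazon's report or The Stack): a small Python checker that applies three of the items above to constructed appliance and cloud-console login records. The log format, the trusted management CIDR and the seven-day replay window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report): appliance admin logins and cloud-console logins.
SAMPLE_LOGS = [
    "2025-12-01T08:00:00Z src=10.20.0.5 user=netadmin service=appliance-admin proto=https result=success",
    "2025-12-01T08:05:00Z src=203.0.113.7 user=netadmin service=appliance-admin proto=telnet result=success",
    "2025-12-03T02:10:00Z src=198.51.100.9 user=netadmin service=cloud-console proto=https result=success",
    "2025-12-01T09:00:00Z src=10.20.0.6 user=ops service=appliance-admin proto=ssh result=success",
    "2025-12-01T09:30:00Z src=10.20.0.6 user=ops service=cloud-console proto=https result=success",
]
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]  # assumed isolated management segment
PLAINTEXT = {"telnet", "http", "snmpv1", "snmpv2c"}      # protocols that expose credentials in transit

def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime and an ip_address."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev

def unexpected_admin_sources(events):
    """Appliance admin sessions from outside the trusted management segment (items 1 and 3)."""
    return [e for e in events if e["service"] == "appliance-admin"
            and not any(e["src"] in net for net in TRUSTED_MGMT)]

def plaintext_logins(events):
    """Management-plane logins over plain text protocols (item 3)."""
    return [e for e in events if e["proto"] in PLAINTEXT]

def credential_replay(events, window=timedelta(days=7)):
    """Accounts seen on an appliance and later on an online service from a different IP within the window (item 2)."""
    hits, by_user = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["service"] == "appliance-admin":
            by_user.setdefault(e["user"], []).append(e)
        elif e["service"] == "cloud-console":
            for prior in by_user.get(e["user"], []):
                if prior["src"] != e["src"] and timedelta(0) <= e["ts"] - prior["ts"] <= window:
                    hits.append((e["user"], str(prior["src"]), str(e["src"])))
                    break
    return hits

def run(lines=SAMPLE_LOGS):
    """Run all three checks and return the flagged source IPs / replay tuples."""
    events = [parse_line(line) for line in lines]
    return {"unexpected": [str(e["src"]) for e in unexpected_admin_sources(events)],
            "plaintext": [str(e["src"]) for e in plaintext_logins(events)],
            "replay": credential_replay(events)}
```

On the constructed input the checker flags the telnet admin login from 203.0.113.7 twice (untrusted source and plain text protocol) and the later cloud-console login for the same account from a third address as a possible replay.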

Commenting on the report, Rob Demain, CEO of e2e-assure, emphasised that “perimeter devices are… strategic access points for nation-state attackers. Once compromised, they can harvest credentials in transit, provide administrative-level access, and allow attackers to appear as legitimate internal users, bypassing many downstream security controls entirely. At that point, the attacker isn’t breaking through defences, they are operating from inside them. This is the predictable outcome of how these technologies have evolved and how they’ve been defended,” he added.

“These platforms often still contain legacy protocols and unsafe assumptions, brittle memory handling, insecure management planes, and architectural decisions made long before sustained nation-state pressure was a design consideration,” Demain added in an emailed comment.

“Treat perimeter equipment as high-risk compute platforms, not passive appliances; instrument detailed authentication and configuration-change logging; stream logs off the device into systems you trust; correlate changes against approved activity and change control; and detect behavioural anomalies on the management plane, not just traffic anomalies on the data plane. This approach reflects the reality of today’s threat landscape.”
