Full Report
Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025. Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure. The activity has
Analysis Summary
# Threat Actor: APT44 (FROZENBARENTS, Sandworm, Seashell Blizzard, Voodoo Bear)
## Attribution & Identity
Russian state-sponsored threat group attributed to the GRU (Russian military intelligence).
## Activity Summary
A "years-long" campaign running from 2021 to 2025 against Western critical infrastructure. Over that period the actor adapted tactically, shifting from exploiting N-day and zero-day vulnerabilities in edge products to abusing misconfigured customer network edge devices whose management interfaces were exposed to the internet. The objective appears to be a strategic position on the network edge from which credentials can be harvested at scale for follow-on access. Coordinated attempts against misconfigured edge devices hosted on AWS infrastructure were also observed.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of misconfigured customer network edge devices (routers, VPN concentrators, management appliances) with exposed management interfaces.
- **Vulnerability Exploitation (Historical):**
- 2021-2022: Exploitation of a flaw in WatchGuard Firebox and XTM appliances (CVE not given here).
- 2022-2023: Exploitation of Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518).
- 2024: Exploitation of Veeam flaw (CVE-2023-27532).
- **Post-Compromise:**
- Using the packet capture capability native to the compromised devices, so no additional tooling needs to be dropped on the appliance.
- Harvesting credentials from the intercepted traffic.
- Replaying the harvested credentials against the victim organizations' online services and infrastructure to gain a deeper foothold.
- Maintaining persistent connections from actor-controlled IP addresses to compromised EC2 instances running network appliance software; the connection pattern is consistent with interactive access and data retrieval.
- The chain as a whole serves lateral movement: credentials captured at the edge are replayed against internal and cloud-hosted services.
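The replay step above is the one a defender can actually see: credentials captured passively at the edge are used later, from actor-controlled infrastructure, against the victim's own login endpoints. The following is an added example (not code from the Amazon report) of two complementary detections over authentication events: one source IP successfully authenticating as many distinct accounts in a short window (fan-out), and successful logins from a source that is new for that account. The event shape is loosely modelled on a CloudTrail ConsoleLogin record; the sample events, the per-user baseline and the thresholds are constructed assumptions.

```python
"""Credential-replay detection over constructed authentication events.

Added example, not code from the Amazon report. The event shape (loosely
modelled on a CloudTrail ConsoleLogin record), the sample data, the
per-user baseline and the thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: normal logins from 203.0.113.x, then one external host
# (198.51.100.7) authenticating as several users within a few minutes, which
# is what replaying credentials captured at the edge tends to look like.
SAMPLE_EVENTS = [
    {"time": "2025-02-10T08:01:00Z", "user": "alice", "src": "203.0.113.10", "ok": True},
    {"time": "2025-02-10T08:05:00Z", "user": "bob",   "src": "203.0.113.11", "ok": True},
    {"time": "2025-02-10T08:30:00Z", "user": "alice", "src": "198.51.100.7", "ok": True},
    {"time": "2025-02-10T08:31:00Z", "user": "bob",   "src": "198.51.100.7", "ok": True},
    {"time": "2025-02-10T08:32:00Z", "user": "carol", "src": "198.51.100.7", "ok": True},
    {"time": "2025-02-10T08:33:00Z", "user": "dave",  "src": "198.51.100.7", "ok": False},
    {"time": "2025-02-10T09:00:00Z", "user": "erin",  "src": "203.0.113.12", "ok": True},
]

# Constructed baseline of source IPs each account normally logs in from.
KNOWN_SOURCES = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.11"},
    "carol": {"203.0.113.13"},
    "erin": {"203.0.113.12"},
}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fan_out_sources(events, min_users=3, window=timedelta(minutes=15)):
    """Source IPs that successfully authenticate as at least `min_users`
    distinct accounts inside a sliding `window`.

    A single host replaying a batch of harvested credentials produces this
    pattern. A corporate NAT egress IP can too, so tune `min_users` and
    allowlist known egress addresses before alerting on it.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["ok"]:
            by_src[ev["src"]].append((parse_time(ev["time"]), ev["user"]))
    flagged = {}
    for src, logins in by_src.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1
            users = {u for _, u in logins[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def new_source_logins(events, known_sources):
    """Successful logins from a source IP not in the account's baseline.

    Only successes matter here: a replayed credential that works is the
    foothold; failures belong in a separate spray/brute-force detection.
    """
    return [
        (ev["user"], ev["src"], ev["time"])
        for ev in events
        if ev["ok"] and ev["src"] not in known_sources.get(ev["user"], set())
    ]


def replay_findings(events, known_sources):
    """Combine both signals: a source that fans out *and* is new for every
    account it used is the strongest indicator of replayed credentials."""
    fan_out = fan_out_sources(events)
    new_src = new_source_logins(events, known_sources)
    corroborated = {
        src for src in fan_out
        if all(user in {u for u, s, _ in new_src if s == src} for user in fan_out[src])
    }
    return {"fan_out": fan_out, "new_source": new_src, "corroborated": sorted(corroborated)}


if __name__ == "__main__":
    for key, value in replay_findings(SAMPLE_EVENTS, KNOWN_SOURCES).items():
        print(f"{key}: {value}")
```

On the sample data the fan-out check and the new-source check both point at 198.51.100.7; dave's failed attempt from the same host is ignored by design, because a working credential is the finding and failures are better handled by a spraying rule with its own thresholds.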
## Targeting
- **Sectors:** Energy sector organizations, critical infrastructure providers, technology/cloud services providers, and telecom service providers.
- **Geography:** North America, Western Europe, Eastern Europe, and the Middle East.
- **Victims:** Entities with cloud-hosted network infrastructure, including direct energy operators and third-party service providers with access to critical infrastructure networks. Specific organizations were not named beyond the sectors.
## Tools & Infrastructure
- **Malware families used:** None named in this summary; the activity relied on capabilities already present on the compromised devices (e.g., built-in packet capture) rather than on dropped malware.
- **Infrastructure (C2, domains, IPs, defanged):** No domains or IP addresses are given. The report describes actor-controlled IP addresses maintaining persistent connections to compromised EC2 instances that host network appliance software.
## Implications
The actor shows a sustained focus on the energy sector and its supply chain. Targeting misconfigured network edge devices, rather than relying on a steady supply of new zero-days, lowers the actor's exposure and cost while still delivering the credential harvesting it needs; this indicates a mature, adaptive operation built around high-value infrastructure access.
## Mitigations
- Securely configure customer network edge devices, ensuring management interfaces are not exposed externally.
- Prioritize patching known vulnerabilities, particularly for network edge devices, VPN concentrators, and remote access gateways.
- Monitor network infrastructure for packet capture activity (capture utilities being invoked on appliances, unexpected mirror/SPAN configuration) and for other signs of traffic interception.
- Implement robust credential hygiene and multi-factor authentication so that replayed credentials alone are not enough to reach online services.
- Scrutinize AWS environments for unusual inbound connections to EC2 instances hosting network appliance software, in particular long-lived sessions from a single external IP address to management ports.
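The first mitigation is the one that closes the initial-access path described in this report, and it is easy to audit mechanically in AWS: a security group that opens an appliance's management port to anything outside an admin allowlist is exactly the "exposed management interface" the actor looks for. The following is an added example, not code from the Amazon report or from AWS. The input mirrors the IpPermissions shape returned by EC2 DescribeSecurityGroups, but the sample groups, the admin CIDRs and the management-port list are constructed assumptions; in a real run the groups would come from `boto3.client("ec2").describe_security_groups()`.

```python
"""Audit EC2 security groups for appliance management ports reachable from
outside an admin allowlist.

Added example, not from the Amazon report or AWS. The input mirrors the
IpPermissions shape returned by EC2 DescribeSecurityGroups, but the sample
groups, the admin CIDRs and the management-port list are constructed
assumptions; in a real run the groups would come from
boto3.client("ec2").describe_security_groups().
"""
import ipaddress

# Assumed management-plane TCP ports for the appliances in scope. 443 is
# deliberately left out: on a VPN concentrator it is the user-facing service,
# and this check is about the admin interface, which should live on a
# separate port or interface. Extend the set per vendor.
MGMT_PORTS = {22, 23, 8080, 8443, 4443}

# Constructed input in DescribeSecurityGroups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "edge-appliance", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-mgmt", "IpPermissions": [
        # IpProtocol "-1" means all traffic; FromPort/ToPort are absent.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def _port_range(perm):
    """Port range a permission opens, or None if it cannot carry a TCP
    management session."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    if perm["IpProtocol"] != "tcp":
        return None
    return perm["FromPort"], perm["ToPort"]


def exposed_mgmt_rules(groups, admin_cidrs=("10.0.0.0/8",), mgmt_ports=MGMT_PORTS):
    """Return one finding per (group, source CIDR) whose rule opens a
    management port to a source not contained in any admin CIDR."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            rng = _port_range(perm)
            if rng is None:
                continue
            lo, hi = rng
            hit = sorted(p for p in mgmt_ports if lo <= p <= hi)
            if not hit:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # subnet_of() raises on mixed IP versions, so compare versions first.
                trusted = any(net.version == a.version and net.subnet_of(a) for a in admin_nets)
                if not trusted:
                    findings.append({"group": group["GroupId"], "name": group["GroupName"],
                                     "source": cidr, "ports": hit})
    return findings


if __name__ == "__main__":
    for f in exposed_mgmt_rules(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['source']} -> ports {f['ports']}")
```

On the sample input the SSH rule open to 0.0.0.0/0 and the all-traffic rule open to ::/0 are reported; the 8443 rule restricted to 10.20.0.0/16 and the 443 service rule are not. The IPv6 case matters in practice: an admin allowlist that only lists IPv4 ranges silently leaves any `::/0` rule exposed, which is why the version check is explicit rather than relying on `subnet_of` to fail.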