Full Report
'Sustained focus on Western critical infrastructure'

Russia's Main Intelligence Directorate (GRU) is behind a years-long campaign targeting energy, telecommunications, and tech providers, stealing credentials and compromising misconfigured devices hosted on AWS to give the Kremlin's snoops persistent access to sensitive networks, according to Amazon's security boss.…
Analysis Summary
# Threat Actor: Russian Main Intelligence Directorate (GRU) Operations
## Attribution & Identity
**Attribution:** Russia's Main Intelligence Directorate (GRU).
**Known Aliases and Associated Groups:** Potential overlap with actors tracked by Bitdefender, and the ongoing activity may be part of a broader GRU campaign that includes earlier activity tracked under **Curly COMrades** (involving Hyper-V abuse and implants like CurlyShell and CurlCat).
## Activity Summary
This is a years-long campaign (spanning 2021 through the present day, 2025/2026) demonstrating a sustained focus on Western critical infrastructure. The overarching objective is to gain persistent access to sensitive networks for intelligence gathering. Activities include credential theft, exploitation of vulnerabilities, and extensive probing of misconfigured devices hosting network appliance software on AWS. Amazon notes a concerning evolution from exploiting *n*-day and zero-day vulnerabilities to focusing on misconfigurations, which reduces the risk of detection.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting misconfigured devices (especially network edge devices hosted on AWS), exploiting vendor vulnerabilities (e.g., CVE-2022-26318 in WatchGuard Firebox/XTM appliances, critical Confluence vulnerabilities, and a Veeam vulnerability).
- **Credential Harvesting:** Employing packet capture and traffic analysis as the primary method for collecting credentials, followed by systematic credential-replay attacks against online services.
- **Persistence:** Establishing persistent connections to compromised EC2 instances running network appliance software.
- **Evasion/Evolution:** Shifting focus from complex vulnerability exploitation to abusing common misconfigurations to reduce the risk of exposure.
- *MITRE ATT&CK IDs not explicitly provided in the text.*
## Targeting
- **Sectors:** Western critical infrastructure, specifically **energy**, **telecommunications**, and **tech providers**. Also targeting energy-sector organizations and their suppliers.
- **Geography:** Western organizations, including **North American and European** critical infrastructure providers.
- **Victims:** Organizations with cloud-hosted network infrastructure, particularly those using AWS to host virtual network appliances. Specific victim names were not disclosed.
## Tools & Infrastructure
- **Malware Families Used:** Implants associated with the *Curly COMrades* activity mentioned include **CurlyShell** and **CurlCat**.
- **Infrastructure (C2, domains, IPs):** The activity involved compromising network appliance software running on **EC2 instances** hosted on AWS. No specific C2 domains or IPs were detailed.
## Implications
The activity shows a dedicated, persistent intelligence-gathering focus by the GRU against high-value Western infrastructure targets. The shift towards exploiting misconfigurations rather than high-profile zero-days signifies a calculated move to reduce detection footprint while maintaining long-term espionage access. The potential operational division between initial compromise clusters and persistence/evasion clusters is noted as typical of GRU operations.
## Mitigations
- Prioritize securing network edge devices (enterprise routers, VPN concentrators, remote access gateways, network management appliances).
- Monitor for credential replay attacks.
- Conduct a comprehensive network edge device audit.
- Review all authentication logs for credential reuse between network device management interfaces and online services.
- Monitor for interactive sessions to appliance administration portals originating from unexpected source IPs.
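As an added example (not code from Amazon's report or the original article), the following Python check implements the last three mitigations over a handful of constructed authentication events: admin-portal sessions from outside the management subnet, device accounts replayed against online services, and single sources trying many accounts. The log format, the `appliance-mgmt` / `saas-mail` system names and the `10.20.0.0/24` management range are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs): time, system, account, source IP, outcome.
SAMPLE_EVENTS = """
2025-11-03T08:01:10Z appliance-mgmt admin 10.20.0.5 success
2025-11-03T08:15:42Z appliance-mgmt admin 203.0.113.77 success
2025-11-03T08:16:05Z saas-mail admin 203.0.113.77 failure
2025-11-03T08:16:09Z saas-mail jdoe 203.0.113.77 failure
2025-11-03T08:16:13Z saas-mail ops 203.0.113.77 success
2025-11-03T09:30:00Z saas-mail jdoe 10.20.0.9 success
""".strip().splitlines()

MGMT = "appliance-mgmt"                             # assumed name of the device admin portal
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed trusted management subnet

def parse(lines):
    """Parse the sample format into (ts, system, user, ip, outcome) tuples, oldest first."""
    rows = []
    for line in lines:
        ts, system, user, ip, outcome = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), system, user,
                     ipaddress.ip_address(ip), outcome))
    return sorted(rows, key=lambda r: r[0])

def unexpected_admin_sessions(events, nets=MGMT_NETS):
    """Successful admin-portal logins from a source IP outside the management nets."""
    return [e for e in events if e[1] == MGMT and e[4] == "success"
            and not any(e[3] in n for n in nets)]

def reused_device_credentials(events, window=timedelta(hours=1)):
    """Accounts seen on the appliance portal and then tried (success or not) on an online service within `window`."""
    return {m[2] for m in events if m[1] == MGMT
            for e in events if e[1] != MGMT and e[2] == m[2]
            and m[0] <= e[0] <= m[0] + window}

def replay_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs trying at least `min_accounts` distinct accounts on online services within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e[1] != MGMT:
            by_ip[e[3]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):          # slide the window from each event
            users = {x[2] for x in evs[i:] if x[0] - first[0] <= window}
            if len(users) >= min_accounts:
                flagged.add(str(ip))
    return flagged
```

Feed `parse(SAMPLE_EVENTS)` to each function; against real data, replace the sample with your own normalized auth events and set `MGMT` and `MGMT_NETS` to your portal name and management ranges.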