**Russian State Hackers Targeted Western Critical Infrastructure for Years, Amazon Reveals**

A notable revelation has emerged from the world of cybersecurity, as Amazon Threat Intelligence has uncovered a years-long campaign by Russian state-backed hackers targeting Western critical infrastructure. The activity, observed between 2021 and 2025, targeted organizations in the energy, technology, cloud, and telecom sectors.

According to the report, the threat actors shifted their tactics over time, evolving from exploiting known vulnerabilities to abusing misconfigured network edge devices. This new approach allowed them to collect credentials and maintain persistent access to compromised systems with lower operational risk.

The researchers linked the campaign to GRU/Sandworm (aka APT44 and Seashell Blizzard) activity, which has been heavily targeting the energy sector. The attacks were not limited to Western critical infrastructure, but also extended to organizations with cloud-hosted networks in North America and Europe.

Amazon's telemetry revealed that the threat actors established persistent connections to compromised EC2 instances operating customers' network appliance software. Analysis of this data showed that the attackers maintained interactive access and data retrieval across multiple affected instances.

The campaign flow involved several stages, including device compromise, packet capture, credential harvesting, replay attacks, and lateral movement. Furthermore, infrastructure overlaps suggested coordination with Bitdefender-tracked "Curly COMrades," indicating complementary GRU subclusters handling network access and host-level persistence.
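The persistent EC2-to-attacker connections in Amazon's telemetry and the packet-capture stage of the campaign flow both show up in network metadata as one long-lived outbound session spanning many flow-log aggregation windows. The following detection sketch, added here as an illustration and not part of Amazon's report, parses constructed VPC flow log records in the default version 2 field order and flags 5-tuples to external addresses that persist across several windows; the RFC 1918 ranges used as the "internal" address space and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the default (version 2) VPC flow log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0aaa 10.0.1.5 203.0.113.7 44120 443 6 820 61000 1700000000 1700003600 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.5 203.0.113.7 44120 443 6 790 58000 1700003600 1700007200 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.5 203.0.113.7 44120 443 6 805 60500 1700007200 1700010800 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.5 10.0.2.9 51000 22 6 40 3000 1700000000 1700000120 ACCEPT OK
2 123456789012 eni-0bbb 10.0.1.6 198.51.100.3 50123 443 6 12 900 1700000000 1700000090 ACCEPT OK
"""

# Assumed VPC address space (RFC 1918); anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow_logs(text):
    """Parse default-format flow log lines; rows without data (NODATA/SKIPDATA) are dropped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        records.append({"interface_id": f[2], "srcaddr": f[3], "dstaddr": f[4],
                        "srcport": int(f[5]), "dstport": int(f[6]), "bytes": int(f[9]),
                        "start": int(f[10]), "end": int(f[11]), "action": f[12]})
    return records


def find_persistent_sessions(records, min_duration_s=3600, min_windows=2):
    """Group accepted flows to external addresses by 5-tuple and flag those spanning
    several aggregation windows, i.e. one long-lived connection rather than many short ones."""
    agg = defaultdict(lambda: {"duration_s": 0, "bytes": 0, "windows": 0})
    for r in records:
        dst = ipaddress.ip_address(r["dstaddr"])
        if r["action"] != "ACCEPT" or any(dst in net for net in INTERNAL_NETS):
            continue
        a = agg[(r["interface_id"], r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"])]
        a["duration_s"] += r["end"] - r["start"]
        a["bytes"] += r["bytes"]
        a["windows"] += 1
    hits = [{"interface_id": k[0], "srcaddr": k[1], "dstaddr": k[2], "srcport": k[3],
             "dstport": k[4], **a} for k, a in agg.items()
            if a["duration_s"] >= min_duration_s and a["windows"] >= min_windows]
    return sorted(hits, key=lambda h: -h["duration_s"])
```

In the sample, only the session from eni-0aaa to 203.0.113.7 on a single source port is flagged, because the same connection is reported in three consecutive windows; short intra-VPC and brief external flows are ignored.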

Amazon is actively investigating and disrupting sophisticated threats by notifying affected customers, remediating compromised EC2 instances, sharing intelligence with partners and vendors, and reducing the attack surface through coordinated response efforts. The company's report concludes that "through coordinated efforts, since our discovery of this activity, we have disrupted active threat actor operations and reduced the attack surface available to this threat activity subcluster."

As the security community continues to grapple with the implications of these findings, Amazon emphasizes its commitment to sharing intelligence and working collectively to defend against state-sponsored threats targeting critical infrastructure. The report serves as a stark reminder of the ongoing threat posed by nation-state actors and the importance of robust cybersecurity measures in protecting critical infrastructure.

**Key Takeaways:**

* Russian state-backed hackers targeted Western critical infrastructure between 2021 and 2025.
* Threat actors shifted from exploiting vulnerabilities to abusing misconfigured network edge devices.
* GRU/Sandworm activity linked to the campaign, with a strong focus on the energy sector.
* Amazon's telemetry reveals coordinated operations against customer network edge devices hosted on AWS.
* Persistent connections established between compromised EC2 instances and threat actor-controlled IP addresses.
* Infrastructure overlaps suggest coordination with Bitdefender-tracked "Curly COMrades."