A recently disclosed threat intelligence report describes a persistent, multi-year campaign by Russia’s Main Intelligence Directorate (GRU) to infiltrate networks in Western nations. From 2021 through 2025 the campaign methodically targeted energy sector organizations, major infrastructure providers across North America and Europe, and a range of entities whose networks run on cloud-hosted infrastructure. The activity, attributed with high confidence to the group also tracked as APT44 or Sandworm, marks a strategic shift in state-sponsored intrusion. Rather than relying solely on high-cost, high-risk zero-day exploits, the actor increasingly worked through a subtler and more sustainable vector: misconfigured network edge devices. That adaptation let it harvest credentials and move laterally while spending fewer resources and reducing its risk of exposure, which makes it a difficult adversary for defenders of critical national infrastructure.
1. A Tactical Evolution in Espionage
The operational playbook of this GRU-linked threat actor has evolved clearly over the past five years, shifting from a dependency on vulnerability exploitation to a more opportunistic approach. The campaign did use N-day and zero-day vulnerabilities, but analysis shows that activity declining over the observed period. In its place the adversary intensified its focus on a far more common and often overlooked gap: customer network edge devices whose management interfaces are exposed to the internet. The shift matters because it delivers the same operational outcomes, an initial foothold, harvested credentials and deeper movement into target networks, without the cost of developing or acquiring exploit code that is expensive to obtain and perishable once patched. By targeting common misconfigurations in enterprise routers, VPN concentrators and network management appliances, the group built a scalable method of initial access that leaves no exploit artefact to trace back to a specific vulnerability, which extends both the lifetime and the stealth of its operations. In short, the actor moved toward lower-cost, higher-yield intrusions that prey on basic security hygiene failures rather than on complex software flaws.
This adaptive strategy is illustrated by the tactics observed year over year throughout the campaign. In 2021 and 2022 the group exploited a known flaw in WatchGuard Firebox and XTM appliances (CVE-2022-26318), but always alongside broader targeting of misconfigured edge devices. The pattern continued through 2022 and 2023, when exploits for Atlassian Confluence vulnerabilities (CVE-2021-26084 and CVE-2023-22518) were used together with the same edge device targeting. By 2024 a Veeam flaw (CVE-2023-27532) had joined the arsenal, yet misconfigured infrastructure remained the constant through-line, and in 2025 the campaign focused almost exclusively on these configuration weaknesses, a sign of the adversary’s confidence in the tactic. The targets included not only routers and remote access gateways but also collaboration platforms and cloud-based project management systems: any entry point that could feed large-scale credential harvesting.
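The misconfiguration class described above is, in cloud terms, a security group that lets the whole internet reach an appliance’s management plane. As an added example (not code from the report or from Amazon), the following Python audits a security group for that condition and rewrites the offending rules. It assumes the `IpPermissions` structure returned by `aws ec2 describe-security-groups`; the sample group, the management-port list and the admin CIDR are constructed assumptions to tune to your own devices.

```python
"""Audit EC2 security groups for appliance management ports reachable from the
whole internet, and restrict them.  Added example, not code from the report or
from Amazon.  The rule layout follows the IpPermissions structure returned by
`aws ec2 describe-security-groups`; the groups, the port list and the admin
CIDR are constructed assumptions."""
import copy
import ipaddress

# Ports that commonly carry an appliance's management plane.  Assumption: replace
# with the admin ports your vendor documents.  On a VPN concentrator 443 may be
# the user-facing service port, so review 443 findings per device.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 161: "snmp", 443: "https-admin",
    8080: "http-admin", 8443: "https-admin-alt", 10443: "ssl-vpn-admin",
}
WORLD = {"0.0.0.0/0", "::/0"}


def _ports(perm):
    """Port range covered by one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":           # "All traffic" rule
        return range(0, 65536)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo < 0:       # ICMP stores type/code here, not ports
        return range(0)
    return range(lo, hi + 1)


def _sources(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_security_group(sg, mgmt_ports=MANAGEMENT_PORTS):
    """One finding per management port that a rule opens to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        world_open = sorted(s for s in _sources(perm) if s in WORLD)
        if not world_open:
            continue
        covered = _ports(perm)
        for port, name in sorted(mgmt_ports.items()):
            if port in covered:
                findings.append({"group": sg["GroupId"], "port": port, "service": name,
                                 "protocol": perm["IpProtocol"], "sources": world_open})
    return findings


def restrict_to_admin_cidrs(sg, admin_cidrs, mgmt_ports=MANAGEMENT_PORTS):
    """Copy of the group in which every world-open rule that covers a management
    port only admits admin_cidrs.  Rules that carry no management port (the
    service plane, e.g. IKE on a VPN gateway) are left as they are.  The rewrite
    replaces all sources on the affected rule, so merge any legitimate narrow
    sources into admin_cidrs first; an "All traffic" rule should be split by hand."""
    fixed = copy.deepcopy(sg)
    v4 = [c for c in admin_cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in admin_cidrs if ipaddress.ip_network(c).version == 6]
    for perm in fixed.get("IpPermissions", []):
        covered = _ports(perm)
        if not any(s in WORLD for s in _sources(perm)) or not any(p in covered for p in mgmt_ports):
            continue
        perm["IpRanges"] = [{"CidrIp": c, "Description": "admin only"} for c in v4]
        perm["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": "admin only"} for c in v6]
    return fixed


# Constructed: a VPN concentrator whose service plane (IKE/NAT-T) is rightly
# public but whose SSH and admin-UI ports face the internet as well.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
ADMIN_CIDRS = ["203.0.113.0/24"]   # constructed bastion/jump-host range

if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_SG):
        print(f"{f['group']}: {f['service']} {f['port']}/{f['protocol']} open to {f['sources']}")
    print("after fix:", audit_security_group(restrict_to_admin_cidrs(SAMPLE_SG, ADMIN_CIDRS)))
```

On the sample group the audit reports SSH on 22/tcp open to IPv4 and the 8080 and 8443 admin ports open to all of IPv6 through the 8000-9000 range, while the IKE and NAT-T rules pass because they carry no management port. In a real account the input would come from the describe call across every region, and a rule using `-1` (all traffic) to the world should be treated as exposing every management port at once.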
2. The Anatomy of a Compromise
Once an initial foothold was established, the threat actor followed a methodical, multi-stage process designed for deep network infiltration and data exfiltration. The sequence typically began with the compromise of a customer-owned network edge device hosted on cloud infrastructure, such as an Amazon EC2 instance running network appliance software. Having gained control, the attackers used the device’s native packet capture capability, a legitimate function repurposed for malicious ends, to intercept network traffic. The edge is a strategically valuable vantage point: a VPN gateway or reverse proxy terminates the encrypted session, so a capture taken on the device itself sees the credentials in the clear as users authenticate through it. With a trove of harvested credentials, the adversary moved to the next phase: replaying them against the victim organization’s other online services and internal infrastructure. The objective was not a one-time data grab but persistent access that would support deeper lateral movement through the victim’s environment and long-term intelligence gathering.
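The capture step above leaves traces on a Linux-based appliance that do not depend on what the tool is called: a capture tool must hold an AF_PACKET socket (usually bound to ETH_P_ALL) and commonly puts the interface into promiscuous mode. As an added example (not code from the report), the following Python checks those kernel-level indicators alongside a plain name search, using `/proc/net/packet`, `/proc/<pid>/fd` and `/sys/class/net/<iface>/flags`. The `/proc` and `/sys` text in the block is constructed in the kernel’s output format, and the allowlist of daemons that legitimately hold such sockets is an assumption to build from a known-good image of your own device.

```python
"""Indicators that a Linux-based appliance is being used to capture traffic.
Added example, not from the report.  It checks what a capture tool must do
(hold an AF_PACKET socket, usually ETH_P_ALL, often with the NIC promiscuous)
rather than trusting binary names, because a renamed tcpdump defeats a name
search.  The /proc and /sys text below is constructed in the kernel's format;
the owner allowlist is an assumption to tune per device image."""
import os
import re

IFF_PROMISC = 0x100        # linux/if.h
ETH_P_ALL = 0x0003         # protocol a capture socket usually binds
CAPTURE_TOOLS = re.compile(r"(?:^|/)(?:tcpdump|tshark|dumpcap|ngrep|tcpflow|ettercap)$")
# Daemons that legitimately hold AF_PACKET sockets on a typical appliance.
ALLOWED_AF_PACKET_OWNERS = {"dhclient", "dhcpcd", "lldpd", "NetworkManager"}  # assumption


def parse_proc_net_packet(text):
    """Parse /proc/net/packet: a header line, then one AF_PACKET socket per line
    (sk RefCnt Type Proto Iface R Rmem User Inode)."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        socks.append({"type": int(f[2]), "proto": int(f[3], 16),
                      "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return socks


def socket_owners(fd_links):
    """Map socket inode -> pid from /proc/<pid>/fd link targets ('socket:[N]')."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", t)
            if m:
                owners[int(m.group(1))] = pid
    return owners


def find_capture_processes(cmdlines):
    """Name-based check only: pid -> argv where argv[0] is a known capture tool."""
    return {pid: argv for pid, argv in cmdlines.items() if argv and CAPTURE_TOOLS.search(argv[0])}


def promiscuous_interfaces(flags_by_iface):
    """Interfaces whose /sys/class/net/<if>/flags value has IFF_PROMISC set."""
    return sorted(n for n, flags in flags_by_iface.items() if flags & IFF_PROMISC)


def assess(sockets, fd_links, cmdlines, allow=ALLOWED_AF_PACKET_OWNERS):
    """Findings for every AF_PACKET socket not held by an allowlisted daemon, plus
    any known capture tool that somehow holds no socket (e.g. just started)."""
    owners = socket_owners(fd_links)
    findings = []
    for s in sockets:
        pid = owners.get(s["inode"])
        argv = cmdlines.get(pid, [])
        name = os.path.basename(argv[0]) if argv else None
        if pid is None:
            findings.append({"pid": None, "argv": [], "inode": s["inode"], "proto": s["proto"],
                             "reason": "AF_PACKET socket with no visible owner (exited, or hidden process)"})
        elif name not in allow:
            findings.append({"pid": pid, "argv": argv, "inode": s["inode"], "proto": s["proto"],
                             "reason": "AF_PACKET socket held by non-allowlisted process"})
    seen = {f["pid"] for f in findings}
    for pid, argv in find_capture_processes(cmdlines).items():
        if pid not in seen:
            findings.append({"pid": pid, "argv": argv, "inode": None, "proto": None,
                             "reason": "known capture tool running"})
    return findings


def collect_live():
    """Gather the same inputs from a running Linux host (run as root to see other
    users' file descriptors)."""
    with open("/proc/net/packet") as fh:
        sockets = parse_proc_net_packet(fh.read())
    fd_links, cmdlines = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            links = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue                         # process exited, or not readable
        cmdlines[int(pid)], fd_links[int(pid)] = argv, links
    flags = {}
    for iface in os.listdir("/sys/class/net"):
        with open(f"/sys/class/net/{iface}/flags") as fh:
            flags[iface] = int(fh.read().strip(), 16)
    return sockets, fd_links, cmdlines, flags


# Constructed sample: a renamed tcpdump (pid 4321), a legitimate dhclient (812),
# a stock tcpdump (990) and one socket whose owner is not visible at all.
PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b2c3d4e50 3      3      0003   2      1 0      0      48213
ffff9a1b2c3d4e60 3      3      0800   2      1 0      0      48990
ffff9a1b2c3d4e70 3      3      0003   2      1 0      0      50001
ffff9a1b2c3d4e80 3      3      0003   3      1 0      0      50777
"""
FD_LINKS = {4321: ["/dev/null", "/tmp/.x/out.pcap", "socket:[48213]"],
            812: ["/dev/null", "socket:[48990]"],
            990: ["socket:[50001]", "/var/tmp/a.pcap"]}
CMDLINES = {4321: ["/tmp/.x/tcpdmp", "-i", "eth0", "-w", "/tmp/.x/out.pcap"],
            812: ["/sbin/dhclient", "eth0"],
            990: ["/usr/sbin/tcpdump", "-i", "any", "-w", "/var/tmp/a.pcap"]}
IFACE_FLAGS = {"eth0": 0x1103, "eth1": 0x1003, "lo": 0x9}

if __name__ == "__main__":
    for f in assess(parse_proc_net_packet(PROC_NET_PACKET), FD_LINKS, CMDLINES):
        print(f["pid"], f["argv"], f["reason"])
    print("promiscuous:", promiscuous_interfaces(IFACE_FLAGS))
```

The name search alone reports only pid 990; the socket check additionally catches the renamed binary and the orphaned socket, and `eth0` shows up as promiscuous. On an appliance that gives no shell, the equivalent signals are the vendor’s own diagnostic or capture feature being enabled and capture files appearing on the device, which is what the page’s audit advice refers to.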
The credential replay operations were not random; they were highly targeted and reflected the GRU’s strategic interests. The campaign focused primarily on the energy sector supply chain, hitting both direct operators of critical infrastructure and their third-party service providers, which shows a clear understanding of modern interconnected ecosystems, where compromising a smaller service provider can open access to a much larger and more critical target. The geographic scope was broad, spanning North America, Western and Eastern Europe and the Middle East, and touched a wide range of energy, technology and telecommunications companies. Many of the replay attempts were reportedly unsuccessful, but they still revealed the adversary’s goals: the edge device compromises were a means to an end, a preparatory step to fuel subsequent, more intrusive attacks aimed at a durable foothold in networks of high strategic importance.
3. Uncovering Operational Overlaps and Defenses
Further analysis of the campaign’s infrastructure revealed connections to other known threat clusters, suggesting a complex and possibly collaborative operational structure. A key piece of evidence was the overlap of one IP address (91.99.25[.]54) with a separate intrusion set tracked as Curly COMrades, which is also believed to operate in line with Russian interests. The shared infrastructure led to the hypothesis that the two clusters may be complementary components of a single, broader GRU campaign, with a division of labor of the kind often seen in state-sponsored operations. Under that model one subcluster, such as the one focused on edge devices, would be responsible for initial access and the initial compromise, while another, such as Curly COMrades, would handle the later phases: host-based persistence, detection evasion and the mission objectives themselves. Such specialization improves efficiency, operational security and depth of expertise, and it is consistent with established patterns of GRU cyber activity.
In response to this sustained threat, Amazon identified and notified affected customers whose cloud infrastructure was being leveraged and took direct action to disrupt the threat actor’s active operations. The nature of the campaign, however, shows that cloud provider action alone is not enough; customer vigilance is essential. Organizations were strongly advised to audit all network edge devices, looking specifically for unexpected or unauthorized packet capture utilities that could indicate a compromise. Strong authentication, such as multi-factor authentication across all services, was highlighted as a critical defense against credential replay. Security teams were also urged to monitor for authentication attempts from unexpected geographic locations and to watch for the distinctive patterns of credential replay against their online services. These measures, securing the network perimeter and validating user identity, were the most effective countermeasures against this adaptive and persistent adversary.
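The replay pattern the advice above asks teams to watch for has a concrete shape in authentication logs: one source presenting many harvested accounts to several services within minutes, and successes arriving from places the organization’s users never sign in from. As an added example (not code from the report), the following Python runs those checks over a small set of log lines. The log format, the country column standing in for whatever GeoIP enrichment a gateway adds, the thresholds and the expected-country set are all constructed assumptions to adapt to a real SSO, VPN or mail gateway schema.

```python
"""Detect credential-replay patterns in authentication logs.  Added example, not
from the report.  Lines are constructed in a simple whitespace format
(timestamp user service result source_ip country); the country column stands in
for the GeoIP enrichment your gateway adds, and the thresholds and expected
country set are assumptions to tune."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXPECTED_COUNTRIES = {"US", "CA"}   # assumption: where this org's staff normally sign in from

# Constructed sample.  ZZ is a placeholder country code (ISO reserves it for "unknown").
SAMPLE_LOG = """\
2025-03-02T08:00:11Z alice webmail success 203.0.113.10 US
2025-03-02T08:01:40Z bob   vpn     success 203.0.113.11 US
2025-03-02T21:13:00Z alice vpn     failure 198.51.100.7 ZZ
2025-03-02T21:13:05Z alice webmail failure 198.51.100.7 ZZ
2025-03-02T21:13:09Z alice m365    success 198.51.100.7 ZZ
2025-03-02T21:14:00Z bob   vpn     failure 198.51.100.7 ZZ
2025-03-02T21:14:02Z bob   webmail failure 198.51.100.7 ZZ
2025-03-02T21:14:30Z carol vpn     failure 198.51.100.7 ZZ
2025-03-03T07:58:00Z carol webmail success 203.0.113.12 CA
"""


def parse_events(text):
    """Parse the sample format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, service, result, src, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "user": user, "service": service, "result": result,
                       "src": src, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def replay_sources(events, window=timedelta(minutes=10), min_users=3, min_services=2):
    """Source IPs that, inside `window`, present >= min_users distinct accounts to
    >= min_services distinct services: a harvested credential set being replayed.
    Failures and successes both count; captured passwords are often still valid."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):          # sliding window anchored at each event
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in span}
            services = {e["service"] for e in span}
            if len(users) >= min_users and len(services) >= min_services:
                hits[src] = {"users": users, "services": services,
                             "first": span[0]["ts"], "last": span[-1]["ts"],
                             "successes": [(e["user"], e["service"]) for e in span
                                           if e["result"] == "success"]}
                break
    return hits


def unexpected_geo_successes(events, expected=EXPECTED_COUNTRIES):
    """Successful logins from outside the countries the org expects."""
    return [e for e in events if e["result"] == "success" and e["country"] not in expected]


def cross_service_reuse(events, window=timedelta(minutes=10)):
    """(user, src, services) where one source tries the same account against
    several services in quick succession: the per-account signature of replay,
    visible even below the replay_sources thresholds."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    out = []
    for (user, src), evs in by_key.items():
        for i, start in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(services) >= 2:
                out.append((user, src, sorted(services)))
                break
    return sorted(out)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for src, h in replay_sources(ev).items():
        print(f"replay from {src}: {sorted(h['users'])} against {sorted(h['services'])}, "
              f"successes={h['successes']}")
    for e in unexpected_geo_successes(ev):
        print(f"unexpected-country success: {e['user']} on {e['service']} from {e['src']} ({e['country']})")
    print("cross-service reuse:", cross_service_reuse(ev))
```

The geographic rule alone would miss a replay run from infrastructure inside an expected country, which is why the source-level and per-account rules are kept separate from it; in the sample, the burst from 198.51.100.7 trips all three, and the one success in that burst (alice on m365) is the login to investigate first.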
