Full Report
Researchers said attackers linked to Russia’s military intelligence agency have moved away from vulnerability exploits and now focus on poorly configured network edge devices to keep their access to target networks. The post Amazon warns that Russia’s Sandworm has shifted its tactics appeared first on CyberScoop.
Analysis Summary
# Threat Actor: SANDWORM (APT44 / Seashell Blizzard)
## Attribution & Identity
* **Attribution:** Linked to Russia’s Main Intelligence Directorate (GRU).
* **Aliases/Known Associations:** Sandworm, APT44, Seashell Blizzard.
## Activity Summary
Sandworm is engaged in an ongoing campaign targeting Western-based critical infrastructure, with a special focus on the energy sector, dating back to 2021. In 2025, the group simplified its operations by shifting focus away from complex vulnerability exploitation toward leveraging poorly configured network edge devices hosted on Amazon Web Services (AWS) as the primary initial access vector. This shift allows them to achieve strategic goals at a lower cost and with less risk of operational exposure compared to more detectable vulnerability exploitation. Amazon Threat Intelligence has shared remediation and investigation intelligence with affected customers and partners.
## Tactics, Techniques & Procedures
The TTPs have evolved:
* **Historical/Initial Access (2021-2024):** Relied heavily on vulnerability exploitation.
  * Exploited CVE-2022-26318 (WatchGuard)
  * Exploited CVE-2021-26084 (Confluence)
  * Exploited CVE-2023-22518 (Confluence)
  * Exploited CVE-2023-27532 (Veeam)
* **Current/Recent (2025 Focus):** Shifted to targeting misconfigurations.
  * Initial access via compromised customer network edge devices hosted on AWS (e.g., enterprise routers, routing infrastructure, large-organization VPNs, remote-access gateways, network-management appliances).
  * Post-compromise tactics involve capturing data traversing the network to steal credentials.
  * Reuse of stolen credentials to maintain access across victim organizations' other services and infrastructure.
* **MITRE ATT&CK IDs:** Not explicitly listed in the provided text.
## Targeting
* **Sectors:** Critical infrastructure, specifically the energy sector (electric utilities, energy providers), managed security service providers specializing in energy, collaboration platforms, source code repositories, telecom providers, and organizations with cloud-based network infrastructure.
* **Geography:** Western-based organizations, critical infrastructure providers in North America and Europe, and telecom providers across multiple regions. Historically targets Russia’s near abroad, Western electoral systems, and institutions in NATO member countries.
* **Victims:** Affected customers identified by Amazon, electric utilities, energy providers, and MSSPs specializing in the energy sector.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly mentioned in the provided context.
* **Infrastructure:** Malicious infrastructure overlaps with known Sandworm operations. Initial access utilized network edge devices hosted on Amazon Web Services (AWS).
## Implications
The shift from complex N-day/zero-day exploitation to targeting customer configuration errors (misconfigurations) lowers the barrier to entry for the actor, reduces their risk profile, and indicates a sustained, cost-effective approach to maintaining long-term access to high-value critical infrastructure targets. Sandworm remains one of the most notorious state-sponsored threat groups, historically associated with disrupting power distribution in Ukraine.
## Mitigations
* **Secure Network Edge/Cloud Configuration:** Organizations must rigorously review and correctly configure network edge devices, enterprise routers, VPNs, remote-access gateways, and network-management appliances hosted on cloud environments like AWS, as improper setup is now a primary entry point.
* **Credential Hygiene:** Rotate and tightly manage credentials, especially after any suspected compromise, since attackers prioritize credential theft for lateral movement and persistent access.
* **Vulnerability Management:** Although exploitation has decreased, continued patching of known vulnerabilities (N-days) remains necessary, since the group's historical activity shows it will still use them when available.
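The first mitigation above turns on a concrete question: does any rule expose the management plane of a cloud-hosted edge device to the whole internet? The following check, an added example that is not code from the report, Amazon or CyberScoop, audits simplified security-group records for exactly that; the port list, group ids, rules and addresses are all assumptions constructed for the example.

```python
from ipaddress import ip_network

# Ports used to administer edge devices (assumed list, not from the report).
# The user-facing service port of a VPN (443) is deliberately absent: it is the
# management plane, not the service itself, that should never face the internet.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp",
                    830: "netconf", 8443: "https-admin"}

def rule_is_world_open(rule):
    """True if any source CIDR covers the whole IPv4 or IPv6 space."""
    return any(ip_network(c, strict=False).prefixlen == 0
               for c in rule.get("cidrs", []))

def rule_management_ports(rule):
    """Management ports inside the rule's port range (AWS uses -1 for all)."""
    lo, hi = rule.get("from_port", -1), rule.get("to_port", -1)
    if lo == -1 or hi == -1:
        return set(MANAGEMENT_PORTS)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}

def audit_security_group(sg):
    """Return (group id, port, service) for every management port that an
    ingress rule of this group exposes to the entire internet."""
    findings = []
    for rule in sg["ingress"]:
        if not rule_is_world_open(rule):
            continue
        for port in sorted(rule_management_ports(rule)):
            findings.append((sg["id"], port, MANAGEMENT_PORTS[port]))
    return findings

def audit_all(groups):
    return [f for sg in groups for f in audit_security_group(sg)]

# Constructed sample groups shaped like a simplified describe-security-groups
# result; ids, rules and addresses are invented for this example.
SAMPLE_GROUPS = [
    {"id": "sg-vpn-gateway", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]},
    ]},  # service port public, SSH internal only: no finding
    {"id": "sg-core-router", "ingress": [
        {"protocol": "-1", "from_port": -1, "to_port": -1, "cidrs": ["::/0"]},
    ]},  # everything open to the IPv6 internet: every management port flagged
    {"id": "sg-netmgmt-appliance", "ingress": [
        {"protocol": "udp", "from_port": 161, "to_port": 162, "cidrs": ["203.0.113.0/24"]},
        {"protocol": "tcp", "from_port": 8443, "to_port": 8443, "cidrs": ["0.0.0.0/0"]},
    ]},  # SNMP scoped to one /24 is fine; the admin UI on 8443 is not
]
```

Run against real data, the same functions take the Security Groups from a describe-security-groups call once its IpPermissions entries are mapped into this simplified shape.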