Russian Cyber Operations Shift to Targeting Western Critical Infrastructure

17 December 2025 08:54

New details emerge from an Amazon Threat Intelligence report that highlight an alarming shift in Russian government-backed cyber operations.

The use of high-end 0-day exploits, long a hallmark of state-sponsored actors, has declined significantly, according to Amazon data covering the period 2021-2025.

Previously, these groups were considered the primary perpetrators of such operations. However, they now appear to be focusing on a different approach, aiming to exploit opportunities overlooked by system administrators.

Abandoning its previous strategy of complex software exploits, the group associated with the fearsome Sandworm (also known as APT44) has adopted a stealthier and more direct approach.

Based on consistent targeting patterns and infrastructure overlap, Amazon Threat Intelligence assesses with “high confidence that this cluster of activity is associated with the Russian Main Intelligence Directorate (GRU).” This pattern involves targeting poorly configured edge network devices to compromise critical infrastructure across the West.

This report highlights that a key strategic element has allowed these entities to secure a stable presence within essential networks, without significantly increasing their visibility.

“Targeting low-hanging fruit, such as likely misconfigured customer devices with exposed management interfaces, achieves the same strategic goals,” the report notes. By targeting out-of-date or poorly secured routers, VPN concentrators, and network management devices, attackers can harvest credentials and move laterally without burning expensive software exploits.

“The time lag between device compromise and authentication attempts against victim services suggests passive collection rather than active credential theft,” analysts noted.

These stolen credentials are then weaponized in “systematic attacks against the online services of victim organizations,” allowing spies to move from network devices to cloud collaboration platforms and project management systems.
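The two indicators described above, a lag between the device compromise and the later use of harvested credentials, followed by systematic authentication attempts against cloud services, lend themselves to log-based detection. The script below is an added illustration and is not code from the Amazon report or from Red Hot Cyber: the log format, the internal address prefix, the baseline period and the thresholds are assumptions, and the log lines are constructed for the example. It learns each user's usual successful login sources during a baseline window, then flags later successful logins from external sources the user has never used, and separately flags any single source that touches many distinct accounts within a short window.

```python
"""Detect delayed replay of harvested credentials against cloud services.

Added example, not from the report or the site. Assumptions: one event per
line as "<ISO timestamp> <user> <source IP> <success|failure>", the
organisation's own address space starts with 10.20., and the thresholds below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events from a cloud collaboration
# platform. The external address 203.0.113.77 is a documentation-range IP.
SAMPLE_LOG = """\
2025-12-01T08:02:11Z alice 10.20.0.15 success
2025-12-01T08:05:40Z bob 10.20.0.22 success
2025-12-02T09:14:03Z alice 10.20.0.15 success
2025-12-09T22:41:05Z alice 203.0.113.77 success
2025-12-09T22:41:09Z bob 203.0.113.77 failure
2025-12-09T22:41:12Z carol 203.0.113.77 failure
2025-12-09T22:41:15Z dave 203.0.113.77 success
2025-12-09T22:41:20Z erin 203.0.113.77 failure
2025-12-10T08:00:00Z bob 10.20.0.22 success
"""

KNOWN_INTERNAL_PREFIXES = ("10.20.",)   # assumed: the organisation's own ranges
BASELINE_DAYS = 7                       # assumed: learning period for usual sources
SPRAY_WINDOW = timedelta(minutes=10)    # assumed: window for the multi-account check
SPRAY_MIN_ACCOUNTS = 4                  # assumed: distinct accounts from one source


def parse(log_text):
    """Parse the assumed log format into a time-sorted list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "ok": result == "success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def baseline_sources(events, cutoff):
    """Map user -> set of source IPs seen in successful logins before cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            seen[e["user"]].add(e["ip"])
    return seen


def find_new_source_logins(events):
    """Successful logins, after the baseline period, from an external IP the
    user never used during the baseline. Returns (user, ip, timestamp) tuples."""
    cutoff = events[0]["ts"] + timedelta(days=BASELINE_DAYS)
    baseline = baseline_sources(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff or not e["ok"]:
            continue
        if e["ip"].startswith(KNOWN_INTERNAL_PREFIXES):
            continue  # internal sources are out of scope for this check
        if e["ip"] not in baseline.get(e["user"], set()):
            alerts.append((e["user"], e["ip"], e["ts"]))
    return alerts


def find_multi_account_sources(events):
    """Sources that attempt many distinct accounts within SPRAY_WINDOW, the
    signature of harvested credentials being tried systematically.
    Returns {ip: max distinct accounts seen in one window}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)   # events are already time-sorted
    hits = {}
    for ip, evs in by_ip.items():
        j = 0
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[j]["ts"] > SPRAY_WINDOW:
                j += 1             # slide the window start forward
            accounts = {x["user"] for x in evs[j:i + 1]}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                hits[ip] = max(hits.get(ip, 0), len(accounts))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for user, ip, ts in find_new_source_logins(evs):
        print(f"new external source: {user} from {ip} at {ts.isoformat()}")
    for ip, n in find_multi_account_sources(evs).items():
        print(f"multi-account source: {ip} touched {n} accounts within {SPRAY_WINDOW}")
```

In real deployments the baseline would come from weeks of identity-provider logs rather than the first week of a file, and the "external" test would use a proper allow-list of corporate egress addresses; the point of the two checks is that a slow, passive credential harvest shows up not at the edge device but as a later burst of logins from one unfamiliar source across many accounts.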

The campaign’s impact overlaps with operations previously attributed to Sandworm, a group known for its destabilizing attacks on the Ukrainian power grid. Researchers also found links to a cluster that Bitdefender tracks as “Curly COMrades,” suggesting a potential division of labor in which one team manages initial access while another manages persistence.

Once inside a compromised edge device, attackers don’t just target and steal; they listen. The report suggests the group uses the device’s native packet capture capabilities to passively intercept authentication traffic.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.