Russian GRU Hackers Target Western Firms via Edge Devices

Summary
– A Russian state-sponsored threat actor, attributed with high confidence to the GRU, has shifted tactics from exploiting software vulnerabilities to targeting misconfigured customer network edge devices.
– This campaign has targeted critical infrastructure organizations in Western nations, particularly in the energy sector, between 2021 and 2025.
– The tactical shift to exploiting device misconfigurations, including on AWS-hosted devices, achieves the same goals of persistent access and credential harvesting while reducing the actor’s exposure.
– The operation shows infrastructure overlaps with other GRU-linked groups like Sandworm and ‘Curly COMrades’, suggesting complementary operations within a broader GRU campaign.
– Researchers assess this represents a division of labor, with specialized subclusters handling network access and host-based persistence, aligning with known GRU operational patterns.
A sophisticated and persistent cyber campaign, attributed to Russian military intelligence, has pivoted its strategy to exploit misconfigured network edge devices in Western critical infrastructure. This shift marks a significant evolution from the group’s previous reliance on software vulnerabilities, allowing it to maintain access to sensitive networks while reducing its own operational footprint. Security researchers at Amazon Threat Intelligence have documented this tactical change, linking the activity with high confidence to Russia’s Main Intelligence Directorate, known as the GRU. The campaign has targeted energy sector organizations and infrastructure providers across North America and Europe over several years.
Historically, this unnamed threat actor gained initial access by exploiting known vulnerabilities in widely used software, including flaws in WatchGuard firewalls, Atlassian Confluence servers, and Veeam backup systems. Throughout 2025, however, its focus moved decisively toward compromising misconfigured customer-owned edge devices. Such devices, which include enterprise routers, VPN gateways, and network management appliances, often serve as an organization’s digital front door. By abusing weak configurations rather than software bugs, the attackers reach the same goal, a stealthy foothold inside critical networks, without needing a working exploit for a patched product.
These misconfigurations exist on the customer’s side of the shared-responsibility boundary, not within the underlying cloud infrastructure itself: the group has targeted devices hosted on various platforms, including Amazon Web Services (AWS), but the weakness is in how the customer configured the device, not in the provider’s platform. The resulting access is used for credential harvesting and lateral movement into an organization’s core online services and infrastructure. Because the approach requires no vulnerability research or exploit development, it lowers the actor’s exposure and resource expenditure, making its operations more efficient and harder to trace.
Once inside a network, the group employs a range of techniques. Beyond establishing persistence, it systematically harvests credentials from the compromised infrastructure. The stolen credentials are then replayed against the victim’s other online services, so that the attackers’ logins blend in with legitimate user activity while expanding their control. This pattern reflects a solid understanding of the victims’ network architecture and identity management systems.
Attribution to the GRU is based on overlaps in the digital infrastructure used in these attacks with previous operations linked to known GRU-associated groups like Sandworm. Furthermore, this latest campaign shows connections to another cluster tracked by cybersecurity firm Bitdefender as ‘Curly COMrades.’ That group was observed using sophisticated methods to evade detection, including abusing Microsoft’s Hyper-V technology to deploy custom malware implants. Analysts assess that these may be complementary operations within a broader GRU campaign, with different subclusters specializing in network access versus host-based persistence and evasion. This division of labor aligns with known GRU operational patterns, where specialized teams work in concert to support overarching strategic objectives. The continued targeting of Western critical infrastructure underscores the persistent and adaptive nature of state-sponsored cyber threats.
(Source: Info Security)


