AWS: Edge Devices On AWS Infrastructure Targeted By Russian Cyberattacks In ‘Yearslong’ Campaign

Russian Sandworm Hackers Target Misconfigured AWS Edge Devices in Multi-Year Campaign

Amazon’s Threat Intelligence unit has confirmed that Russian state-sponsored hackers, identified as the Sandworm group (linked to Russia’s GRU military intelligence), conducted a yearslong cyberattack campaign in 2025 targeting misconfigured network edge devices hosted on AWS infrastructure. The attacks focused on energy sector organizations and businesses with cloud-hosted network infrastructure, primarily in Western nations, North America, and Europe.

The hackers exploited exposed management interfaces on customer-owned edge devices such as enterprise routers, VPN concentrators, and remote access gateways to gain initial access, harvest credentials, and move laterally within victim networks. Amazon’s Chief Information Security Officer (CISO), CJ Moses, emphasized that the attacks were not due to AWS vulnerabilities but rather customer misconfigurations, which the threat actors leveraged to maintain persistent access while minimizing detection risks.

This campaign marks an evolution in Sandworm’s tactics, shifting from zero-day and N-day exploits (used in prior years, including WatchGuard and Veeam vulnerabilities in 2021–2024) to low-effort targeting of misconfigured devices, a strategy Moses described as a "concerning adaptation" that achieves the same objectives with reduced resource expenditure. The group’s operations have spanned at least five years, with a sustained focus on critical infrastructure, particularly the energy sector.

Amazon has disrupted active threat operations and notified affected customers, though no AWS-specific patches are required. The company continues to collaborate with the security community to counter state-sponsored threats targeting cloud environments. Network analysis revealed that actor-controlled IP addresses established persistent connections to compromised EC2 instances running customer-managed network appliances.
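As an added example (not code from the article, Amazon, or AWS), the following check walks the output of `aws ec2 describe-security-groups` and flags the root cause the article describes: management ports on customer-managed appliances reachable from any address. The list of management ports and the sample response are constructed assumptions.

```python
# Audit a describe-security-groups response for management ports open to the internet.
import ipaddress
import json

# Ports commonly used by management interfaces on routers, VPN concentrators
# and remote-access gateways (assumed list; tune it to the appliances you run).
MANAGEMENT_PORTS = {22, 23, 161, 443, 4443, 8443, 8080}
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

def port_range(perm):
    """Return (from, to) for one permission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def is_world_open(perm):
    """True if any IPv4 or IPv6 range in the permission is the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False) in (ANY_V4, ANY_V6) for c in cidrs)

def exposed_management_ports(security_groups):
    """Map group id -> sorted management ports reachable from anywhere."""
    findings = {}
    for sg in security_groups:
        hits = set()
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "udp", "-1"):
                continue  # icmp and other protocols carry no management port
            if not is_world_open(perm):
                continue
            lo, hi = port_range(perm)
            hits.update(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
        if hits:
            findings[sg["GroupId"]] = sorted(hits)
    return findings

# Constructed sample response (shape follows the describe-security-groups API).
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
 {"GroupId": "sg-0bbb", "IpPermissions": [
   {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")

if __name__ == "__main__":
    for gid, ports in exposed_management_ports(SAMPLE["SecurityGroups"]).items():
        print(f"{gid}: management ports open to the internet: {ports}")
```

Restricting the flagged rules to the organisation's own address ranges, or removing the public management listener entirely in favour of Session Manager or a VPN-only path, closes the exposure the article attributes to customer misconfiguration.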

Source: https://www.crn.com/news/cloud/2026/aws-infrastructure-targeted-by-russian-cyberattacks-in-years-long-campaign-copy

Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services
