
Amazon’s threat intelligence team has revealed details of a “multiyear-long” Russian state-led campaign targeting critical infrastructure in the West from 2021 to 2025.
Targets of the campaign included organizations in the energy sector in Western countries, critical infrastructure providers in North America and Europe, and companies with cloud-hosted network infrastructure. This activity is believed with high confidence to be the work of APT44, a group affiliated with GRU, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear.
This activity was notable for using a misconfigured customer network edge device with an exposed management interface as the initial access vector, indicating a shift in attacks targeting critical infrastructure, the tech giant said, as N-day and zero-day vulnerability exploitation activity declines over time.
“This tactical adaptation reduces risk and resource expenditure for attackers while enabling the same operational outcomes, credential collection, and lateral movement into victim organizations’ online services and infrastructure,” said CJ Moses, chief information security officer (CISO) at Amazon Integrated Security.

This attack was found to utilize the following vulnerabilities and tactics over a five-year period.
2021-2022 – Exploitation of WatchGuard Firebox and XTM flaws (CVE-2022-26318) and targeting of misconfigured edge network devices
2022-2023 – Exploitation of Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518) and continuous targeting of misconfigured edge network devices
2024 – Exploitation of a Veeam flaw (CVE-2023-27532) and continuous targeting of misconfigured edge network devices
2025 – Continuous targeting of misconfigured edge network devices
According to Amazon, the intrusion identified enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.
Given attackers’ ability to strategically position themselves at the network edge and intercept sensitive information in transit, these efforts are likely designed to facilitate large-scale credential collection. Telemetry data also revealed what was described as a coordinated attempt to target misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure.
“Network connectivity analysis showed that attacker-controlled IP addresses established persistent connections to compromised EC2 instances operating customer network appliance software,” Moses said. “Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”
Additionally, Amazon said it observed credential replay attacks against victim organizations’ online services as part of an attempt to gain a deeper foothold into targeted networks. Although these attempts are assessed as unsuccessful, they lend weight to the aforementioned hypothesis that the attackers are harvesting credentials from the compromised customer network infrastructure for subsequent attacks.
The entire attack unfolds as follows.
1. Compromise a customer’s network edge device hosted on AWS
2. Leverage native packet capture capabilities
3. Collect credentials from intercepted traffic
4. Replay credentials against the victim organization’s online services and infrastructure
5. Establish persistent access for lateral movement

The credential reclamation operation targets energy, technology/cloud services, and communications service providers in North America, Western Europe, Eastern Europe, and the Middle East.
“This target setting demonstrates our continued focus on the energy sector supply chain, including both direct operators and third-party service providers with access to critical infrastructure networks,” Moses said.
Interestingly, this set of intrusions also overlaps in infrastructure with another cluster that Bitdefender tracks under the name Curly COMrades, which is believed to be operating with interests aligned with Russia since late 2023. This raises the possibility that the two clusters may be conducting complementary activities within a broader campaign carried out by the GRU.
“This potential division of operations is consistent with the GRU operational pattern of specialized sub-clusters supporting broader campaign objectives, with one cluster focusing on network access and initial compromise and another cluster handling host-based persistence and evasion,” Moses said.
Amazon said it has identified and notified affected customers and disrupted the efforts of an active attacker targeting its cloud services. The company also recommends that organizations audit all network edge devices for unexpected packet capture utilities, implement strong authentication, monitor authentication attempts from unexpected geographic locations, and monitor for credential replay attacks.
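The last two recommendations can be turned into simple detections. The following is an added example (not code from Amazon’s report) that runs over constructed authentication log lines and flags two signals of replayed harvested credentials: a successful login from a country outside an account’s assumed baseline, and one source IP attempting several distinct accounts within a short window. The log format, baseline table and thresholds are assumptions.

```python
"""Credential-replay detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, GeoIP country, outcome.
SAMPLE_LOG = """\
2025-11-03T08:01:10Z alice 203.0.113.7 US success
2025-11-03T08:02:44Z bob 203.0.113.7 US success
2025-11-03T09:15:02Z alice 198.51.100.9 RO success
2025-11-03T09:15:05Z bob 198.51.100.9 RO failure
2025-11-03T09:15:09Z carol 198.51.100.9 RO failure
2025-11-03T09:15:12Z dave 198.51.100.9 RO success
2025-11-03T09:15:20Z erin 198.51.100.9 RO failure
2025-11-03T11:40:00Z carol 203.0.113.8 US success
"""

# Assumed baseline: countries each account normally authenticates from.
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"},
                      "dave": {"US"}, "erin": {"US"}}


def parse_log(text):
    """Parse whitespace-separated log lines into (ts, user, ip, country, outcome)."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, ip, country, outcome))
    return events


def unexpected_geo_logins(events, expected):
    """Successful logins from a country outside the account's baseline."""
    return [(user, ip, country) for _, user, ip, country, outcome in events
            if outcome == "success" and country not in expected.get(user, set())]


def replay_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """Source IPs that try >= min_accounts distinct accounts inside one window.

    Returns {ip: set_of_accounts}; failures count too, since replayed
    credentials that have since been rotated still show the same pattern.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, _, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide window over attempts
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged
```

A mixed success/failure burst from one address, as in the sample, is what a replay of captured credentials looks like after some passwords have been rotated and others have not.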
