Russian state hackers targeted Western critical infrastructure for years, Amazon says
Amazon disclosed a years-long Russian state-backed cyber campaign targeting Western critical infrastructure from 2021 to 2025.
Pierluigi Paganini
December 17, 2025

Amazon Threat Intelligence reports a long-running Russian state-backed campaign (2021–2025) targeting Western critical infrastructure. The threat actors shifted from exploiting software vulnerabilities to abusing misconfigured network edge devices, which enabled credential theft and lateral movement at lower risk of detection. The researchers linked the campaign with high confidence to GRU/Sandworm (aka APT44 and Seashell Blizzard) activity; the attacks heavily target the energy sector.