
Amazon: Russian GRU hackers favor misconfigured devices over vulnerabilities


Amazon Threat Intelligence reports Russian GRU hackers are increasingly breaking into critical infrastructure by abusing misconfigured devices instead of exploiting software vulnerabilities.

Russian state-sponsored threat actors linked to the GRU (Glavnoye Razvedyvatelnoye Upravleniye, or Main Intelligence Directorate) are increasingly breaking into critical infrastructure networks by exploiting basic configuration mistakes rather than software vulnerabilities, according to new research from Amazon Threat Intelligence.

Amazon attributes the activity with high confidence to Sandworm, also tracked as APT44 and Seashell Blizzard. The campaign has targeted energy providers and other critical infrastructure organisations across North America and Europe since at least 2021. Amazon also identified infrastructure overlap with a group Bitdefender tracks as Curly COMrades, which appears to handle post-compromise activity.

Between 2021 and 2024, the attackers frequently relied on exploiting known and zero-day vulnerabilities to gain access. Amazon observed exploitation of flaws in WatchGuard firewalls, Atlassian Confluence, and Veeam backup software. In 2025, that ...


This is an excerpt; the story is copyright hackread.com, where the full text is available.