Particle.news

Amazon Links Multi-Year Critical-Infrastructure Hacks to Russia’s GRU as It Disrupts Activity on AWS

The attackers increasingly abuse misconfigured network edge appliances to intercept traffic and harvest credentials.

Overview

  • Amazon disclosed a campaign running from 2021 to 2025 and attributed it with high confidence to GRU-linked clusters, noting overlaps with Sandworm/APT44 and Bitdefender’s Curly COMrades.
  • The targeting centers on the energy sector supply chain and other critical infrastructure, including utilities, managed service providers, telecoms, collaboration platforms and source-code repositories across North America, Europe and the Middle East.
  • In 2025 the actor reduced zero-day and N-day exploitation in favor of compromising customer-managed edge devices, many deployed as virtual appliances with exposed management interfaces.
  • Post-compromise activity included persistent connections to EC2-hosted appliances, packet capture to collect credentials and credential-replay attempts against victims’ online services for lateral movement.
  • Amazon says it has been disrupting the operations on AWS, notifying and remediating affected customers, sharing indicators with partners and law enforcement, and urging audits of edge devices, strong authentication, segmentation and AWS logging and monitoring controls.
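The last two points describe the exposure path (virtual appliances with management interfaces reachable from the internet) and the recommended response (auditing edge devices and tightening AWS controls). The following script is an added example written for this page, not tooling from Amazon or the article: it audits inbound security-group rules for management ports that are open to the whole internet, including rules that grant all protocols (`IpProtocol` of `-1`) or broad port ranges that happen to cover a management port. The input mirrors the shape of an EC2 `DescribeSecurityGroups` response, but every group id, CIDR and rule below is constructed, and the list of management ports is an assumption to be adjusted to the appliance in use.

```python
"""Audit EC2-style security-group rules for management ports reachable from anywhere.

Added example, not Amazon's tooling. The data structure mirrors the shape of
the EC2 DescribeSecurityGroups response, but all values below are constructed.
"""
import ipaddress

# Assumed management ports for a virtual edge appliance (SSH, HTTPS admin UI,
# alternate HTTPS admin UI). Adjust to the appliance actually deployed.
MGMT_PORTS = {22: "ssh", 443: "https-admin", 8443: "https-admin-alt"}

# "Anywhere" sources: the unrestricted IPv4 and IPv6 networks.
UNRESTRICTED = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def _ports_hit(perm, mgmt_ports):
    """Return the management ports a single IpPermission entry would allow."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols => every port is open
        return set(mgmt_ports)
    if proto not in ("tcp", "6"):          # only TCP management services are audited
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in mgmt_ports if lo <= p <= hi}


def _sources(perm):
    """Yield every CIDR (v4 and v6) that a rule accepts traffic from."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_exposed_management_rules(security_groups, mgmt_ports=MGMT_PORTS):
    """Return (group id, port, service, source CIDR) for every management port
    that an inbound rule opens to the unrestricted internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            hit = _ports_hit(perm, mgmt_ports)
            if not hit:
                continue
            for cidr in _sources(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                if net in UNRESTRICTED:
                    for port in sorted(hit):
                        findings.append((sg["GroupId"], port, mgmt_ports[port], cidr))
    return findings


# Constructed sample: three security groups attached to virtual appliances.
# Group ids are placeholders, not real AWS identifiers.
SAMPLE_SGS = [
    {   # Admin UI open to the world; SSH correctly limited to an internal range;
        # a broad port range that silently covers the alternate admin port.
        "GroupId": "sg-EXAMPLE-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # "Allow all" rule from any IPv6 address: every management port is exposed.
        "GroupId": "sg-EXAMPLE-v6",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # Management restricted to internal space and one allow-listed range
        # (203.0.113.0/24 is a documentation range, used here as a constructed value).
        "GroupId": "sg-EXAMPLE-ok",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "192.168.1.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for group_id, port, service, cidr in find_exposed_management_rules(SAMPLE_SGS):
        print(f"{group_id}: {service} (tcp/{port}) reachable from {cidr}")
```

Running the block against the constructed sample reports five findings: two for the first group (the admin UI on 443 and the alternate admin port caught by the 8000-9000 range) and three for the IPv6 "allow all" group, while the third group produces none. Against a live account the same function can be fed the `SecurityGroups` list returned by `describe-security-groups`; rules that pass this check should still be reviewed for overly broad non-private sources, which the example deliberately leaves out of scope.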