Russia’s GRU Linked to Breaches in Critical Infrastructure Cloud Systems

Misconfigured Customer Network Edge Devices Under Attack, Researchers Warn

Cybersecurity experts are sounding the alarm as Russian hackers exploit misconfigured network-edge devices to gain unauthorized access to critical infrastructure systems. According to intelligence shared by Amazon Web Services, these weaknesses are being targeted more and more often in a campaign that has been running since 2021.

The targeting is broad: enterprise routers, VPNs, network management tools, and collaboration platforms serving electric utilities and energy providers across North America, Europe, and the Middle East. Telecommunications firms are also at significant risk, raising serious concerns about the potential fallout from such breaches.

Researchers attribute these activities to the GRU, the Russian military's foreign intelligence agency, mainly on the basis of telemetry previously associated with the hacking group dubbed Sandworm. This group, also tracked as APT44 and Seashell Blizzard, uses sophisticated methods, including tradecraft known as "Curly COMrades," which suggests that multiple teams may be working together to carry out these operations.

Initially, the hackers leveraged zero-day vulnerabilities to break into networks; in recent years, however, they have shifted their strategy to exploiting misconfigurations. CJ Moses, Amazon's Chief Information Security Officer, noted that this tactical evolution preserves operational effectiveness while reducing the attackers' risk of exposure.

AWS's investigation indicates that many breaches stemmed from misconfigured customer-operated edge devices rather than from weaknesses in AWS services. These compromises gave the attackers persistent unauthorized access to systems running network appliance software on Elastic Compute Cloud (EC2) instances, enabling the theft of data, including sensitive credentials that were then used in replay attacks.

In an effort to mitigate these risks, AWS informed affected clients and provided guidance on securing compromised instances, including immediate priority actions for 2026. Recommendations stress the importance of auditing network devices, activating multi-factor authentication, and monitoring for signs of unauthorized access.

Bitdefender recently unveiled additional information about the Curly COMrades threat actor, which uses malware such as CurlyShell to exfiltrate data. This group employs virtualization techniques on compromised systems, allowing them to create covert operating environments that evade traditional detection efforts.

By leveraging virtualization features, attackers can establish long-term access to compromised networks while often bypassing endpoint detection and response (EDR) systems. This underscores the need for comprehensive security measures, including host-based network monitoring, to counter such sophisticated attacks effectively.