Russia’s GRU Linked to Breaches of Critical Infrastructure Cloud Systems


Researchers Sound Alarm Over Misconfigured Customer Network Edge Devices


Cybersecurity experts have issued a warning about the risks posed by misconfigured network edge devices, emphasizing that these oversights can enable hackers to repurpose routers or VPNs for malicious activities without relying on sophisticated exploits. The warning follows a security alert concerning ongoing Russian cyber operations targeting essential infrastructure across North America, Europe, and the Middle East.

Since 2021, Russian state-sponsored hackers have focused their efforts on breaching enterprise routers, VPNs, network management appliances, and collaborative platforms primarily used by energy sector organizations. According to Amazon Web Services’ threat intelligence, other key targets in this campaign include telecommunications providers and various types of critical infrastructure.

The cyber operations have been linked to the GRU, the Russian military intelligence. This attribution is supported by telemetry data associated with the well-known hacking group Sandworm, also recognized as APT44. Researchers noted that their methodology incorporates tradecraft termed “Curly COMrades,” which may involve multiple teams within the GRU working collaboratively.

Initial phases of the campaign saw attackers exploit both zero-day vulnerabilities and known exploits to infiltrate networks; however, over time, their focus has shifted towards leveraging device misconfigurations. CJ Moses, Chief Information Security Officer at Amazon Integrated Security, indicates that this shift allows adversaries to achieve similar operational goals—such as harvesting credentials and moving laterally within targeted networks—while minimizing their risk exposure and resource allocation.

Amazon’s findings reveal that hacker access predominantly exploited misconfigured edge devices hosted on AWS, rather than flaws inherent in AWS itself. Successful attacks yielded persistent access to victims’ Elastic Compute Cloud (EC2) instances running network appliance software, enabling attackers to capture sensitive data, including login credentials. This data can facilitate replay attacks, where intercepted data is utilized to gain unauthorized access to systems.

In response to these threats, Amazon notified affected customers and provided assistance in remediating compromised EC2 instances. The cloud provider also outlined immediate actions that businesses should prioritize for 2026, such as conducting thorough audits of network edge devices and ensuring robust authentication measures like multi-factor authentication.
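One concrete form the recommended audit can take is checking the security groups attached to appliance instances for management ports reachable from the whole internet. The following script is an added example, not Amazon's tooling or anything from the advisory; the input is a constructed fragment shaped like `aws ec2 describe-security-groups` JSON, and the list of management ports is an assumption chosen for illustration rather than a published baseline.

```python
"""Audit EC2 security groups for appliance management ports open to the world.

Added example.  SAMPLE_GROUPS is a constructed payload in the shape of
`aws ec2 describe-security-groups` output; MANAGEMENT_PORTS is an assumed
list of ports an edge appliance should expose only to an admin network.
"""
import ipaddress
from typing import Dict, List

# Assumed management-plane ports.  Protocol is deliberately not distinguished:
# an admin port open to 0.0.0.0/0 is a finding whether the rule says tcp or udp.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 3389: "rdp", 8443: "admin-ui"}

# Constructed sample: a VPN appliance that exposes SSH and its admin UI to
# everyone, and a router group with a permissive allow-all rule.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa111",
            "GroupName": "vpn-appliance",
            "IpPermissions": [
                {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {
            "GroupId": "sg-0bbb222",
            "GroupName": "router-mgmt",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (any prefix of length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _management_ports_in(rule: Dict) -> set:
    """Management ports covered by a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return set(MANAGEMENT_PORTS)
    lo, hi = rule["FromPort"], rule["ToPort"]
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def audit_security_groups(payload: Dict) -> List[Dict]:
    """Return one finding per (group, management port) reachable from anywhere."""
    findings = []
    for sg in payload["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [s for s in sources if _is_world(s)]
            if not world:
                continue
            for port in sorted(_management_ports_in(rule)):
                findings.append({
                    "group": sg["GroupId"], "name": sg["GroupName"],
                    "port": port, "service": MANAGEMENT_PORTS[port],
                    "sources": world,
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['service']}/{f['port']} open to {', '.join(f['sources'])}")
```

The UDP 500 rule on the VPN group is left alone because IKE is a service the appliance is meant to expose; the findings are the SSH and admin-UI ports on the same group and every management port on the router group, whose allow-all rule makes its tighter SSH rule irrelevant. In a real run, the payload would come from the AWS CLI or SDK, and the findings would be cross-referenced against whether multi-factor authentication is enforced on the affected appliances.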

Recent analysis from Bitdefender has unveiled a threat actor known as Curly COMrades, which specializes in exfiltrating data using malware capable of leveraging virtualization features within compromised Windows 10 environments. By utilizing Hyper-V to create concealed remote operating environments, these attackers evade many traditional detection mechanisms.

To counteract these sophisticated tactics, organizations must implement comprehensive network surveillance, in particular monitoring for unusual traffic patterns and using host-based network inspection to detect unusual outbound traffic originating from virtual machines.
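A host-based check of this kind can be sketched as a classifier over egress flow records captured on the physical interface. The following is an added example, not code from Bitdefender or the article; the flow records, host MAC address and egress baseline are all constructed, and both heuristics are assumptions made for illustration: a frame leaving the physical NIC whose source MAC is not the host's own suggests a guest bridged through a virtual switch, and a destination absent from the approved baseline is unusual whatever its origin.

```python
"""Flag egress flows that do not look like the host's own traffic.

Added example.  SAMPLE_FLOWS, HOST_MACS and BASELINE_DSTS are constructed.
The two heuristics (foreign source MAC, destination outside the baseline)
are assumptions for this example, not a vendor detection rule.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int


HOST_MACS: Set[str] = {"00:15:5d:01:02:03"}                    # constructed host NIC
BASELINE_DSTS: Set[str] = {"10.0.0.5", "10.0.0.53", "203.0.113.10"}  # constructed allowlist

# Constructed capture: two ordinary host flows, one flow from a MAC the host
# does not own heading to an unknown destination, and one host flow to the
# same unknown destination.
SAMPLE_FLOWS: List[Flow] = [
    Flow("00:15:5d:01:02:03", "10.0.0.20", "10.0.0.53", 53, 120),
    Flow("00:15:5d:01:02:03", "10.0.0.20", "203.0.113.10", 443, 45_000),
    Flow("00:15:5d:aa:bb:cc", "10.0.0.77", "198.51.100.9", 443, 900_000),
    Flow("00:15:5d:01:02:03", "10.0.0.20", "198.51.100.9", 8443, 3_000),
]


def classify_flows(flows: List[Flow],
                   host_macs: Set[str] = HOST_MACS,
                   baseline: Set[str] = BASELINE_DSTS) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, reasons) for every flow that trips at least one heuristic."""
    alerts = []
    for f in flows:
        reasons = []
        if f.src_mac.lower() not in host_macs:
            reasons.append("source MAC not owned by host (possible bridged guest)")
        if f.dst_ip not in baseline:
            reasons.append("destination outside egress baseline")
        if reasons:
            alerts.append((f, reasons))
    return alerts


def egress_by_source(flows: List[Flow]) -> Dict[str, int]:
    """Bytes sent per source MAC; a second heavy sender on one NIC stands out."""
    totals: Counter = Counter()
    for f in flows:
        totals[f.src_mac.lower()] += f.bytes_out
    return dict(totals)


if __name__ == "__main__":
    for flow, reasons in classify_flows(SAMPLE_FLOWS):
        print(f"{flow.src_mac} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}: " + "; ".join(reasons))
    for mac, total in egress_by_source(SAMPLE_FLOWS).items():
        print(f"{mac}: {total} bytes out")
```

The per-MAC byte totals matter as much as the individual alerts: a guest that tunnels traffic through the host contributes a large volume under an address the host's own process telemetry never attributes to any process, which is exactly the gap that makes inspection at the network layer, rather than per-process endpoint telemetry alone, worthwhile here.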

In assessing the methods employed in these malicious activities, several tactics from the MITRE ATT&CK framework are applicable, including initial access through misconfigured devices, persistence via unauthorized user credentials, and lateral movement enabled by leveraging existing network configurations. Businesses must remain vigilant and proactive in their cybersecurity posture to mitigate similar threats in the future.
