1. Forum
  2. FidoNet
  3. CONSPRCY

  • Amazon says Russian hacke

    From Mike Powell@1:2320/105 to All on Wed Dec 17 09:19:07 2025
    Amazon says Russian hackers behind major cyber campaign to target Western energy sector

    Date:
    Tue, 16 Dec 2025 17:20:00 +0000

    Description:
    For years, the GRU was snooping in critical infrastructure firms by abusing misconfigurations and zero-days, Amazon says.

    FULL STORY

    For almost half a decade, Russian state-sponsored threat actors have been abusing misconfigurations in network gear, as well as different vulnerabilities, to establish persistence in key infrastructure organizations in the west, experts have warned.

    In a new threat report (v a The Register ), CJ Moses, Chief Information Security Officer (CISO) at Amazon Integrated Security, highlighted the scale of the campaign, which has been ongoing for several years.

    "The campaign demonstrates sustained focus on Western critical
    infrastructure, particularly the energy sector, with operations spanning 2021 through the present day," Moses said.

    Hiding in plain sight

    In most cases, the threat actors are looking at enterprise routers , VPN concentrators, remote access gateways, and network management appliances.

    While they have been abusing multiple vulnerabilities, including many
    zero-day flaws, they are primarily focused on abusing misconfigurations. This is, Moses argues, because abusing misconfigurations leaves a significantly smaller footprint and as such is a lot more difficult to spot and prevent.

    Some of the edge devices being targeted are hosted as virtual appliances on AWS, the report further states, adding that the company is hard at work continually disrupting the campaigns as soon as malicious activity is
    spotted.

    Trying to attribute the campaign to a specific threat actor turned out to be somewhat challenging, but AWS has reason to believe this is a broader Main Intelligence Directorate (GRU) campaign, with multiple groups involved.

    One of the entities being linked to the attacks is called Curly COMrades, a group that has, among other things, been hiding their malware in Linux-based VMs deployed on Windows devices.

    In November this year, security researchers from Bitdefender reported Curly COMrades running remote commands to enable the microsoft-hyper-v
    virtualization feature and disable its management interface. Then, they used the feature to download a lightweight Alpine Linux-based VM containing
    multiple malware implants.

    "Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat," Moses concluded.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/amazon-says-russian-hackers-behind-majo r-cyber-campaign-to-target-western-energy-sector

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/105)