- AWS says Russian GRU-affiliated groups spent years exploiting misconfigured edge devices to persist in Western critical infrastructure
- Activity overlaps with Curly COMrades, whose tool abuses Hyper-V and Linux VMs for stealth persistence
- Amazon urges edge device auditing, credential checking, and monitoring for suspicious admin portal access
For nearly half a decade, Russian state-sponsored threat actors have exploited misconfigurations in network equipment, as well as various vulnerabilities, to establish persistence in key infrastructure organizations in the West, experts have warned.
In a new threat report (via The Register), CJ Moses, Chief Information Security Officer (CISO) at Amazon Integrated Security, highlighted the scale of the campaign, which has been ongoing for several years.
“The campaign demonstrates sustained focus on Western critical infrastructure, particularly the energy sector, with operations extending from 2021 to the present,” Moses said.
Hiding in plain sight
In most cases, the threat actors are looking at corporate routers, VPN concentrators, remote access gateways and network management appliances.
While they have exploited numerous vulnerabilities, including many zero-day bugs, they are primarily focused on exploiting misconfigurations. This is, Moses argues, because abusing a misconfiguration leaves a significantly smaller footprint than exploiting a vulnerability, and as such is much harder to spot and prevent.
Some of the targeted edge devices are hosted as virtual appliances on AWS, the report further states, adding that the company is working hard to “continuously disrupt” the campaigns as soon as malicious activity is detected.
Trying to attribute the campaign to a specific threat actor proved somewhat challenging, but AWS has reason to believe this is a broader Main Intelligence Directorate (GRU) campaign, with multiple groups involved.
One of the entities linked to the attacks is called Curly COMrades, a group that, among other things, has hidden its malware in Linux-based VMs installed on Windows devices.
In November of this year, Bitdefender security researchers reported that Curly COMrades runs remote commands to enable the Microsoft Hyper-V virtualization feature and disable its management interface. The group then uses the feature to download a lightweight Alpine Linux-based VM containing several malware implants.
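The Hyper-V abuse described above leaves a visible trace in process-creation telemetry: the virtualization feature is switched on while its management tooling is switched off, typically on a workstation that has no business running VMs. The following detector is an added example, not code from the article, Bitdefender or AWS. It assumes a hypothetical flat `key=value` export of process-creation events (Sysmon or EDR exports would need the regex adapted) and uses the real Windows optional feature names `Microsoft-Hyper-V` and `Microsoft-Hyper-V-Management-Clients`; the host names, users and timestamps are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). The line
# format is an assumption for this example; adapt EVENT_RE to your export.
SAMPLE_EVENTS = """
2025-11-04T09:12:01Z host=WS-FIN-07 user=CORP\\jdoe cmd="dism.exe /Online /Enable-Feature /FeatureName:Microsoft-Hyper-V /All /NoRestart"
2025-11-04T09:12:09Z host=WS-FIN-07 user=CORP\\jdoe cmd="dism.exe /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-Management-Clients"
2025-11-04T10:30:00Z host=LAB-HV-01 user=CORP\\svc-lab cmd="powershell.exe Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V"
2025-11-04T11:00:00Z host=WS-FIN-07 user=CORP\\jdoe cmd="notepad.exe report.txt"
""".strip().splitlines()

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')
# Matches the feature name after "/FeatureName:" (DISM) or "-FeatureName " (PowerShell).
FEATURE_RE = re.compile(r'featurename[:\s]+(?P<name>microsoft-hyper-v[\w-]*)', re.IGNORECASE)


@dataclass
class FeatureChange:
    ts: datetime
    host: str
    user: str
    action: str    # "enable" or "disable"
    feature: str   # lower-cased Windows optional feature name
    cmd: str


def parse_feature_changes(lines):
    """Extract Hyper-V related enable/disable feature commands from event lines."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"]
        low = cmd.lower()
        f = FEATURE_RE.search(cmd)
        if not f:
            continue
        if "/enable-feature" in low or "enable-windowsoptionalfeature" in low:
            action = "enable"
        elif "/disable-feature" in low or "disable-windowsoptionalfeature" in low:
            action = "disable"
        else:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(FeatureChange(ts, m["host"], m["user"], action, f["name"].lower(), cmd))
    return out


def detect(lines, allowed_hosts=frozenset(), window=timedelta(minutes=30)):
    """Return findings for Hyper-V enablement on hosts that should not run VMs,
    and for the enable-Hyper-V / disable-management pairing within `window`."""
    changes = parse_feature_changes(lines)
    findings = []
    for e in changes:
        if e.action != "enable" or e.feature != "microsoft-hyper-v":
            continue
        if e.host not in allowed_hosts:
            findings.append({"rule": "hyperv-enabled-on-unexpected-host",
                             "host": e.host, "user": e.user, "ts": e.ts.isoformat()})
        for d in changes:
            if (d.host == e.host and d.action == "disable"
                    and d.feature.startswith("microsoft-hyper-v-management")
                    and abs(d.ts - e.ts) <= window):
                findings.append({"rule": "hyperv-enabled-management-disabled",
                                 "host": e.host, "user": e.user, "ts": e.ts.isoformat(),
                                 "disable_cmd": d.cmd})
    return findings


if __name__ == "__main__":
    # LAB-HV-01 is a sanctioned virtualization host in this constructed scenario.
    for finding in detect(SAMPLE_EVENTS, allowed_hosts={"LAB-HV-01"}):
        print(finding)
```

The allowlist matters: enabling Hyper-V is routine on lab and developer machines, so the unexpected-host rule is only as good as the inventory behind `allowed_hosts`, whereas the paired enable/disable rule is rare enough in normal administration to stand on its own.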
“Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat,” concluded Moses.
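Credential replay against an edge device admin portal tends to show up as a known account succeeding from a source address that account has never used, often within minutes of a login from its usual address. The script below is an added example written for this article, not AWS or TechRadar code. It assumes a hypothetical `key=value` authentication log from an edge appliance and constructs a baseline of known source IPs per account from an initial period; the portal names, accounts and RFC 5737 documentation addresses are constructed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample admin-portal authentication log (hypothetical format).
SAMPLE_AUTH = """
2025-11-01T07:55:00Z portal=vpn-gw-01 user=admin src=203.0.113.10 result=success
2025-11-02T08:01:00Z portal=vpn-gw-01 user=admin src=203.0.113.10 result=success
2025-11-02T08:30:00Z portal=vpn-gw-01 user=ops src=198.51.100.7 result=success
2025-11-05T08:00:12Z portal=vpn-gw-01 user=admin src=203.0.113.10 result=success
2025-11-05T08:04:40Z portal=vpn-gw-01 user=admin src=192.0.2.55 result=success
2025-11-05T09:30:00Z portal=vpn-gw-01 user=ops src=198.51.100.7 result=success
2025-11-05T09:31:00Z portal=vpn-gw-01 user=ops src=192.0.2.55 result=failure
2025-11-05T13:00:00Z portal=vpn-gw-01 user=ops src=192.0.2.99 result=success
""".strip().splitlines()

AUTH_RE = re.compile(
    r'^(?P<ts>\S+) portal=(?P<portal>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$')


@dataclass
class AuthEvent:
    ts: datetime
    portal: str
    user: str
    src: str
    result: str


def parse_auth(lines):
    """Parse the constructed log format into AuthEvent records, skipping junk lines."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                                    m["portal"], m["user"], m["src"], m["result"]))
    return sorted(events, key=lambda e: e.ts)


def detect_replay(lines, baseline_until, window=timedelta(minutes=10)):
    """Flag successful logins from a source the account never used during the baseline.
    Severity is raised to 'high' when the same account was active from a different
    source within `window`, the pattern a replayed credential produces."""
    known = defaultdict(set)   # user -> source IPs seen during the baseline period
    last_success = {}          # user -> (ts, src) of the most recent success
    findings = []
    for e in parse_auth(lines):
        if e.result != "success":
            continue
        if e.ts <= baseline_until:
            known[e.user].add(e.src)
        elif e.src not in known[e.user]:
            severity = "medium"
            prev = last_success.get(e.user)
            if prev and prev[1] != e.src and e.ts - prev[0] <= window:
                severity = "high"
            findings.append({"severity": severity, "portal": e.portal, "user": e.user,
                             "src": e.src, "ts": e.ts.isoformat()})
        last_success[e.user] = (e.ts, e.src)
    return findings


if __name__ == "__main__":
    for f in detect_replay(SAMPLE_AUTH, baseline_until=datetime(2025, 11, 4)):
        print(f)
```

A static baseline is deliberately simple; in production the known-source set would be rebuilt on a rolling window and fed from the appliance's own audit log, and the failure on line seven is worth keeping in view even though this rule ignores it, since a failed attempt from an address that later succeeds for another account is its own signal.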