For several years, Russia’s Main Intelligence Directorate (GRU) has conducted a large-scale cyber espionage campaign targeting the energy infrastructure of Western countries. This conclusion was reached by Amazon Web Services in a new report from its Threat Analysis Group, as reported by The Cyber Express.
Analysts attribute this activity to the Sandworm group, also known as APT44, which the company assesses as closely linked to the Russian GRU. The report states that the attacks have been ongoing since at least 2021 and continue to the present.
AWS’s investigation found that initial access to victim systems was not achieved through vulnerabilities in the cloud platform itself, but rather through misconfigured client devices. These included network edge and virtual devices that organizations had not adequately secured. These configuration errors became the key entry points for the attacks.
The goal of the campaign was to steal credentials and maintain long-term covert access to victim systems. This was done by compromising third-party network device software, including devices running on Amazon Elastic Compute Cloud (EC2). The stolen credentials allowed the attackers to expand their access, move laterally within networks, and escalate privileges, especially in the environments of critical infrastructure operators.
AWS noted that the GRU-linked group used tactics, techniques, and procedures (TTPs) consistent with previous Sandworm operations. These included exploiting client-side configuration errors for initial access, establishing persistent network connections to attacker-controlled IP addresses, and systematically collecting credentials as the ultimate objective of the attacks.
Analysis of the infrastructure used in these operations revealed overlaps with previously known Sandworm campaigns, including the destructive attacks on Ukraine’s energy system in 2015 and 2016. This allowed AWS to link the current espionage activity to the group with high confidence. Further confirmation came from recent findings by Cyble, whose experts discovered sophisticated backdoors in security systems, with methods reminiscent of the Sandworm group.
The report emphasizes a focus on the global supply chain of the energy sector. Targets included power companies, energy suppliers, and managed security service providers serving energy operators, as well as technology and cloud platforms used to manage critical infrastructure. Additionally, attacks affected telecommunications operators in various regions.
According to AWS, the operations were global in scope, covering North America, Western and Eastern Europe, and the Middle East. Analysts note that this indicates a strategic objective of securing access to the operational technology (OT) and corporate networks that control electricity distribution and energy flows in NATO countries and their allies.