Categories: Threat Intelligence

Amazon Alerts: Russia’s Sandworm Changes Its Tactics

Targeting Critical Infrastructure: A Closer Look at Russian Cyber Threats

In recent years, the functionality and security of critical infrastructure have been increasingly threatened by sophisticated cyber operations. Notably, attackers linked to Russia’s Main Intelligence Directorate (GRU) have concentrated on Western critical infrastructure, especially within the energy sector. This ongoing campaign, detailed in a report by Amazon Threat Intelligence, traces back to 2021 and has undergone notable shifts in tactics over its course.

Evolving Tactics: From Vulnerability Exploitation to Misconfiguration

Initially, these cyber operations leaned heavily on exploiting vulnerabilities within systems. From 2021 to 2024 the attackers used a range of strategies targeting known vulnerabilities, including specific exploits such as CVE-2022-26318, a serious issue affecting WatchGuard, and several vulnerabilities impacting Confluence and Veeam.

However, as of earlier this year, a critical change was observed. The GRU-affiliated threat group transitioned away from vulnerability exploitation toward a strategy centered on misconfigured network edge devices hosted on Amazon Web Services (AWS). CJ Moses, CISO of Amazon Integrated Security, pointed out that this shift allows for a more streamlined approach, significantly lowering the operational costs associated with their attacks while maintaining similar strategic objectives.

Compromised Devices: The Gateway to Network Intrusions

The attackers typically initiate intrusions through compromised network edge devices. This includes enterprise routers, virtual private networks (VPNs), remote-access gateways, and other critical networking appliances, all of which depend on correct configuration by the customers who deploy them. Amazon emphasizes that the issue lies not within its infrastructure but with the misconfiguration of devices by customers.

Once the attackers gain access to these devices, they focus on capturing data and credentials traversing the compromised networks. This tactic facilitates further intrusions into the victim organizations, potentially compromising additional infrastructure and services.

Impact on the Energy Sector and Beyond

The primary focus of these cyber assaults has been the energy industry, specifically electric utilities and energy providers. However, the scope of targeted sectors has broadened, encompassing managed security service providers, collaboration platforms, source code repositories, and cloud-based infrastructure across North America and Europe. Telecom providers, vital for communication and connectivity, have also found themselves in the crosshairs.

Amazon’s report indicates a significant degree of overlap between the infrastructure used by these attackers and operations associated with Sandworm, also tracked as APT44 and Seashell Blizzard. This overlap strengthens the attribution of these malicious activities to Russia’s GRU.

A Notorious Threat Actor: The Legacy of Sandworm

The Sandworm group has earned its reputation as one of the most notorious state-sponsored cyber threat actors of the last decade. Its operations have been characterized by targeting sectors critical to national security, including government, defense, and civil society organizations. Additionally, Sandworm has repeatedly sought to disrupt electoral systems in NATO member states and has left a mark on Ukraine’s energy distribution networks through successful cyberattacks.

Conclusion: A Growing Cyber Threat Landscape

As this ongoing cyber campaign unfolds, it highlights the urgent need for heightened vigilance and robust security measures among the organizations that form the backbone of critical infrastructure. With the shift in tactics from exploiting software vulnerabilities to abusing customer misconfigurations, there is a pressing call for improved security practices and for education around misconfiguration risks. Understanding these nuances can empower organizations to better defend themselves against the evolving landscape of cyber threats.


By Matt Kapko
Matt Kapko is a reporter at CyberScoop, specializing in topics encompassing cybercrime, ransomware, and vulnerability management. With a journalism and history degree from Humboldt State University, Matt has contributed to various publications including Cybersecurity Dive and CIO.

Published by James
