TZUTC: -0500
MSGID: 1845.consprcy@1:2320/105 2da7f910
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Amazon says Russian hackers behind major cyber campaign to target Western
energy sector

Date:
Tue, 16 Dec 2025 17:20:00 +0000

Description:
For years, the GRU was snooping in critical infrastructure firms by abusing
misconfigurations and zero-days, Amazon says.

FULL STORY

For almost half a decade, Russian state-sponsored threat actors have been
abusing misconfigurations in network gear, as well as different
vulnerabilities, to establish persistence in key infrastructure organizations
in the west, experts have warned. 

In a new threat report (v a The Register ), CJ Moses, Chief Information
Security Officer (CISO) at Amazon Integrated Security,  highlighted the scale
of the campaign, which has been ongoing for several years. 

"The campaign demonstrates sustained focus on Western critical 
infrastructure, particularly the energy sector, with operations spanning 2021
through the present day," Moses said.

Hiding in plain sight 

In most cases, the threat actors are looking at enterprise routers , VPN
concentrators, remote access gateways, and network management appliances. 

While they have been abusing multiple vulnerabilities, including many 
zero-day flaws, they are primarily focused on abusing misconfigurations. This
is, Moses argues, because abusing misconfigurations leaves a significantly
smaller footprint and as such is a lot more difficult to spot and prevent. 

Some of the edge devices being targeted are hosted as virtual appliances on
AWS, the report further states, adding that the company is hard at work
continually disrupting the campaigns as soon as malicious activity is 
spotted. 

Trying to attribute the campaign to a specific threat actor turned out to be
somewhat challenging, but AWS has reason to believe this is a broader Main
Intelligence Directorate (GRU) campaign, with multiple groups involved. 

One of the entities being linked to the attacks is called Curly COMrades, a
group that has, among other things, been hiding their malware in Linux-based
VMs deployed on Windows devices. 

In November this year, security researchers from Bitdefender reported Curly
COMrades running remote commands to enable the microsoft-hyper-v
virtualization feature and disable its management interface. Then, they used
the feature to download a lightweight Alpine Linux-based VM containing
multiple malware implants. 

"Going into 2026, organizations must prioritize securing their network edge
devices and monitoring for credential replay attacks to defend against this
persistent threat," Moses concluded. 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/amazon-says-russian-hackers-behind-majo
r-cyber-campaign-to-target-western-energy-sector

$$
--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426