Amazon says Russian-backed threat groups were responsible for five-year-long attacks on edge devices – and it shows a ‘clear evolution in tactics’
Amazon Threat Intelligence says state-backed actors are focusing on misconfigured devices, with a decline in vulnerability exploitation
Russian-backed hacker groups are exploiting misconfigured edge devices – now preferring that tactic over hunting down traditional vulnerabilities to gain access to company networks.
That's according to an end-of-year report by Amazon Threat Intelligence, which included details of a nearly five-year-long campaign by Russian state-sponsored hackers that AWS said marked a pivot in tactics.
Now, the primary initial access vector has become misconfigured customer network edge devices, according to AWS Security CISO CJ Moses, with a decline in traditional vulnerability exploitation.
"This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure," Moses noted in a post on the AWS security blog.
Amazon isn't the first to spot a shift to edge devices. Sophos noted in April that edge devices like firewalls and routers were the main initial attack vector for 30% of incidents last year, while governmental security agencies issued guidance about vulnerabilities in edge devices back in February.
Last year, Fortinet's FortiGate edge devices were exploited by China-backed hackers, and the FBI warned that Ubiquiti EdgeRouters were targeted via a wide-ranging hacking campaign.
How the edge campaign unfolded
According to Amazon, hackers targeted enterprise routers, VPN concentrators and remote access gateways, network management appliances, and cloud-based project management systems, as well as collaboration and wiki platforms.
Moses said the evidence suggested that the hackers were using packet capture and traffic analysis to target network edge devices. This involves attackers compromising an edge device hosted on AWS, capturing packets to harvest credentials, and then using those to penetrate an organization's services or infrastructure, gaining access to wider systems.
AWS telemetry suggested the attackers maintained persistent connections, allowing for data to be stolen.
"Targeting the 'low-hanging fruit' of likely misconfigured customer devices with exposed management interfaces achieves the same strategic objectives [as vulnerability exploitation], which is persistent access to critical infrastructure networks and credential harvesting for accessing victim organizations’ online services," Moses added.
Notably, the company revealed those attacks included customer network edge devices hosted on AWS.
"This was not due to a weakness in AWS; these appear to be customer misconfigured devices. Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software," Moses noted.
That said, AWS did take action. For example, the cloud giant notified affected customers that they were compromised, fixed compromised EC2 instances, and alerted network appliance vendors.
"Through coordinated efforts, since our discovery of this activity, we have disrupted active threat actor operations and reduced the attack surface available to this threat activity subcluster," Moses added.
To protect against this style of attack, organizations must secure and monitor their edge devices, Moses advised, keeping watch for unexpected packet capture files or utilities and enforcing strong authentication – in particular those working in the energy sector or critical national infrastructure.
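The two detection points Moses describes (unexpected packet capture files or utilities on an appliance, and persistent sessions from actor-controlled addresses to exposed management interfaces) can be turned into simple checks. The script below is an added illustration, not code from the article or from AWS: it parses constructed process-execution lines in a `host=... user=... cmd=...` format and constructed VPC Flow Logs v2 records, flags capture tooling and capture-file writes, and flags untrusted sources that hold management-port sessions for an hour or more. The management ports, the trusted admin network and the sample data are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Utilities and file extensions commonly associated with packet capture.
CAPTURE_UTILITIES = {"tcpdump", "tshark", "dumpcap", "tcpflow", "snoop"}
CAPTURE_FILE_RE = re.compile(r"\S+\.(?:pcap|pcapng|cap)\b", re.IGNORECASE)

# Assumed appliance management ports and trusted admin network (not from the article).
MANAGEMENT_PORTS = {22, 443, 8443}
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample process events from two hypothetical edge appliances.
SAMPLE_PROCESS_EVENTS = [
    "host=edge-gw-1 user=admin cmd=tcpdump -i eth0 -w /var/tmp/.cache/eth0.pcap",
    "host=edge-gw-1 user=admin cmd=ls -la /var/tmp",
    "host=edge-gw-2 user=svc cmd=python3 collect.py --out /tmp/session.pcapng",
    "host=edge-gw-2 user=root cmd=systemctl restart sshd",
]

# Constructed VPC Flow Logs v2 records (14 space-separated fields):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_RECORDS = [
    "2 123456789012 eni-0abc 203.0.113.45 10.20.0.5 51234 443 6 120 9000 1700000000 1700003600 ACCEPT OK",
    "2 123456789012 eni-0abc 203.0.113.45 10.20.0.5 51234 443 6 130 9500 1700003600 1700007200 ACCEPT OK",
    "2 123456789012 eni-0abc 10.0.4.7 10.20.0.5 40000 443 6 50 4000 1700000000 1700000300 ACCEPT OK",
    "2 123456789012 eni-0abc 198.51.100.9 10.20.0.5 60000 80 6 10 800 1700000000 1700000005 ACCEPT OK",
]


def parse_process_event(line):
    """Parse a 'host=... user=... cmd=...' line (constructed format) into a dict."""
    m = re.match(r"host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line)
    if not m:
        return None
    return {"host": m.group(1), "user": m.group(2), "cmd": m.group(3)}


def find_capture_activity(lines):
    """Return (host, user, reasons) for events that launch a capture utility
    or reference a capture file anywhere on the command line."""
    findings = []
    for line in lines:
        ev = parse_process_event(line)
        if ev is None:
            continue
        argv = ev["cmd"].split()
        reasons = []
        if argv and argv[0].rsplit("/", 1)[-1] in CAPTURE_UTILITIES:
            reasons.append("capture utility: " + argv[0])
        for path in CAPTURE_FILE_RE.findall(ev["cmd"]):
            reasons.append("capture file: " + path)
        if reasons:
            findings.append((ev["host"], ev["user"], reasons))
    return findings


def parse_flow_record(line):
    """Parse one VPC Flow Logs v2 record; return None for anything else."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]),
            "start": int(f[10]), "end": int(f[11]), "action": f[12]}


def is_trusted(addr):
    """True if the source address lies inside an assumed admin network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADMIN_NETWORKS)


def find_persistent_sessions(lines, min_seconds=3600):
    """Return (src, dst, dport, span_seconds) for untrusted sources whose
    accepted flows to a management port span at least min_seconds."""
    spans = defaultdict(lambda: [None, None])
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dport"] not in MANAGEMENT_PORTS or is_trusted(rec["src"]):
            continue
        span = spans[(rec["src"], rec["dst"], rec["dport"])]
        span[0] = rec["start"] if span[0] is None else min(span[0], rec["start"])
        span[1] = rec["end"] if span[1] is None else max(span[1], rec["end"])
    return [(src, dst, port, end - start)
            for (src, dst, port), (start, end) in spans.items()
            if end - start >= min_seconds]


if __name__ == "__main__":
    for host, user, reasons in find_capture_activity(SAMPLE_PROCESS_EVENTS):
        print(f"[capture] {host} ({user}): {'; '.join(reasons)}")
    for src, dst, port, secs in find_persistent_sessions(SAMPLE_FLOW_RECORDS):
        print(f"[persistent] {src} -> {dst}:{port} held for {secs}s")
```

On the sample data the first check flags both a direct `tcpdump` invocation and a script writing a `.pcapng` file, and the second flags only the external address that keeps a two-hour session open to port 443; the internal admin host and the non-management port are ignored. In practice the trusted networks would be the actual jump hosts or VPN ranges allowed to reach management interfaces, and anything outside them reaching those ports at all is worth reviewing, not just long-lived sessions.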
A 'clear evolution in tactics'
This particular string of attacks dates back to 2021 and appears to be associated with Russia's Main Intelligence Directorate, Moses said.
The campaign focused primarily on critical national infrastructure in the West, targeting the energy sector and its supply chain in particular.
Moses traced a timeline back to 2021's WatchGuard exploitation, saying that's when Amazon first spotted the hackers targeting misconfigured devices.
That continued over the next few years, with misconfigured devices targeted alongside exploits such as the Confluence and Veeam flaws, but by 2025 the hackers' success against edge devices had pushed that approach to centre stage while zero-day exploitation activity declined.
"The campaign demonstrates a clear evolution in tactics," Moses said.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.
