Amazon has said Russian state-linked hackers carried out a previously unseen, unusually quiet multi-year campaign against Amazon Web Services and some customer environments, providing further proof that misconfigured edge devices can undermine even the most secure cloud platforms. The operation is said to be the work of Sandworm, a unit long believed by Western governments to be directed by Russia’s military intelligence agency.
What Amazon disclosed about the Sandworm AWS campaign
In a technical update from Amazon Threat Intelligence, the company detailed a prolonged campaign that aimed its sights on critical infrastructure in the West, focusing primarily on energy companies and providers that were using cloud-hosted network solutions. The activity was tied to Sandworm because of overlapping infrastructure, tooling, and tradecraft.
According to the Amazon team, these attackers targeted “low-hanging fruit” on customer networks: rather than relying on classic vulnerability exploitation, they established initial access by abusing insufficiently configured network edge devices. That tactical shift gave them persistent access even as known software flaws were patched, sustaining the campaign for the better part of five years.
Compromised resources were “remediated” and those affected were notified, Amazon said. The activity underscores the realities of the cloud’s shared responsibility model — AWS is responsible for securing the cloud, while customers are responsible for everything they put in it — including how devices and identities connect to cloud services.
How the intrusions worked across AWS and edge devices
The attackers were said to have preyed on exposed or poorly configured devices at the edge of a network — remote access gateways, VPN concentrators, and firewalls with internet-facing management interfaces, for example. Typical vulnerabilities include passwords not being changed or default passwords being used, unused accounts, and open services without access controls.
Once they gained access, operators used legitimate credentials and cloud-native functionality to burrow in and hide, tactics the MITRE ATT&CK framework classifies as valid account abuse and living off the land. This approach avoids the noise of an exploit and makes detection more difficult, particularly when logging is sparse or poorly maintained.
Security researchers from Mandiant, Microsoft, and CISA have all repeatedly warned this year that misconfigured edge devices are among the most common initial access vectors of state-sponsored actors. Amazon’s account confirms those conclusions, and underscores how attackers are starting to chain vulnerabilities across on-premises gear and cloud control planes.
Critical infrastructure in the crosshairs of Sandworm
Cloud is essential for analytics, remote operations, and third-party services used by energy companies and infrastructure providers. AWS, which has the biggest share of the global cloud infrastructure market, hosts millions of customer workloads, providing a target-rich environment for attackers who seek strategic access.
“Sandworm’s long history of disruptive operations includes attempts to harm both the industrial and political processes in a number of countries,” said John Hultquist, who leads FireEye’s intelligence analysis team.
Sandworm has previously been accused by multiple governments of conducting disruptive campaigns against industrial and government targets, including a 2016 attack on Ukrainian power grids as well as the landmark NotPetya outbreak, which was attributed by multiple governments to Russia. The emphasis on Western energy and related industries in this campaign is in keeping with those previous aims, even if the most recent activity prioritizes persistence and access over immediate disruption.
What customers and Amazon should do to reduce this risk
Amazon says it took down attacker-controlled resources in the cloud, rotated credentials, and notified impacted users directly. But the company’s guidance underlines that robust defense has to begin at the edge. Businesses should:
- Catalog and lock down all devices that connect to the internet
- Turn off public-facing management interfaces
- Rely on strong authentication
- Keep firmware and software up to date
It is important to enable full-stack telemetry on AWS:
- CloudTrail — API activity logging
- GuardDuty — threat detection
- VPC Flow Logs — network visibility
- Security Hub and AWS Config — continuous compliance
Additional best practices include:
- Least-privilege IAM
- Hardware security keys for MFA
- Short-lived credentials
- Tight segmentation between cloud accounts and environments to minimize blast radius
Amazon suggests infrastructure operators maintain comprehensive logs of network devices, including changes made to them; monitor for evidence of external exposure; and respond with an “algorithmic playbook” covering revocation of identity, rotation of keys or certificates, and known-good rebuilds, as appropriate. Tabletop exercises emulating cloud-plus-edge attack chains can help verify controls under stress.
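The telemetry and playbook items above come together when CloudTrail records are actually triaged for the valid-account abuse described earlier in the article. The script below is an added example, not Amazon's code; it runs three detections over constructed CloudTrail-style records (long-lived access keys used from outside a trusted network, IAM actions that grant persistence, and console logins that succeeded without MFA) and maps each finding to a revocation or rotation step. The trusted network range, the list of identity-changing actions and the playbook wording are assumptions; the record field names follow CloudTrail's schema.

```python
"""Triage constructed CloudTrail records for valid-account abuse.
Added example; sample events, trusted ranges and playbook text are constructed."""
import ipaddress

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress

# Assumed selection of IAM actions that create or widen identity access.
IDENTITY_CHANGE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}

# Response step per rule, in the spirit of the "algorithmic playbook" (constructed wording).
PLAYBOOK = {
    "untrusted-network-key-use": "revoke active sessions, rotate the access key, confirm edge egress",
    "identity-change": "review and revert the grant, revoke the issuing identity's keys",
    "console-login-no-mfa": "disable the login profile, enforce hardware MFA, reset the password",
}

# Constructed records; field names match CloudTrail, values are fictitious.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-svc",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-svc",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-svc",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/backup-admin"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def from_trusted_network(ip_text):
    """True if the source address falls inside an allowlisted range.
    Non-IP values (e.g. AWS service names) are treated as untrusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def _finding(rule, principal, event, detail):
    return {"rule": rule, "principal": principal, "event": event["eventName"],
            "source_ip": event.get("sourceIPAddress", ""), "detail": detail,
            "playbook": PLAYBOOK[rule]}


def triage_event(event):
    """Apply all rules to one record and return zero or more findings."""
    identity = event.get("userIdentity", {})
    principal = identity.get("arn", "<unknown>")
    key = identity.get("accessKeyId", "")
    source_ip = event.get("sourceIPAddress", "")
    findings = []

    # Rule 1: a long-lived key (AKIA prefix) used from outside the trusted network.
    if key.startswith("AKIA") and not from_trusted_network(source_ip):
        findings.append(_finding("untrusted-network-key-use", principal, event,
                                 f"key {key} used from {source_ip}"))

    # Rule 2: an IAM action that mints credentials or widens access.
    if event.get("eventName") in IDENTITY_CHANGE_ACTIONS:
        params = event.get("requestParameters", {})
        target = params.get("userName") or params.get("roleName") or "<unknown>"
        findings.append(_finding("identity-change", principal, event, f"target {target}"))

    # Rule 3: a successful console login with MFA not used.
    if (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        findings.append(_finding("console-login-no-mfa", principal, event, "MFAUsed=No"))
    return findings


def triage(events):
    return [f for event in events for f in triage_event(event)]


def principals_to_revoke(findings):
    """Distinct identities touched by any finding, in sorted order."""
    return sorted({f["principal"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['principal']} {f['event']} from {f['source_ip']}: "
              f"{f['detail']} -> {f['playbook']}")
```

On the constructed records the first event is benign and the remaining three produce four findings; in a real pipeline the events would come from CloudTrail delivered to S3 or CloudWatch Logs, and the trusted-network list from the organisation's known egress addresses.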
The bigger picture for cloud security and shared responsibility
Anticipate continued focus from national cybersecurity agencies (such as CISA, the UK’s NCSC, and ENISA) issuing advisory guidance on state-aligned threats to cloud-dependent infrastructure. At this stage in the campaign timeline, we believe it is likely that more victim notifications and indicators of compromise (IOCs) will surface as researchers and incident responders continue to shake loose attacker infrastructure.
The lesson is stark: as cloud providers continue to ratchet up security, adversaries will keep entering through an unintended gap, a side door left ajar by misconfiguration. Securing identity, defining the perimeter, and instrumenting for visibility across hybrid environments are table stakes today, for energy operators and for any enterprise operating on AWS.