Russian hackers exploited misconfigured customer devices hosted on AWS for years, Amazon says

Skye Jacobs

Connecting the dots: A sustained cyber campaign targeting customer devices hosted on Amazon Web Services infrastructure in Western countries has been traced to Sandworm, a hacking group tied to Russia's GRU military intelligence agency, according to findings published by Amazon's threat intelligence team. The five-year operation represents a prolonged state-sponsored effort targeting cloud-connected infrastructure.

CJ Moses, Amazon's chief information security officer, confirmed the discovery in a December 15 analysis, describing the campaign as "a significant evolution in critical infrastructure targeting." Moses, who previously served as technical lead for computer and network intrusion analysis at the FBI's Cyber Division, said the attackers had "taken a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector."

The incident represents a shift in how Russian-sponsored hackers approach intrusions. Rather than relying on software vulnerabilities, the attackers sought out customer-managed cloud-connected devices left exposed through incorrect configuration – a problem that continues to plague even experienced IT teams.

After gaining a foothold, the hackers were able to conduct credential harvesting and lateral movement across the victim organizations' services and infrastructure.

The exploited systems were not necessarily unpatched or outdated. The attackers identified edge devices, such as routing equipment, gateways, and network appliances, which customers inadvertently misconfigured. These devices, which often sit between internal enterprise networks and external cloud environments, became entry points that required no zero-day exploits or advanced malware at the outset.

The Sandworm-linked actors were observed repeatedly targeting such infrastructure over multiple years, with activity dating back to at least 2021. According to Amazon's analysis, their focus has been on global infrastructure targets, with a particular emphasis on the Western energy sector, notably in North America and Europe.

Security experts say this method allows attackers to remain below detection thresholds by using legitimate network connections and credentials rather than visibly exploiting known vulnerabilities. Amazon's warning serves as a reminder that enforced configuration standards – and not just regular patching – remain vital for organizations that rely on cloud and hybrid environments for critical workloads.
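The enforced configuration standard the paragraph calls for can be expressed as a machine-checkable baseline. The following is an added example written for this article, not code from Amazon's report or from the article itself. It assumes a simple baseline for the class of misconfiguration described (management services on edge devices reachable from the public internet, or cleartext management protocols left enabled), models device configurations as constructed records, reports violations, and produces a hardened copy of each configuration that conforms to the baseline. The device names, ports, and the `10.50.0.0/16` management network are all constructed for illustration.

```python
"""Audit cloud-connected edge device configurations against a management-plane baseline.

Added example, not from the article or from Amazon. The baseline, the device
records and the management network below are constructed assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

# Ports treated as management plane under the assumed baseline.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 8443: "https-admin"}
# Cleartext management protocols: never permitted from any source under this baseline.
CLEARTEXT_PORTS = {23, 161}
# Assumed corporate management network; hardened configs restrict admin access to it.
MANAGEMENT_SOURCES = ["10.50.0.0/16"]


@dataclass
class ListenRule:
    port: int
    allowed_sources: list[str]  # CIDRs permitted to reach this port


@dataclass
class EdgeDevice:
    name: str
    rules: list[ListenRule] = field(default_factory=list)


@dataclass
class Finding:
    device: str
    port: int
    service: str
    reason: str


def source_is_public(cidr: str) -> bool:
    """True if the CIDR admits traffic from outside private address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole internet
        return True
    return not (net.is_private or net.is_loopback or net.is_link_local)


def audit(device: EdgeDevice) -> list[Finding]:
    """Return one finding per management-plane rule that violates the baseline."""
    findings = []
    for rule in device.rules:
        service = MANAGEMENT_PORTS.get(rule.port)
        if service is None:
            continue  # data-plane service (e.g. a VPN listener); out of scope here
        if rule.port in CLEARTEXT_PORTS:
            findings.append(Finding(device.name, rule.port, service,
                                    "cleartext management protocol enabled"))
            continue
        for src in rule.allowed_sources:
            if source_is_public(src):
                findings.append(Finding(device.name, rule.port, service,
                                        f"management service reachable from {src}"))
                break
    return findings


def harden(device: EdgeDevice) -> EdgeDevice:
    """Return a copy of the configuration that conforms to the baseline."""
    new_rules = []
    for rule in device.rules:
        if rule.port in CLEARTEXT_PORTS:
            continue  # drop telnet/SNMP listeners entirely
        if rule.port in MANAGEMENT_PORTS:
            new_rules.append(ListenRule(rule.port, list(MANAGEMENT_SOURCES)))
        else:
            new_rules.append(ListenRule(rule.port, list(rule.allowed_sources)))
    return EdgeDevice(device.name, new_rules)


def audit_fleet(devices: list[EdgeDevice]) -> list[Finding]:
    return [f for d in devices for f in audit(d)]


# Constructed sample fleet: one internet-exposed gateway, one router with telnet
# enabled (even though restricted), and one compliant firewall.
SAMPLE_DEVICES = [
    EdgeDevice("vpn-gw-01", [
        ListenRule(22, ["0.0.0.0/0"]),     # SSH open to the internet
        ListenRule(1194, ["0.0.0.0/0"]),   # VPN service, intended to be public
        ListenRule(8443, ["0.0.0.0/0"]),   # admin UI open to the internet
    ]),
    EdgeDevice("branch-rtr-07", [
        ListenRule(23, ["10.50.0.0/16"]),  # telnet, restricted but still cleartext
        ListenRule(22, ["10.50.0.0/16"]),  # compliant
    ]),
    EdgeDevice("dc-fw-02", [ListenRule(22, ["10.50.0.0/16"])]),
]


if __name__ == "__main__":
    for f in audit_fleet(SAMPLE_DEVICES):
        print(f"{f.device}: port {f.port} ({f.service}) - {f.reason}")
    hardened = [harden(d) for d in SAMPLE_DEVICES]
    print("findings after hardening:", len(audit_fleet(hardened)))
```

Run stand-alone it reports three findings (SSH and the admin UI on `vpn-gw-01`, telnet on `branch-rtr-07`) and none after hardening; the VPN listener on port 1194 is deliberately left public because it is a data-plane service, which is the kind of distinction a real baseline has to encode explicitly. Run on a schedule against exported configurations, a check like this turns the "enforced configuration standard" from a policy statement into a continuous control.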

Separately, Amazon has disclosed that it has identified attempts by North Korean operators to conduct large-scale cyber operations, according to comments from Amazon Chief Security Officer Steve Schmidt.

Correction (Dec 20): This article has been revised to clarify that the cyber campaign described by Amazon targeted misconfigured, customer-managed network edge devices hosted on AWS, not Amazon Web Services infrastructure itself. The updates also reflect Amazon's characterization of the activity as sustained targeting observed between 2021 and 2025, rather than continuous access, and correct attribution regarding a separate disclosure on North Korean cyber operations.

Here is an option I propose to any sensible western government: CUT off North Korea's internet, via undersea cables and power poles outside of their country, so they can't do anything about it except take you to court. Then the US uses their powerful ties and influence to deflect and ignore literally anything the court decides. HAHAHA
 
Misread the title. I thought it said "Russian hookers exploited misconfigured customer devices hosted on AWS for years"; my eyes weren't fully open.
 