👤 WHITEHAWK
🗓️ 16 Dec 2025   🌍 Europe

Inside the Kremlin’s Cloud: How Russian Hackers Quietly Raided Western Energy Networks

Amazon unmasks a sophisticated, years-long GRU cyber campaign that exploited the digital edge of Western critical infrastructure.

When most people think of cyber warfare, they picture dramatic zero-day exploits or flashy ransomware attacks. But as Amazon’s threat intelligence team has revealed, some of the most dangerous state-backed operations are far more subtle - and much harder to stop. For years, a Russian military cyber unit quietly infiltrated the backbone of Western energy and cloud infrastructure, using a blend of cunning, patience, and opportunism that left even the most advanced defenses exposed.

Fast Facts

  • Russian GRU-linked hackers (APT44, aka Sandworm) targeted Western energy and cloud services from 2021–2025.
  • Attackers exploited misconfigured network edge devices more than classic software vulnerabilities.
  • Credential harvesting and replay attacks aimed to breach deeper into critical infrastructure.
  • Amazon traced persistent, interactive access to compromised cloud-hosted devices.
  • Victims included energy, cloud, and telecom providers across North America, Europe, and the Middle East.

How the GRU Slipped Past the Gates

The campaign, which Amazon attributes to the notorious Russian APT44 group (also known as Sandworm or FROZENBARENTS), marks a chilling evolution in cyber espionage. Rather than relying on headline-grabbing zero-days, the attackers focused on finding and exploiting misconfigured network edge devices - think enterprise routers, VPN gateways, and remote access appliances. Over the years, their tactics shifted away from burning new vulnerabilities and towards quietly hijacking devices that were left exposed by their owners’ oversight.

Between 2021 and 2025, the group cycled through a handful of high-profile vulnerabilities - such as flaws in WatchGuard Firebox, Atlassian Confluence, and Veeam software - but their bread and butter was the exploitation of poorly secured edge devices, often hosted on Amazon’s own cloud infrastructure. Once inside, the hackers used built-in packet capture tools to siphon off sensitive credentials from network traffic, then replayed those credentials to move laterally into more valuable systems.

Amazon’s telemetry showed attacker-controlled IPs establishing persistent, interactive connections to compromised cloud instances. The evidence points to a campaign designed for stealth and scale: rather than smash-and-grab, the GRU methodically harvested credentials and waited for the perfect moment to strike deeper into victim networks. Their targets were not just energy companies, but also the third-party service providers and cloud platforms that underpin the entire sector’s digital supply chain.

Interestingly, Amazon’s investigation found overlaps with another Russian-aligned cluster, hinting at a sophisticated division of labor - one team specializing in network access, another in maintaining persistence and evading detection. This mirrors Russia’s broader cyber playbook, where specialized subgroups collaborate under the radar to pursue strategic objectives.

What’s Next for Defenders?

Amazon has already notified affected customers and disrupted some active operations, but the warnings are clear: organizations must audit their network edge devices for unauthorized packet capture tools, enforce strong authentication, and monitor for credential replay attempts from unusual locations. As cyber adversaries adapt, defenders must be just as nimble - because in this quiet war at the network edge, even a single misconfiguration can open the door to disaster.
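As an added example (not from the article, and not code from Amazon's reporting), the following Python monitor implements the last of those recommendations: it reads authentication events, flags any successful login from outside the user's trusted networks, and raises the severity when that login lands within minutes of a success from a trusted location, which is the footprint a credential captured on the wire and replayed would leave. The log format, the per-user trusted networks and the sample log lines are all constructed assumptions for the demonstration.

```python
"""Flag credential use from unusual locations in authentication logs.

Added example. The log line format, the trusted networks and the sample
events below are constructed for this demonstration; adapt the parser to
your own gateway or identity-provider logs.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, source IP, outcome.
SAMPLE_AUTH_LOG = """\
2025-12-01T08:02:11Z user=ops-admin src=10.20.1.15 result=success
2025-12-01T08:03:40Z user=ops-admin src=10.20.1.15 result=success
2025-12-01T08:05:02Z user=ops-admin src=198.51.100.77 result=success
2025-12-01T09:10:00Z user=scada-ro src=10.20.2.9 result=success
2025-12-01T09:12:00Z user=scada-ro src=10.20.2.9 result=failure
2025-12-02T14:00:00Z user=ops-admin src=203.0.113.5 result=success
"""

# Hypothetical per-user trusted networks (management subnets, jump hosts).
# A real deployment derives these from its own inventory.
TRUSTED_NETS = {
    "ops-admin": [ipaddress.ip_network("10.20.1.0/24")],
    "scada-ro": [ipaddress.ip_network("10.20.2.0/24")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": ipaddress.ip_address(m["src"]),
        "result": m["result"],
    }


def is_trusted(user, src):
    """True if the source address falls inside one of the user's trusted networks."""
    return any(src in net for net in TRUSTED_NETS.get(user, []))


def find_replay_candidates(log_text, window=timedelta(minutes=10)):
    """Return alerts for successful logins from outside a user's trusted networks.

    Severity is "high" when the untrusted success follows a trusted success for
    the same user within `window`; a credential that was just used legitimately
    and then reappears from elsewhere is the shape a replayed credential takes.
    Otherwise the alert is "medium": still worth review, less tightly correlated.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_trusted_success = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue  # failures are noise for this check; a brute-force rule would handle them
        if is_trusted(e["user"], e["src"]):
            last_trusted_success[e["user"]] = e["ts"]
            continue
        prior = last_trusted_success.get(e["user"])
        severity = "high" if prior and e["ts"] - prior <= window else "medium"
        alerts.append({
            "user": e["user"],
            "src": str(e["src"]),
            "ts": e["ts"].isoformat(),
            "severity": severity,
            "prior_trusted_success": prior.isoformat() if prior else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_replay_candidates(SAMPLE_AUTH_LOG):
        print(alert)
```

Run against the constructed sample, the monitor produces two alerts: a high-severity one for `ops-admin` logging in from `198.51.100.77` less than two minutes after a success from the management subnet, and a medium-severity one for the later login from `203.0.113.5`. The trusted-network list is the weak point of this approach: if attacker-controlled instances sit inside a range the organization treats as trusted, the check is blind, so the ranges should be as narrow as the real management paths allow.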

WIKICROOK

  • GRU: The GRU is Russia’s military intelligence agency, known for sponsoring hacking groups that target foreign governments and organizations worldwide.
  • Network Edge Device: A network edge device connects internal networks to external systems, managing data flow and security at the boundary between trusted and untrusted networks.
  • Credential Harvesting: Credential harvesting is the theft of login details, such as usernames and passwords, often through fake websites or deceptive emails.
  • Packet Capture: Packet capture records data packets on a network, aiding in security analysis and troubleshooting, but can also be used by attackers to intercept sensitive information.
  • Credential Replay Attack: A credential replay attack involves using stolen login credentials to gain unauthorized access to systems, often exploiting password reuse and weak authentication.

WHITEHAWK
Cyber Intelligence Strategist