- AWS says Russian GRU-linked groups spent years exploiting misconfigured edge devices to persist within Western critical infrastructure
- The activity overlaps with that of Curly COMrades, whose tools abuse Hyper-V and Linux virtual machines for stealthy persistence.
- Amazon recommends urgent audits of edge devices, credential reuse checks, and monitoring of suspicious admin portal access
For almost half a decade, Russian state-sponsored threat actors have abused network equipment misconfigurations, as well as a number of vulnerabilities, to establish persistence inside critical infrastructure organizations in the West, experts have warned.
In a new threat report (via The Register), CJ Moses, Chief Information Security Officer (CISO) at Amazon Integrated Security, highlighted the scale of the campaign, which has been going on for several years.
“The campaign demonstrates a sustained focus on Western critical infrastructure, particularly the energy sector, with operations extending from 2021 to the present,” Moses said.
Hiding in plain sight
In most cases, threat actors are targeting corporate routers, VPN concentrators, remote access gateways, and network management devices.
Although they have abused several vulnerabilities, including a number of zero-days, they mainly focus on misconfigurations. According to Moses, abusing a misconfiguration leaves a significantly smaller footprint than exploiting a vulnerability and is therefore much more difficult to spot and prevent.
Some of the targeted edge devices are hosted as virtual appliances on AWS, the report further said, adding that the company works hard to “continuously disrupt” campaigns as soon as malicious activity is spotted.
Trying to attribute the campaign to a specific threat actor has proven somewhat difficult, but AWS has reason to believe that it is a broader campaign by the General Directorate of Intelligence (GRU), with multiple groups involved.
One of the entities linked to the attacks is called Curly COMrades, a group that, among other things, hides its malware in Linux-based virtual machines deployed on Windows devices.
In November this year, Bitdefender security researchers reported that Curly COMrades was executing remote commands to enable the Microsoft Hyper-V virtualization feature while disabling its management interface. They then used this feature to download a lightweight Alpine Linux-based virtual machine containing several malware implants.
“Looking ahead to 2026, organizations must prioritize securing their edge devices and monitoring for credential replay attacks to defend against this persistent threat,” Moses concluded.
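The report's closing advice (audit edge devices, check for credential reuse, watch admin portal access) is easier to act on with a concrete detection. The script below is an added example, not code from Amazon or the report: it parses a constructed set of edge-device admin-portal authentication log lines (the `user=... src=... dev=... result=...` format is an assumption, not any vendor's real format) and flags two things: the same account authenticating successfully from several distinct source IPs inside a short window, which is what a replayed credential looks like, and successful admin logins from outside the trusted management networks.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report); the field layout is assumed.
SAMPLE_LOG = """\
2025-12-01T02:10:05Z user=netadmin src=203.0.113.10 dev=vpn-gw-01 result=success
2025-12-01T02:11:40Z user=netadmin src=198.51.100.7 dev=vpn-gw-01 result=success
2025-12-01T02:12:03Z user=netadmin src=192.0.2.44 dev=router-core-02 result=success
2025-12-01T09:00:12Z user=jdoe src=10.10.5.21 dev=nms-01 result=success
2025-12-01T09:30:55Z user=jdoe src=10.10.5.21 dev=nms-01 result=success
2025-12-01T23:45:00Z user=svc-backup src=10.10.7.3 dev=router-core-02 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dev=(?P<dev>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_credential_replay(events, window=timedelta(minutes=10), min_sources=2):
    """Flag accounts whose successful logins come from >= min_sources distinct IPs within `window`.

    Returns {user: sorted list of source IPs involved}. Only successes count, because a
    replayed credential that works is the persistence signal the report warns about.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        flagged = set()
        # Sliding window: for each login, look at the sources seen in the following `window`.
        for i, start in enumerate(evs):
            srcs = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(srcs) >= min_sources:
                flagged |= srcs
        if flagged:
            findings[user] = sorted(flagged)
    return findings


def admin_access_from_untrusted(events, trusted_cidrs):
    """Return (user, src, dev) for successful admin logins not originating from a trusted CIDR."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        ip = ipaddress.ip_address(e["src"])
        if not any(ip in n for n in nets):
            hits.append((e["user"], e["src"], e["dev"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential replay candidates:", find_credential_replay(evs))
    # Management network assumed to be 10.0.0.0/8 for this constructed sample.
    print("admin logins from untrusted sources:", admin_access_from_untrusted(evs, ["10.0.0.0/8"]))
```

On the constructed sample, `netadmin` is reported by both checks (three public source IPs in under two minutes, none on the management network), `jdoe` is clean, and the failed `svc-backup` attempt is ignored by design. In a real deployment the trusted CIDR list and the window size are the tuning knobs: a tight window catches replay from multiple operator hosts, while the allow-list catches the admin-portal exposure the report says the attackers rely on.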