
AWS Infrastructure Targeted By Russian Cyberattacks In ‘Yearslong’ Campaign

By CRN
January 5, 2026


Russian threat actors are targeting customers’ network edge devices hosted on AWS infrastructure. Here’s what AWS customers need to know.

Amazon has confirmed that Russian state-sponsored cyberattacks targeted misconfigured network edge devices hosted on AWS infrastructure throughout 2025 as part of a “yearslong” campaign.

Amazon’s Threat Intelligence unit said the Russian threat actor group known as Sandworm—which is associated with Russia’s GRU military intelligence agency—spent 2025 targeting network edge devices on AWS with a focus on the energy sector and businesses with cloud-hosted network infrastructure.

The Russian hackers are focusing their cyberattacks on AWS environments in “what appear to be misconfigured customer network edge devices [which] became the primary initial access vector,” said Amazon’s security leader, CJ Moses, in a recent security report.

“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” said Moses, CISO of Amazon Integrated Security.


Amazon said the attacks are not due to a weakness in AWS technology but appear to stem from edge devices that customers have misconfigured.

“Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat,” Moses said.

The Seattle-based cloud giant operates hundreds of data centers across the globe that host critical infrastructure for its large customer base.

AWS, Google and Microsoft—combined—currently own more than half of all hyperscale data center capacity on a global basis.

Russian Attacks Have Been Ongoing For Five Years

Moses also shed light on how Russia’s Sandworm hackers have focused on attacking critical infrastructure, particularly the energy sector, with cyberattack operations spanning from 2021 to the present day.

For example, in 2021 and 2022, the Russian threat actors ran campaigns that involved WatchGuard exploitation and targeted misconfigured devices.

Amazon said that in 2024 the Russian threat actors' activity involved Veeam exploitation, with continued targeting of misconfigured devices.

Then in 2025, Sandworm began targeting misconfigured customer network edge devices.

“Targeting the ‘low-hanging fruit’ of likely misconfigured customer devices with exposed management interfaces achieves the same strategic objectives, which is persistent access to critical infrastructure networks and credential harvesting for accessing victim organizations’ online services,” said Moses.

“The threat actor’s shift in operational tempo represents a concerning evolution: while customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” he added.

Russian Hackers’ Primary Targets And Targeted Resources

Over the past several years, the Russian attackers have targeted three key areas, including energy sector businesses across Western nations.

The other two targets were critical infrastructure providers in North America and Europe as well as organizations with cloud-hosted network infrastructure.

Some of the commonly targeted resources were enterprise routers, VPN concentrators, remote access gateways, network management appliances and cloud-based project management systems.

No AWS Patch Needed

Although AWS released its findings on the Russian state-sponsored hackers, Amazon confirmed that there is no AWS vulnerability for customers to patch.

Amazon said it has notified affected customers, but there is no AWS patch because the hackers are exploiting misconfigured devices operated by AWS customers.

“This was not due to a weakness in AWS; these appear to be customer misconfigured devices,” said Moses. “Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software.”

Moses said since the discovery of Sandworm’s activity, Amazon has disrupted active threat actor operations and reduced the attack surface available to this threat activity subcluster.

“We will continue working with the security community to share intelligence and collectively defend against state-sponsored threats targeting critical infrastructure,” he said.


