Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure
ID: 7b9fa468-27e8-55a9-bcd4-a718c224af62
STIX ID: report--7b9fa468-27e8-55a9-bcd4-a718c224af62
Feed Name: AWS Security Blog
Amazon Threat Intelligence reports a sustained 2021–2025 GRU-linked campaign (associated with Sandworm/Curly COMrades) that shifted from CVE exploitation to compromising misconfigured customer network edge devices—often hosted on AWS—to perform packet capture, credential harvesting, and credential replay against energy and other critical infrastructure targets; the report includes timelines, exploited CVEs, IOCs, a captured exfiltration payload, and recommended mitigations.
