Threat Management, Exposure management, Vulnerability Management, Cloud Security, Critical Infrastructure Security, Identity, Patch/Configuration Management

Amazon: Russian threat actors focus more on targeting cloud misconfigurations

Amazon Threat Intelligence on Dec. 15 reported on a years-long Russian state-sponsored campaign that targeted the energy sector and critical infrastructure in North America and Western Europe by exploiting cloud misconfigurations rather than zero-day software vulnerabilities.

The Amazon study pointed out that the threat actor achieved the same operational outcomes, credential harvesting and lateral movement into victim infrastructure, while reducing its exposure and resource costs.

Commonly targeted tech infrastructure included enterprise routers and routing infrastructure, VPNs and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.

Based on overlaps with known Sandworm operations observed in Amazon’s telemetry, the Amazon researchers assessed that the campaign was the work of the Russian Main Intelligence Directorate, known as the GRU.

Here’s how it all unfolded from 2021-2025:

Chrissa Constantine, senior cybersecurity solution architect at Black Duck, said we’re now seeing a notable shift in tactics among Russian state-sponsored cyber threat groups as misconfigurations are increasingly favored over complex zero-day exploits as an initial access vector.

Constantine said this trend was driven by practicality because misconfigured network edge devices, exposed management interfaces, and overly permissive identities offer low-cost, reliable entry points that can remain undetected for extended periods.

“This approach reflects a strategic emphasis on operational efficiency, stealth, and persistence rather than rapid exploitation or monetization,” said Constantine. “Rather than signaling diminished capability, the move away from zero-day exploits toward exploiting weak configurations and credentials in VPNs, routers, and cloud or hybrid environments is deliberate. Misconfiguration abuse blends seamlessly with legitimate administrative activity, making detection and attribution significantly more challenging.”

Aaron Beardslee, manager of threat research at Securonix, said this shift to cloud misconfigurations isn’t a failure of security programs: it's evidence they're working. Defenders made the traditional exploitation model too expensive and too risky, so attackers adapted, said Beardslee.

Unfortunately, configuration security has been treated as operational housekeeping instead of a critical security control, said Beardslee, and that needs to change immediately.

“Organizations need to elevate configuration management to the same priority as vulnerability management, implement continuous compliance monitoring for network edge devices, eliminate internet exposure of management interfaces entirely, enforce MFA and eliminate default credentials everywhere, and deploy CSPM tools in cloud environments to catch misconfigurations before attackers do.”
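Two of the controls Beardslee lists, no internet-exposed management interfaces and MFA on every console identity, are exactly what a CSPM check looks like in practice. The following Python is an added example written for this article; it is not code from the Amazon report or from any vendor quoted here. It runs over constructed inventory shaped like the output of `describe-security-groups` and the IAM credential report, with hypothetical group IDs, user names and CIDRs, and includes a small remediation helper that pins a world-open rule to an admin CIDR.

```python
"""CSPM-style checks for internet-exposed management ports and console users
without MFA. Added example: inventory below is constructed, not real data."""
import copy
from dataclasses import dataclass

# Ports commonly carrying router/VPN/appliance management planes (assumed list).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 443: "https",
                    3389: "rdp", 8443: "https-alt"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: sg-0a1 exposes SSH (v4) and an admin UI (v6) to the world.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "edge-router-mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "vpn-gateway", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,   # VPN service itself
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,     # admin UI, internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

# Constructed rows mirroring IAM credential-report columns (root reports
# password_enabled as "not_supported" in the real report).
CREDENTIAL_REPORT = [
    {"user": "<root_account>", "password_enabled": "not_supported", "mfa_active": "false"},
    {"user": "netops-admin", "password_enabled": "true", "mfa_active": "true"},
    {"user": "wiki-svc", "password_enabled": "true", "mfa_active": "false"},
    {"user": "ci-deploy", "password_enabled": "false", "mfa_active": "false"},  # keys only
]


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def exposed_management_ports(groups):
    """One finding per management port reachable from 0.0.0.0/0 or ::/0 over TCP."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            world = [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] in WORLD]
            world += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] in WORLD]
            if not world:
                continue
            proto = rule["IpProtocol"]
            if proto == "-1":                      # "all traffic" rule
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = rule["FromPort"], rule["ToPort"]
            else:
                continue                           # UDP/ICMP are not management planes here
            for port, name in MANAGEMENT_PORTS.items():
                if lo <= port <= hi:
                    findings.append(Finding(sg["GroupId"], "mgmt-port-world-open",
                                            f"{name}/{port} open to {','.join(world)}"))
    return findings


def console_users_without_mfa(report):
    """Root plus every user holding a console password but no MFA device."""
    return [row["user"] for row in report
            if row["mfa_active"] != "true"
            and (row["user"] == "<root_account>" or row["password_enabled"] == "true")]


def restrict_rule(rule, allowed_cidr):
    """Copy of `rule` with world-open ranges replaced by `allowed_cidr`
    (e.g. a bastion or admin-VPN egress). The input is not modified."""
    fixed = copy.deepcopy(rule)
    fixed["IpRanges"] = [r for r in fixed["IpRanges"] if r["CidrIp"] not in WORLD]
    fixed["IpRanges"].append({"CidrIp": allowed_cidr})
    fixed["Ipv6Ranges"] = [r for r in fixed["Ipv6Ranges"] if r["CidrIpv6"] not in WORLD]
    return fixed


if __name__ == "__main__":
    for f in exposed_management_ports(SECURITY_GROUPS):
        print(f"{f.resource}: {f.rule}: {f.detail}")
    print("console users without MFA:", console_users_without_mfa(CREDENTIAL_REPORT))
```

Against real accounts the same functions can be fed the JSON from `aws ec2 describe-security-groups` and the parsed CSV from `aws iam get-credential-report`; the UDP rule is deliberately ignored so that a VPN concentrator's service port does not drown out its exposed admin UI.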

Michael Bell, chief executive officer at Suzu Labs, said the trend shows that attackers are doing a cost-benefit analysis and realizing they don't need expensive zero-days when misconfigured devices get them the same access with less risk. Bell said zero-days take resources to develop and get burned once they're used. Misconfigured routers and VPN concentrators with exposed management interfaces are everywhere and not enough teams patch the configuration, said Bell.

“Security teams need to stop treating configuration management as a compliance checkbox and start treating it as an active attack surface,” said Bell. “The Amazon research shows Sandworm using these misconfigs to intercept credentials in transit, then replaying those credentials against cloud services. That means one exposed router management interface can compromise an organization’s entire cloud footprint.”
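Bell's scenario, credentials harvested at a network device and replayed against cloud APIs, leaves a recognisable trace: the same access key appears from a source the organisation does not own, often seconds after a legitimate call from corporate egress. The following Python is an added detection example, not code from the Amazon report or from Suzu Labs. It runs over constructed CloudTrail-style records; the key IDs, user names and IP addresses (documentation ranges) are hypothetical, and the corporate egress set is an assumption.

```python
"""Flag replay of a harvested access key from CloudTrail-style records.
Added example with constructed events; identifiers are hypothetical."""
from datetime import datetime, timedelta

KNOWN_EGRESS = frozenset({"198.51.100.10"})   # assumed corporate egress IPs


def _ident(user, key):
    return {"type": "IAMUser", "userName": user, "accessKeyId": key}


# Constructed records: netops-admin's key is used from an unknown IP five
# minutes after a legitimate call, starting with a validity probe.
EVENTS = [
    {"eventTime": "2024-05-02T08:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.10", "userIdentity": _ident("netops-admin", "AKIAEXAMPLE000000001")},
    {"eventTime": "2024-05-02T08:04:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.10", "userIdentity": _ident("netops-admin", "AKIAEXAMPLE000000001")},
    {"eventTime": "2024-05-02T08:09:30Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.77", "userIdentity": _ident("netops-admin", "AKIAEXAMPLE000000001")},
    {"eventTime": "2024-05-02T08:10:00Z", "eventName": "ListSecrets",
     "sourceIPAddress": "203.0.113.77", "userIdentity": _ident("netops-admin", "AKIAEXAMPLE000000001")},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.10", "userIdentity": _ident("wiki-svc", "AKIAEXAMPLE000000002")},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_replay(events, known_egress=KNOWN_EGRESS, window=timedelta(minutes=30)):
    """Return one alert per first sighting of an (access key, source IP) pair
    that trips either signal:
      * the call comes from an IP outside the organisation's known egress set
      * the same key was used from a different IP within `window`, which one
        interactive operator cannot do but a replayed credential can
    """
    last_use = {}        # accessKeyId -> (time, ip) of the most recent call
    seen_pairs = set()   # (accessKeyId, ip) already reported or baselined
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"].get("accessKeyId")
        if not key:
            continue
        t, ip = _parse(ev["eventTime"]), ev["sourceIPAddress"]
        reasons = []
        if (key, ip) not in seen_pairs:
            if ip not in known_egress:
                reasons.append("source outside known egress")
            prev = last_use.get(key)
            if prev and prev[1] != ip and t - prev[0] <= window:
                reasons.append(f"used from {prev[1]} {t - prev[0]} earlier")
        if reasons:
            alerts.append({"accessKeyId": key, "user": ev["userIdentity"]["userName"],
                           "sourceIPAddress": ip, "firstEvent": ev["eventName"],
                           "reasons": reasons})
        seen_pairs.add((key, ip))
        last_use[key] = (t, ip)
    return alerts


if __name__ == "__main__":
    for a in detect_replay(EVENTS):
        print(a)
```

Alerting on the first sighting of each key/IP pair keeps a compromised key from generating one alert per API call, and recording `firstEvent` surfaces the `GetCallerIdentity` probe that often opens a replay session.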

Jason Fruge, CISO-in-residence at XM Cyber, added that Russian state-sponsored actors shifting their focus toward exploiting identity and configuration weaknesses in critical infrastructure underscores a significant gap in conventional defense strategies.

Fruge said cybersecurity leaders can no longer concentrate solely on software vulnerabilities. Instead, he said vulnerability and threat management programs must expand to address identity, configuration and interconnected exposures that adversaries can exploit to create complex attack paths.

“Staying ahead of these tactics requires organizations to adopt a proactive, comprehensive approach to threat hunting, using all exposure types to identify and remediate gaps before they become weaponized,” said Fruge.
