Amazon: Russian GRU hackers favor misconfigured devices over vulnerabilities

Brownie2019

Amazon Threat Intelligence reports Russian GRU hackers are increasingly breaking into critical infrastructure by abusing misconfigured devices instead of exploiting software vulnerabilities.
Russian state-sponsored threat actors linked to the GRU (Glavnoye Razvedyvatelnoye Upravleniye, or Main Intelligence Directorate) are increasingly breaching critical infrastructure networks by exploiting basic configuration mistakes rather than software vulnerabilities, according to new research from Amazon Threat Intelligence.
Amazon attributes the activity with high confidence to Sandworm, also tracked as APT44 and Seashell Blizzard. The campaign has targeted energy providers and other critical infrastructure organisations across North America and Europe since at least 2021. Amazon also identified infrastructure overlap with a group Bitdefender tracks as Curly COMrades, which appears to handle post-compromise activity.
This lines up with what a lot of recent incident reports have been showing: it’s usually the “boring” stuff (misconfigurations and exposure) that gets you owned, not exotic 0‑days.

Key takeaways from the article
  • Amazon Threat Intelligence attributes this activity to Sandworm / APT44 (aka Seashell Blizzard), a GRU-linked group with a long history of targeting critical infrastructure.
  • The focus is on misconfigured devices and services, not on exploiting unknown software vulnerabilities.
  • Targets are mainly energy providers and other critical infrastructure across North America and Europe, with activity going back to at least 2021.
  • There’s reported overlap between Sandworm infrastructure and a group Bitdefender calls Curly COMrades, likely handling post‑compromise operations.

Why this matters (and why it’s worrying)
  • It confirms that state actors are happy to skip “sophisticated exploits” when they can just walk through an open door: exposed management interfaces, weak auth, default creds, misconfigured VPNs, etc.
  • Critical infrastructure often has:
    • Legacy gear that’s hard to patch or replace
    • OT/ICS networks that were never designed to be internet‑reachable
    • Complex architectures where misconfigurations are easy to introduce and hard to detect
  • If attackers are routinely getting in via config errors, that also suggests:
    • Poor asset inventory and external attack surface management
    • Insufficient hardening/standards for how devices are deployed and exposed
    • Weak or missing monitoring on edge/ICS devices once they’re online

What defenders should take from this
Even if you’re not running a power grid, the same principles apply to enterprises and even SMBs:

  • Know what’s exposed: Regularly scan your public IP ranges and cloud assets (including forgotten labs, test systems, and old VPN gateways).
  • Lock down remote access:
    • Disable or strongly restrict RDP, SSH, admin panels, and web management UIs from the open internet.
    • Enforce VPN + MFA for any remote access to internal/ICS networks.
  • Eliminate low‑hanging fruit:
    • Remove default accounts / default passwords.
    • Enforce strong, unique creds and MFA where possible.
    • Disable unused services and ports on edge devices.
  • Segment and monitor:
    • Keep OT/ICS networks segmented from IT and from direct internet access.
    • Monitor for new or unexpected inbound connections, especially to management interfaces and VPNs.
  • Standardize configuration:
    • Use templates / baselines for routers, firewalls, VPN appliances, and ICS gateways instead of ad‑hoc setups.
    • Regularly review configs against a hardening guide (CIS Benchmarks, vendor hardening docs, etc.).

For home and small office users
Even on a small scale, attackers (not just GRU-linked ones) abuse the same weaknesses:

  • Change default passwords on routers, NAS, cameras, etc.
  • Disable remote admin from the internet unless absolutely needed.
  • Keep firmware updated on all internet‑facing devices.
  • If a device must be reachable from outside, use a VPN and MFA where possible instead of exposing it directly.

In short, this report is another reminder that “secure configuration and exposure management” is not optional hygiene anymore—it’s the main battleground, even for nation‑state operations.
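As an added example (not code from the post above, nor from Amazon's or Bitdefender's research): a small Python exposure audit that applies the "know what's exposed", "eliminate low-hanging fruit" and "standardize configuration" points to an asset inventory. The hostnames, the permitted-source CIDRs and the port-to-service baseline are assumptions constructed for the example; in practice the inventory would be fed from your external scanner or firewall/ACL export.

```python
"""Exposure audit over a constructed asset inventory (added example).

Each internet-facing entry is checked against a small hardening baseline:
management/OT ports reachable from public ranges, default credentials,
remote access without MFA, and unused services left listening.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed baseline: services that should never answer on the open internet.
# The port-to-name mapping is an illustrative choice for this example.
MANAGEMENT_PORTS = {
    22: "SSH", 23: "Telnet", 161: "SNMP", 3389: "RDP", 5900: "VNC",
    502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
    8080: "HTTP admin UI", 8443: "HTTPS admin UI",
}

# RFC 1918 and loopback; a permitted source range not fully inside one of
# these is treated as "reachable from the internet" (IPv4 only here).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass
class Asset:
    host: str
    port: int
    allowed_from: List[str]        # CIDRs the firewall/ACL permits inbound
    service: str = ""
    default_creds: bool = False    # factory account/password still valid
    mfa: Optional[bool] = None     # None = not a remote-access service
    in_use: bool = True            # False = nobody owns or needs it


@dataclass
class Finding:
    host: str
    port: int
    severity: str
    detail: str


def internet_reachable(cidrs: List[str]) -> bool:
    """True if any permitted source range is not wholly inside a private range."""
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_RANGES):
            return True
    return False


def audit(assets: List[Asset]) -> List[Finding]:
    """Apply the baseline to every asset; worst findings first."""
    findings = []
    for a in assets:
        exposed = internet_reachable(a.allowed_from)
        if exposed and a.port in MANAGEMENT_PORTS:
            findings.append(Finding(a.host, a.port, "HIGH",
                                    f"{MANAGEMENT_PORTS[a.port]} reachable from the internet"))
        if a.default_creds:
            # Default creds on an exposed device is exactly the "open door" case.
            findings.append(Finding(a.host, a.port, "CRITICAL" if exposed else "HIGH",
                                    "default credentials still active"))
        if exposed and a.mfa is False:
            findings.append(Finding(a.host, a.port, "HIGH",
                                    f"{a.service or 'remote access'} without MFA"))
        if not a.in_use:
            findings.append(Finding(a.host, a.port, "MEDIUM",
                                    "unused service still listening"))
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity present, or None when the inventory is clean."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default=None)


# Constructed sample inventory (hostnames and ACLs are made up for this example).
INVENTORY = [
    Asset("vpn-gw.example", 443, ["0.0.0.0/0"], "SSL VPN", mfa=False),
    Asset("plc-gateway.example", 502, ["0.0.0.0/0"], "Modbus/TCP"),
    Asset("old-lab-router.example", 23, ["0.0.0.0/0"], "Telnet",
          default_creds=True, in_use=False),
    Asset("jump.example", 22, ["10.0.0.0/8"], "SSH", mfa=True),
    Asset("www.example", 443, ["0.0.0.0/0"], "HTTPS"),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.severity:8} {f.host}:{f.port}  {f.detail}")
    print("worst:", worst_severity(audit(INVENTORY)))
```

Run against the sample inventory it reports the forgotten lab router with default Telnet credentials as critical, the internet-facing PLC gateway and the VPN without MFA as high, and is silent on the internal jump host and the plain HTTPS web server. Re-running the audit on every scan export is the cheap way to catch the configuration drift the report describes.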