APT44 years-long Russian campaign targeting Western critical infrastructure
Campaign
Summary
A years-long Russian campaign by APT44 targeted Western critical infrastructure from 2021 to 2025, increasing the risk of credential theft and downstream network compromise across energy and other critical sectors. The operation relied on misconfigured edge devices and exposed management interfaces for initial access. It affected organizations across North America, Europe, and the Middle East and used repeated credential-harvesting and replay tradecraft. The activity was disrupted and affected customers were notified.
Related Happenings
FamousSparrow Azerbaijani oil-and-gas targeting campaign
Campaign
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijani oil-and-gas company** in the **South Caucasus**, highlighting a new...
Polish power grid hit by network compromise
Incident
First: 28.01.2026 18:06
Last: 28.01.2026 18:06
Sources 1
About this happening:
Dragos disclosed a late-December cyberattack on the Polish power grid that disrupted OT communication and control at distributed generation sites. The intrusion affected combined...
Latest development: 29.01.2026 00:14
Dragos says a coordinated cyberattack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. The activity compromised OT systems, damaged key equipment beyond repair, disabled communications equipment at multiple sites, wiped Windows systems, and left power generation uninterrupted while affecting at least 12 confirmed sites, with Dragos estimating about 30. Dragos attributes the activity with moderate confidence to the Russian threat actor Electrum and describes it as distinct from Sandworm (APT44).
AWS EC2 and ECS cryptomining campaign using compromised IAM credentials
Campaign
First: 17.12.2025 23:48
Last: 17.12.2025 23:48
Sources 1
About this happening:
An **ongoing crypto-mining campaign** is abusing **compromised IAM credentials** to mine on **AWS EC2** and **ECS**, draining customer compute and slowing response. The operation...
Sandworm misconfigured-network-edge-device campaign targeting critical infrastructure
Campaign
First: 16.12.2025 15:22
Last: 16.12.2025 15:22
Sources 1
About this happening:
A **Sandworm-linked Russian campaign** has shifted in **2025** from exploiting flaws to abusing **misconfigured network edge devices**, increasing access risk for **critical infra...
Russian GRU critical infrastructure edge-device targeting campaign
Campaign
First: 16.12.2025 14:15
Last: 16.12.2025 14:15
Sources 1
About this happening:
A Russian GRU-linked campaign targeted Western critical infrastructure and shifted in 2025 from exploiting vulnerabilities in products such as WatchGuard, Confluence, and Veeam to...
Latest development: 16.12.2025 22:13
The operation initially relied on **WatchGuard**, **Confluence**, and **Veeam** vulnerabilities for initial access, combining zero-days and known flaws. That foothold phase later gave way to targeting **misconfigured edge devices** with exposed management interfaces.
Timeline
- 16.12.2025 14:27 · 2 articles · 5mo ago
Initial report: APT44 years-long Russian campaign targeting Western critical infrastructure
Initial Disclosure: The operation began in **2021** with exploitation of **WatchGuard Firebox and XTM** weaknesses and targeting of **misconfigured edge devices**. Early access enabled credential harvesting and follow-on access attempts against downstream services.
Sources:
- Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure — thehackernews.com — 16.12.2025 14:27