
Russian GRU critical infrastructure edge-device targeting campaign

Type: Campaign
Happening score: 52
Sources: 2 unique sources, 2 articles

Summary


A Russian GRU-linked campaign targeted Western critical infrastructure and, in 2025, shifted from exploiting vulnerabilities in products such as WatchGuard, Confluence, and Veeam to targeting misconfigured customer network edge devices, including some hosted on AWS. The activity was associated with initial access, credential harvesting, persistent access, and lateral movement inside victim environments. Reporting tied the campaign to GRU-linked activity, including Sandworm/APT44/Seashell Blizzard, and to overlaps with Curly COMrades. The campaign appears to have remained active across 2021-2025, with emphasis on critical infrastructure organizations, especially in the energy sector.

Related Happenings

SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)

Vulnerability
First: 21.05.2026 00:19 Last: 21.05.2026 00:19 Sources 1

About this happening: Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...

CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation

Security Tool/Service
First: 03.03.2026 02:06 Last: 03.03.2026 02:06 Sources 1

About this happening: **CyberStrikeAI** was observed on **attacker infrastructure** supporting a live **Fortinet FortiGate** attack campaign, showing the platform can be repurposed for offensive automa...

FortiGate exposed management interface exploitation wave

Exploitation Wave
First: 21.02.2026 16:49 Last: 21.02.2026 16:49 Sources 1

About this happening: **FortiGate** management interfaces were hit by an **automated exploitation wave** that abused **internet-exposed ports** and **commonly reused credentials** to compromise **600+...

Russian-speaking hacker AI-assisted FortiGate breach campaign

Campaign
First: 21.02.2026 15:50 Last: 21.02.2026 15:50 Sources 1

About this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...

AWS EC2 and ECS cryptomining campaign using compromised IAM credentials

Campaign
First: 17.12.2025 23:48 Last: 17.12.2025 23:48 Sources 1

About this happening: An **ongoing crypto-mining campaign** is abusing **compromised IAM credentials** to mine on **AWS EC2** and **ECS**, draining customer compute and slowing response. The operation...

Timeline

  1. 16.12.2025 22:13 2 articles · 5mo ago

    Russian GRU misconfigured edge-device campaign targeting Western critical infrastructure

    Initial Disclosure

    The operation initially relied on **WatchGuard**, **Confluence**, and **Veeam** vulnerabilities for initial access, combining zero-days and known flaws. That foothold phase later gave way to targeting **misconfigured edge devices** with exposed management interfaces.

  2. 15.12.2025 02:00 2 articles · 5mo ago

    Amazon updates Russian GRU-linked campaign targeting Western critical infrastructure

    Campaign Scope Update

    Amazon Threat Intelligence said a Russian GRU-linked campaign against Western critical infrastructure shifted in 2025 from exploiting vulnerabilities in WatchGuard, Confluence, and Veeam to targeting misconfigured customer network edge devices, including some hosted on Amazon Web Services (AWS), to gain initial access, harvest credentials, maintain persistent access, and move laterally inside victim organizations. Amazon also said the attribution rests on infrastructure overlaps with GRU-linked activity, including Sandworm, APT44, Seashell Blizzard, and overlaps with Curly COMrades.
