Russian GRU Shifts Tactics to Target Misconfigured Edge Devices in Western Critical Infrastructure
Summary
A Russian state-sponsored threat actor, attributed to the GRU, has shifted its tactics from exploiting vulnerabilities to targeting misconfigured customer network edge devices. The campaign, active since 2021, primarily targets energy sector organizations and critical infrastructure providers in Western nations. The shift in tactics allows the group to maintain persistent access, harvest credentials, and move laterally within victim networks while reducing exposure and resource expenditure.
Timeline
- 16.12.2025 14:15 · 1 article
  GRU-Linked Threat Actor Shifts to Misconfigured Edge Device Targeting in 2025
  In 2025, a Russian GRU-linked threat actor shifted its tactics from exploiting vulnerabilities to targeting misconfigured customer network edge devices. This shift enables persistent access, credential harvesting, and lateral movement while reducing the actor's exposure and resource expenditure. The campaign is part of a broader GRU operation, with infrastructure overlaps indicating specialized subclusters supporting broader campaign objectives.
  Sources:
  - Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices — www.infosecurity-magazine.com — 16.12.2025 14:15
Information Snippets
- The threat actor has been targeting global infrastructure organizations since 2021, focusing on energy sector and critical infrastructure providers in North America and Europe.
  First reported: 16.12.2025 14:15 (1 source, 1 article)
  - Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices — www.infosecurity-magazine.com — 16.12.2025 14:15
- Previous campaigns exploited vulnerabilities in WatchGuard, Confluence, and Veeam.
  First reported: 16.12.2025 14:15 (1 source, 1 article)
  - Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices — www.infosecurity-magazine.com — 16.12.2025 14:15
- In 2025, the group shifted to targeting misconfigured edge devices, including those hosted on AWS.
  First reported: 16.12.2025 14:15 (1 source, 1 article)
  - Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices — www.infosecurity-magazine.com — 16.12.2025 14:15
- The misconfigurations are on the customer side, not in the AWS cloud infrastructure itself.
  First reported: 16.12.2025 14:15 (1 source, 1 article)
  - Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices — www.infosecurity-magazine.com — 16.12.2025 14:15
- The group harvests credentials from compromised infrastructure to launch replay attacks.
  First reported: 16.12.2025 14:15 (1 source, 1 article)
  - Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices — www.infosecurity-magazine.com — 16.12.2025 14:15
- The attribution to the GRU is based on infrastructure overlaps with previous operations linked to Sandworm (APT44, Seashell Blizzard) and the group Bitdefender tracks as Curly COMrades.
  First reported: 16.12.2025 14:15 (1 source, 1 article)
  - Amazon Warns Russian GRU Hackers Target Western Firms via Edge Devices — www.infosecurity-magazine.com — 16.12.2025 14:15