
Sandworm misconfigured-network-edge-device campaign targeting critical infrastructure

Type: Campaign
Happening score: 49
1 unique source, 1 article

Summary


A Sandworm-linked Russian campaign shifted in 2025 from exploiting software flaws to abusing misconfigured network edge devices, raising the risk of unauthorized access for critical infrastructure organizations and other cloud-hosted environments. The operators use packet capture on those devices to harvest credentials, then reuse them in replay attacks and for lateral movement. Earlier phases relied more heavily on zero-day and n-day exploitation. The campaign was disrupted and victims were notified.

Related Happenings

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

FamousSparrow Azerbaijani oil-and-gas targeting campaign

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijani oil-and-gas company** in the **South Caucasus**, highlighting a new...

Industrial ransomware targeting surged in 2025 across OT-linked environments

Target Trend
First: 17.02.2026 14:50 Last: 17.02.2026 14:50 Sources 1

About this happening: **Industrial organizations** saw a sharp rise in **ransomware targeting in 2025**, increasing the risk of **OT disruption** across critical sectors. The trend matters because atta...

AWS EC2 and ECS cryptomining campaign using compromised IAM credentials

Campaign
First: 17.12.2025 23:48 Last: 17.12.2025 23:48 Sources 1

About this happening: An **ongoing crypto-mining campaign** is abusing **compromised IAM credentials** to mine on **AWS EC2** and **ECS**, draining customer compute and slowing response. The operation...

APT44 years-long Russian campaign targeting Western critical infrastructure

Campaign
First: 16.12.2025 14:27 Last: 16.12.2025 14:27 Sources 1

About this happening: A **years-long** Russian campaign by **APT44** targeted **Western critical infrastructure** from **2021 to 2025**, increasing the risk of credential theft and downstream network c...

Timeline

  1. 16.12.2025 15:22 (2 articles)

    Sandworm-linked Russian campaign shifts to misconfigured edge devices

    Initial Disclosure

    Amazon's threat intelligence team reports that Sandworm-linked Russian state-sponsored actors shifted in 2025 from exploiting zero-day and n-day vulnerabilities, including CVE-2022-26318, CVE-2021-26084, CVE-2023-22518, and CVE-2023-27532, to targeting misconfigured network edge devices at critical infrastructure and other cloud-hosted organizations. The operators used the devices' native packet-capture capabilities to steal credentials, then used those credentials for replay attacks and lateral movement. Amazon says it disrupted the campaign and notified victims.
