Russian Hackers Attacking Network Edge Devices in Western Critical Infrastructure
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A Russian state-sponsored hacking group has been targeting network edge devices in Western critical infrastructure since 2021, with operations intensifying throughout 2025.<\/p>\n
The campaign, linked to Russia\u2019s Main Intelligence Directorate (GRU) and the notorious Sandworm group<\/a>, represents a major shift in tactics.<\/p>\n Instead of focusing on exploiting zero-day vulnerabilities, the hackers now target misconfigured customer network devices<\/a> with exposed management interfaces.<\/p>\n This approach yields the same outcomes\u2014persistent access and credential theft\u2014while making detection much more difficult.<\/p>\n The attackers specifically focus on energy sector organizations across North America and Europe, along with critical infrastructure providers.<\/p>\n They compromise enterprise routers, VPN gateways, and network management devices hosted on cloud platforms.<\/p>\n By targeting these devices, hackers position themselves to intercept user credentials transmitted over network traffic, which they subsequently use to access victim organizations\u2019 online services and internal systems.<\/p>\n AWS analysts identified<\/a> this campaign through their threat intelligence telemetry, observing coordinated attacks against customer network edge devices hosted on Amazon Web Services.<\/p>\n The compromises occurred not because of AWS security flaws, but due to customer misconfigurations that left management interfaces exposed to the internet.<\/p>\n Network analysis revealed persistent connections from attacker-controlled IP addresses to compromised EC2 instances running network appliance software, indicating interactive access and ongoing data collection.<\/p>\n The campaign timeline shows a clear evolution. Between 2021 and 2022, attackers exploited WatchGuard devices using CVE-2022-26318. In 2022-2023, they targeted Confluence platforms through CVE-2021-26084 and CVE-2023-22518.<\/p>\n By 2024, Veeam exploitation via CVE-2023-27532 had become prevalent. Throughout 2025, the hackers maintained sustained focus on misconfigured devices while reducing their investment in vulnerability exploitation, demonstrating a strategic shift toward easier targets.<\/p>\n The attackers use packet capture capabilities to harvest credentials from compromised network devices.<\/p>\n Once they gain access to a network edge device, they intercept authentication traffic passing through it.<\/p>\n The time gap between device compromise and credential replay attempts suggests passive collection rather than active theft.<\/p>\n The hackers capture victim organization credentials\u2014not just device passwords\u2014as users authenticate to various services through the compromised infrastructure.<\/p>\n After collecting credentials, the attackers systematically replay them against victim organizations\u2019 online services, including collaboration platforms, source code repositories, and cloud management<\/a> consoles.<\/p>\n AWS researchers repeatedly observed this pattern: device compromise, followed by authentication attempts using stolen credentials against the victim\u2019s cloud services and enterprise applications.<\/p>\n The attackers established connections to authentication<\/a> endpoints across multiple sectors, including electric utilities, energy providers, managed security providers, and telecommunications companies spanning North America, Europe, and the Middle East.<\/p>\n The WatchGuard exploitation demonstrated the attackers\u2019 technical approach. The captured exploit payload shows how they encrypted stolen configuration files using the Fernet encryption library, exfiltrated them via TFTP to compromised staging servers, and removed evidence by deleting temporary files.<\/p>\n This methodology reveals careful attention to operational security and anti-forensics.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Russian Hackers Attacking Network Edge Devices in Western Critical Infrastructure<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCredential Harvesting and Replay Operations<\/strong><\/h2>\n