Amazon confirms prolonged Russian cyber campaign against AWS users
Amazon Web Services (AWS), Amazon's cloud web hosting platform which provides online services to millions of customers, has confirmed that Russian state actors have been attacking misconfigured customer edge devices for the past five years, according to a new update from the company.
Earlier this week, Amazon Threat Intelligence shared an update on the AWS website that detailed the years-long attack by a Russian cyber threat group. Amazon's team dissected the attack and discovered a link to a threat actor known as Sandworm, which is associated with Russia’s GRU military intelligence agency.
Amazon’s telemetry reveals coordinated operations against customer network edge devices hosted on AWS. According to Amazon, this was not due to a weakness in AWS but appears to stem from misconfigured customer devices.
"The campaign demonstrates sustained focus on Western critical infrastructure, particularly the energy sector, with operations spanning 2021 through the present day," CJ Moses of Amazon Threat Intelligence said in the post.
According to Amazon, the attack focused on "energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and organizations with cloud-hosted network infrastructure." Amazon says the campaign targeted the "'low-hanging fruit' of likely misconfigured customer devices," which likely explains how the attacks continued for so long.
Moses says that this attack "represents a significant evolution in critical infrastructure targeting" and calls it a "tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined."
In short, according to Amazon, there is no AWS exploit to patch: the attackers are taking advantage of misconfigured devices on the customers' end. Amazon says it has notified affected customers and, going into the new year, urges them to monitor and audit their network devices and remain vigilant, as the attacks are ongoing.
UPDATE: Dec. 19, 2025, 5:54 p.m. EST This post has been updated throughout to make it clear that AWS was not a victim in this attack and that the coordinated operation did not occur due to a weakness in AWS. It appears to stem from misconfigured customer devices.
Amazon? These the same guys that accidentally hired a North Korean programmer into their remote IT team?
That's ok, they are president Trump's friends !!
In any sane society the number of cyber attacks from Russian sources would be considered acts of war. How is this any different from hiring privateers to seize merchant ships?
They must’ve not respected Russia
Without wanting to dox myself, I've been in positions in several large organisations where I get visibility of regular cyber security reporting.
Every company. EVERY company I've had this visibility of has weekly attacks from "state actors", which is code for Chinese, Russian, often Iranian, and less frequently North Korean, hackers.
It's an enormous industry in those countries. Make no mistake, they are probing and prodding the infrastructure, financial, defence, emergency, and energy networks of Western countries pretty much full-time.
It's staggering when I realised the scale and effort they were putting into it.
What, the president’s buddy? Say it ain’t soooo!
for some reason it's always some country that the government would like to destroy.
Honestly, if they had a bunch of bots just spamming ai infrastructure, wouldn’t that be an incredible energy problem in the US?
They did launch a 6 Tbps DDOS with Lambda in us-west-1 during the 2018 Super Bowl.
And who had the multiple cell phone chaos banks all over New York a few months back?
Hegseth said they stopped attacking us tho?!
"Hegseth said..." LOL. Anything he says....not worth spit.
The world has basically become a shitty bond movie at this point. We know who all the villains are too, we just don’t care. I know people are concerned about nuclear war etc.. but mark my words, if we ever go to war with Russia or China, the power will be out within 45 minutes and it’ll just be some dude waiting to hit enter on their keyboard.
This has become especially apparent because everyone including governments seems to think it’s a great idea that they all use the exact same services (Cloudflare etc) that all depend on the exact same infrastructure (Amazon, Microsoft, Oracle etc).
We are so dumb at this point that we are replacing farmland with ai data centers. I can’t eat your stupid fucking pseudoscience paper AI bros..
We’re heading towards Interstellar (and not the fun parts).. the line I think about often in particular is, “We didn’t run out of flat screen TVs we ran out of food”. I remember being a kid and having a big screen TV was absolutely insane to have due to price, and moving them also required Brian Shaw to come to your house and help. Now you can get a 65 inch TV or a weeks worth of food (for now) lol
That’s so fucking crazy to me when I really stop and think about where we are today. I’m 37… and the world has changed so much already in my lifetime.
Did the Russians originally claim they’d take Amazon down in 3 days?
Guess they can blame their crappy service on this.
Did it improve their service?
Russia is at war with the West. It's time we realize this.
It's because Putin has no dick. The man is totally smooth down there and it has driven him insane.
Epstein’s was “like a mutant lemon”
Russia has been at war with the United States for a while now. Putting Trump in office was part of their warfare to destroy America from within
Yeah, ever since 2014 when the US first got those crippling sanctions put on Russia because Russia invaded and annexed the Crimean Peninsula.
I was going to say, 5? Pretty sure Trump announced candidacy in 2015.
Interesting test... put something like a Raspberry Pi's ssh port on the internet and monitor the logs. Around 50% to 75% of the IPs trying to connect to it will be Russian. The other major portion will be Chinese IPs.
BTW: This is why you should never expose an SSH port to the internet with password auth enabled. For safety it should always be only key authentication allowed. Even better yet, set up a VPN on a non-standard port and connect to your network via a cert based VPN before you SSH into anything.
Note: this is in response to the idea that Russia is trying to attack western infrastructure, but it's not just infrastructure, it's anything they can get their hands on. Bot nets are everywhere.
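The "expose SSH and watch the logs" experiment above, turned into detection logic: an added example, not the commenter's code. It assumes OpenSSH's standard auth-log line formats and uses constructed log lines with RFC 5737 documentation addresses; a "Failed password" line is also the tell that password authentication is still enabled on that host.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth-log lines, not captured traffic.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 18 03:00:01 host sshd[4100]: Failed password for root from 203.0.113.5 port 50122 ssh2
Dec 18 03:00:02 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Dec 18 03:00:03 host sshd[4102]: Failed password for invalid user ubuntu from 203.0.113.5 port 50124 ssh2
Dec 18 03:00:04 host sshd[4103]: Failed password for root from 203.0.113.5 port 50125 ssh2
Dec 18 03:00:05 host sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 50126 ssh2
Dec 18 03:00:09 host sshd[4110]: Failed password for root from 198.51.100.7 port 41000 ssh2
Dec 18 03:00:10 host sshd[4111]: Connection closed by authenticating user deploy 192.0.2.10 port 39000 [preauth]
Dec 18 03:00:12 host sshd[4112]: Accepted publickey for deploy from 192.0.2.10 port 39001 ssh2: ED25519 SHA256:constructedfp
"""

# One pattern covers the outcome lines sshd writes for password and key logins.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text):
    """Per-source-IP counts of failed and accepted logins plus the usernames tried."""
    stats = defaultdict(lambda: {"failed": 0, "accepted_password": 0,
                                 "accepted_publickey": 0, "users": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue                      # not a login outcome line
        entry = stats[m.group("ip")]
        entry["users"].add(m.group("user"))
        if m.group("outcome") == "Failed password":
            entry["failed"] += 1
        elif m.group("outcome") == "Accepted password":
            entry["accepted_password"] += 1
        else:
            entry["accepted_publickey"] += 1
    return dict(stats)

def flag_bruteforce(log_text, threshold=5):
    """Source IPs with at least `threshold` failed passwords, most failures first."""
    stats = summarize(log_text)
    hits = [(ip, s["failed"]) for ip, s in stats.items() if s["failed"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: -t[1])]

def password_auth_observed(log_text):
    """True if any password attempt was logged: sshd is still offering password auth."""
    return any(s["failed"] or s["accepted_password"] for s in summarize(log_text).values())

if __name__ == "__main__":
    for ip in flag_bruteforce(SAMPLE_LOG):
        print(f"brute force from {ip}, users tried: {sorted(summarize(SAMPLE_LOG)[ip]['users'])}")
    print("password auth still enabled:", password_auth_observed(SAMPLE_LOG))
```

Feed it a real `/var/log/auth.log` (or `journalctl -u ssh` output) instead of the sample; a host with `PasswordAuthentication no` should never produce a "Failed password" line.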
Yeah but IP source doesn’t mean anything.
It could also mean that a lot of insecure devices are present in Russia and China and are used as bot net for whatever scope. The article says they seem to have identified a control group like Sandworm, which is a different thing.
This kind of stuff is over my head a bit. I did recently try setting up Adguard on my NAS to set up DNS but then I found out about Quad9 and decided it would be easier to just set DNS to that instead. I also recently took advice from a YouTube video and set up different VLANs for different devices and made a trusted, IoT, and Guest network to further protect our network.
This stuff is way over my head. Is there a step by step guide on how to do this?
You'd have to take it piece by piece and Google it. There isn't anything that covers all of what I just provided, sorry. Start with SSH key based authentication and disabling password based authentication. There are tons of YouTube videos on that subject alone. Then you could research setting up a WireGuard or OpenVPN VPN.
No worries, thanks for this I appreciate the guidance.
I'm in the same boat. I know I need to start somewhere, but...haha...it's a whole entire subject category.
Legit “the struggle is real”.
Hmm yes I understand everything I just read. SSH ports and stuff yes…
I was working in a print shop overseeing a huge production run at 3am back in like 2015 - and all of a sudden there was an EXPLOSION of notifications on the main printer's display, each claiming a failed login attempt
It listed the IP address that was trying to make that attempt - and I looked it up & found they were based out of China
Wasn't sure what to do so I just unplugged the network cable for the night. lol Within a few months after bringing this to the attention of the team - we'd moved to a non-public facing network infrastructure.
I also always just straight up block all IP addresses from China and Russia on every server I set up
How do you do that?
Honestly that should be the default position outside of those countries.
How could you do that actually?
I run my servers on AWS and just use the built-in region blocking features of CloudFront and ALB
As someone ignorant of security and practices outside of using MFA, what can you recommend to enable me to do the same? I don't have a server but I'm interested in hardening my Wi-Fi and modem at home and protecting our PCs to the extent possible.
Most consumer devices have a firewall that is going to block all inbound connection attempts to the devices on your local network. There isn’t a lot of risk for these types of attacks on your personal network. Phishing or other malware attacks are what consumers should be most worried about.
I agree with you. Personal networks have little to offer but personal identifying information does.
Sorry I don't know about modems, it would probably depend on the manufacturer.
All of the servers I run are on AWS, and I just use the built-in features of CloudFront and ALB to block traffic from countries like Russia.
It's not perfect obviously, they can easily get around it with a VPN, but it cuts out a LOT of the low effort attempts
Gotcha. Thanks anyway.
The amount of traffic I got from other IPs too though, Ukraine, Hong Kong, Netherlands…I ended up blocking all visits from the worst offenders and doing managed challenges from Cloudflare for the rest outside of the US. But a lot of requests from those IPs seemed to bypass Cloudflare entirely anyway. I can’t understand why these cybercriminals are allowed to continue and why Apache or cPanel don’t have stronger host-level methods to block what is obviously malicious snooping and scraping.
Can confirm. I performed a similar activity using RDP (3389 open) following YT tutorials from MyDFIR and Josh Madakor. Ukraine and Poland IPs lit up within an hour as confirmed by Wazuh, Sentinel and a geo location map tool. Then Singapore chimed in and said hold my b33r. In three hours Splunk counted 8000 failed access attempts. I finally deleted both instances (AWS, Azure) after running overnight and nearly a quarter million attempts.
Or they can just use a US VPN..
That won't isolate the traffic to just their own network, which would be the point in this case. That kind of VPN is great if you want to prevent your ISP or public WiFi provider from seeing your traffic. It's also good if you want to mask where you're coming from when accessing public services. It's not so good to secure your own personal network from attacks.
Yep, or open port 80 and just watch. The amount probing for HTTP vulns in routers, etc is insanity. But it’s important to note that a majority of the time those mass scans are from infected devices, meaning the actual attacker may not be from where the IP is.
It can be a bit misleading, which is why it always requires further research.
You forget the step where you replace all the standard response codes with those from say....Windows 2003 IIS ;>
Yup, infected devices that are already part of a botnet. I have over 100 attempted connections from those regions in the last 8 hours, and that's down from what it has been in the past. It's not just SSH either, but anything they think they can take advantage of, like port 80 as you mentioned. I've gotten to the point that besides the method I listed, I also block regions.
Watch over 23, 80, 8080, 8081, 37777, 53413 UDP, those are common just off the top of my head. I do malware research so I have a hobby of setting up honeypots lol
If you haven't already, I suggest investing in a Unifi Cloud Gateway. They have a crazy amount of capabilities for someone that does what you do. Network monitoring and intrusion detection being the first two features off the top of my head that would be the most helpful.
No need. I’ve been working on my own tools to meet niche requirements. I’m not looking for IDS tools as much because I know what specific IoCs I’m looking for and what I’m wanting to ignore.
I.e. I could care less about those 1000 SSH attempts but I’m more curious on what they do with a false banner and false username and password combo. What shells are they looking for? What protections do they have? IDS won’t help me emulate what the malware is looking for and wanting as much as it will let me know it’s there.
I do appreciate the recommendation though. I would however one day like to play with a Firewalla router
I just got a UCG Fiber a couple of months ago and the amount of attempts it's logged from just geoblocking a few countries is crazy.
Certainly it's the number one thing that shows up in my blocked list.
I'm surprised at how well the intrusion detection spots network traffic that's out of sorts. I found that out just connecting to my web server via ssh. The detection was solid, even if it was a bit painful to figure out why.
It always looked like we were in a constant state of war with China because of their unique hacks—for example, if they mess things up using some mysterious rules Amazon itself created, money gets deposited into their account.
Did they get free shipping?
Not following the link, can someone copy and paste the text please?
A five-year cyberattack campaign targeting users of Amazon Web Services infrastructure in the West has been confirmed by the Amazon threat intelligence team following ongoing analysis of the threat, which is linked to the Sandworm actor and, therefore, to hackers working with Russia’s GRU military intelligence agency.
Prolonged Russian Hack Attacks Target Devices Hosted On Amazon Infrastructure — No Unpatched Vulnerabilities Required
The Russian state-sponsored cyberattacks represent “a significant evolution in critical infrastructure targeting,” CJ Moses, previously the FBI Cyber Division’s technical lead for computer and network intrusion analysis and now chief information security officer at Amazon Integrated Security, said in a December 15 analysis. How so? Because, as Moses went on to explain, vulnerability exploitation was not an overriding factor, but rather the Russian attacks took “a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector.”
Yep, patch all you like, but if you leave devices misconfigured, it’s like putting expensive and secure locks on the front door and leaving an upstairs window open with a ladder on hand for good measure.
Attackers, especially the most sophisticated ones, and any Russian state-sponsored advanced persistent threat group that falls into this category, will take the low-hanging fruit over vulnerability exploitation to reduce exposure any day. After all, as Moses said, “this tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure.”
According to Moses, the Russian hacking operation has been ongoing since at least 2021, targeting global infrastructure but with a focus on the Western energy sector, especially in North America and Europe.
The attackers have been observed compromising infrastructure hosted on AWS, Moses confirmed, adding that the Amazon telemetry revealed “coordinated operations against customer network edge devices hosted on AWS.” The problem, it turns out, isn’t related to any weakness on the AWS end per se, but rather to customer misconfigured devices.
“This trend is driven by practicality because misconfigured network edge devices, exposed management interfaces, and overly permissive identities provide low-cost, reliable entry points that can remain undetected for extended periods,” Chrissa Constantine, senior cybersecurity solution architect at Black Duck, warned. The approach is deliberate and certainly does not signal any diminished capability on behalf of the attackers in moving away from zero-days. “Misconfiguration abuse blends seamlessly with legitimate administrative activity,” Constantine concluded, “making detection and attribution significantly more challenging.”
Mitigating The Russian Hacker Amazon Attacks
Moses said that “Amazon remains committed to helping protect customers and the broader internet ecosystem by actively investigating and disrupting sophisticated threat actors,” and recommended organizations apply the following actions in 2026:
"Network edge device audit
Credential replay detection
Access monitoring
Indicators of Compromise review"
When it came to AWS mitigation specifically, Amazon recommended managing access using identity federation with an identity provider, implementing the least permissive rules for your security groups, and using Amazon Inspector to automatically discover and scan Amazon EC2 instances for software vulnerabilities and unintended network exposure. Don’t let 2026 be an open window for attackers; you have been warned.
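The "network edge device audit" and least-permissive security group advice above, as an added example that is neither Amazon's nor the commenter's code: it walks security group descriptions in the shape returned by `aws ec2 describe-security-groups` and reports every inbound rule that opens a management port, or all ports, to the whole internet. The port list and the sample groups are constructed assumptions; the live `boto3` call is only noted in a comment.

```python
import ipaddress

# Management ports the audit flags when exposed to the whole internet
# (assumed list; extend it for the devices you run).
MANAGEMENT_PORTS = (22, 23, 3389, 8443)

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output; not from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "edge-router-mgmt",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "open-all",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "web-public",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

def is_world_open(cidr):
    """True for a prefix that admits the whole internet (/0 in IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_management_rules(groups, ports=MANAGEMENT_PORTS):
    """(group id, name, port, cidr) for each inbound rule that opens a management
    port, or every port, to 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            if not open_cidrs:
                continue
            if perm["IpProtocol"] == "-1":          # all protocols and ports
                hit = list(ports)
            elif perm["IpProtocol"] in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
                hit = [p for p in ports if lo <= p <= hi]
            else:                                    # icmp etc.: no ports
                hit = []
            findings.extend((g["GroupId"], g["GroupName"], p, c)
                            for p in hit for c in open_cidrs)
    return findings

if __name__ == "__main__":
    # Live use (assumed): groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for gid, name, port, cidr in exposed_management_rules(SAMPLE_GROUPS):
        print(f"{gid} ({name}): port {port} open to {cidr}; restrict to an admin CIDR")
```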
Brilliant, thank you 🙏
Why don't you do it for other people?
Forbes has too many cookies and sus software for the device I’m using right now. Not a problem for you, you don’t know what you don’t want.