Amazon Web Services (AWS) today published a report detailing a series of cyberattacks occurring over multiple years attributable to Russia’s Main Intelligence Directorate (GRU) that were aimed primarily at the energy sector in North America, Europe and the Middle East.
The latest Amazon Threat Intelligence report concludes that the cyberattacks have been evolving since 2021, based on overlapping infrastructure previously associated with known Sandworm operations observed through AWS telemetry data.
CJ Moses, CISO for Amazon Integrated Security, said that while AWS has been able to both thwart many of these cyberattacks and remediate any affected instances of its EC2 cloud service, cybersecurity teams should assume that similar tactics are being used to compromise other cloud services that organizations might reach through a misconfigured edge computing platform.
While thwarting these types of attack should be considered a fundamental capability of any cybersecurity strategy, the fact remains there are still a large number of misconfigured edge computing devices and platforms for malicious actors to exploit, noted Moses.
AWS was unable to observe how credentials are being captured, but the gap between device compromise and authentication attempts against services suggests passive collection rather than active credential theft, according to the report. Specifically, the report suggests that the targeting of customer network edge devices enables malicious actors to intercept credentials in transit.
In addition to advising organizations to audit network devices to ensure credentials have not been compromised, AWS is also encouraging cybersecurity teams to analyze logs to identify any instances of reuse of credentials and monitor for authentication attempts from unexpected geographic locations.
In the case of AWS customers, the cloud service provider is again reminding organizations to implement identity and access management (IAM) controls to secure access to cloud services.
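A log-analysis sketch in the spirit of that advice, added here as an example and not code from AWS or the report: it walks CloudTrail-style sign-in and API events and flags any credential used from more than one source address, plus any event whose source country falls outside an assumed set of expected locations. The sample events, the IP-to-country map and the expected-country set are all constructed; a real deployment would read CloudTrail from S3 or Athena and use a proper GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: countries from which this organization's staff normally sign in.
EXPECTED_COUNTRIES = {"US", "CA"}

# Constructed stand-in for a GeoIP lookup (RFC 5737 documentation addresses).
GEOIP = {"198.51.100.10": "US", "203.0.113.5": "CA", "192.0.2.77": "RU"}

# Constructed sample events using CloudTrail's documented field names.
EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T08:00:00Z", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin", "accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "GetCallerIdentity", "eventTime": "2024-05-01T09:30:00Z", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin", "accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "ListBuckets", "eventTime": "2024-05-01T10:00:00Z", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup", "accessKeyId": "AKIAEXAMPLE0002"}},
]


def _ts(s):
    """Parse CloudTrail's UTC eventTime (e.g. 2024-05-01T08:00:00Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(events, expected=EXPECTED_COUNTRIES, geoip=GEOIP):
    """Return credentials seen from more than one IP and events from unexpected countries."""
    seen = defaultdict(list)   # credential -> [(time, ip, country)]
    unexpected = []
    for e in events:
        ident = e["userIdentity"]
        cred = ident.get("accessKeyId") or ident.get("userName")
        ip = e["sourceIPAddress"]
        country = geoip.get(ip, "UNKNOWN")   # unknown locations are treated as unexpected
        seen[cred].append((_ts(e["eventTime"]), ip, country))
        if country not in expected:
            unexpected.append({"credential": cred, "ip": ip, "country": country,
                               "event": e["eventName"], "time": e["eventTime"]})
    reused = {}
    for cred, uses in seen.items():
        ips = sorted({ip for _, ip, _ in uses})
        if len(ips) > 1:   # same key presented from several addresses: possible replay of intercepted creds
            times = [t for t, _, _ in uses]
            span = (max(times) - min(times)).total_seconds() / 3600
            reused[cred] = {"ips": ips, "span_hours": round(span, 2)}
    return {"reused_credentials": reused, "unexpected_geo": unexpected}


if __name__ == "__main__":
    print(analyze(EVENTS))
```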
It’s not clear how widely the GRU and any affiliated cybersecurity syndicates have been exploiting this attack vector. Given the number of misconfigured edge computing devices and platforms in use, however, the extent of the damage is likely to be significant, especially across an energy sector that manages critical infrastructure and would be heavily targeted should any hostilities involving Russia and its allies break out.
Of course, it’s probable other government agencies around the world are also exploiting similar low-level mechanisms to gain access to applications and services. Russia, especially, has a reputation for favoring low-cost methods to compromise IT environments, noted Moses.
The sad truth is that most organizations should assume their IT environments have been compromised using these or similar tactics and techniques. The challenge, and the opportunity, now is to first determine the degree and extent of such malicious activity before putting in the controls needed to prevent it from recurring. Of course, there is no such thing as perfect security, but neither should it be so relatively simple to compromise a modern IT environment.