A new report from Amazon Threat Intelligence reveals a disturbing evolution in Russian state-sponsored cyber operations. The group, linked to the notorious Sandworm (also known as APT44), has shifted its strategy away from complex software exploits, instead favoring a quieter, more efficient path: targeting misconfigured network edge devices to breach critical infrastructure across the West.
The report highlights a “tactical pivot” that has allowed these actors to maintain persistent access to vital networks while significantly reducing their footprint.
For years, state-sponsored actors have been synonymous with high-profile zero-day exploits. However, Amazon’s telemetry from 2021 through 2025 shows a marked decline in vulnerability exploitation by this group. Instead, they are hunting for the open doors left by administrators.
“Targeting the ‘low-hanging fruit’ of likely misconfigured customer devices with exposed management interfaces achieves the same strategic objectives,” the report notes. By focusing on unpatched or poorly secured routers, VPN concentrators, and network management appliances, the attackers can harvest credentials and pivot laterally without burning expensive software exploits.
Based on consistent targeting patterns and infrastructure overlaps, Amazon Threat Intelligence assesses with “high confidence this activity cluster is associated with Russia’s Main Intelligence Directorate (GRU).”
The campaign’s footprint overlaps with operations previously attributed to Sandworm, a group infamous for disruptive attacks on Ukraine’s power grid. Researchers also found links to a cluster Bitdefender tracks as “Curly COMrades,” suggesting a potential division of labor where one team handles initial access while another manages persistence.
Once inside a compromised edge device, the actors don’t smash and grab; they listen. The report suggests the group uses native packet capture capabilities to intercept authentication traffic passively.
“Time gap between device compromise and authentication attempts against victim services suggests passive collection rather than active credential theft,” the analysts observed.
These stolen credentials are then weaponized in “systematic credential replay attacks against victim organizations’ online services,” allowing the spies to move from network appliances into cloud collaboration platforms and project management systems.
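The replay stage described above leaves a recognisable trace in an organisation's sign-in logs: because the credentials were captured passively, they are valid, so a single source succeeds against many distinct accounts in a short window, which a failure-ratio rule tuned for password spraying would miss. The following detector is an added illustration, not code from Amazon or from the report; the log format, addresses, account names and thresholds are constructed assumptions.

```python
"""Flag credential-replay sources in cloud sign-in logs.

Heuristic: one source address authenticating *successfully* as many distinct
accounts within a short window. Replayed credentials are valid, so the usual
"many failures" spraying signal is absent; count successes instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical format and values).
SAMPLE_LOG = """\
2025-03-04T09:00:01Z src=203.0.113.7 user=alice result=success
2025-03-04T09:00:05Z src=203.0.113.7 user=bob result=success
2025-03-04T09:00:09Z src=203.0.113.7 user=carol result=success
2025-03-04T09:00:14Z src=203.0.113.7 user=dave result=success
2025-03-04T09:00:20Z src=203.0.113.7 user=erin result=success
2025-03-04T09:01:00Z src=198.51.100.20 user=alice result=success
2025-03-04T10:30:00Z src=198.51.100.21 user=bob result=failure
2025-03-04T10:31:00Z src=198.51.100.21 user=bob result=success
"""


def parse(log_text):
    """Parse 'timestamp key=value ...' lines into (ts, src, user, result)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, fields["src"], fields["user"], fields["result"]))
    return events


def find_replay_sources(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Return {src: sorted accounts} for sources that succeed as at least
    `min_accounts` distinct users inside any `window`-long interval."""
    successes = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        if result == "success":
            successes[src].append((ts, user))
    hits = {}
    for src, evs in successes.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window start
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    print(find_replay_sources(SAMPLE_LOG))
```

Run against real sign-in exports, the window and account threshold should be tuned to the size of the tenant, and sources already known to be shared egress (VPN gateways, proxies) excluded before alerting.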
The scope of the campaign is immense, with a sustained focus on the energy sector and telecommunications providers across North America, Europe, and the Middle East.