With a deep understanding of cloud architecture and security, Maryanne Baines has spent her career evaluating how enterprises navigate the complex digital landscape. Today, we delve into a pressing issue highlighted in a recent Amazon Threat Intelligence report: a significant tactical shift by Russian-backed threat groups. Over a nearly five-year campaign, these actors have moved away from traditional vulnerability exploits, instead focusing on the “low-hanging fruit” of misconfigured network edge devices. We’ll explore how this strategy allows them to harvest credentials and gain persistent access, the unique challenges this presents when devices are hosted in the cloud, and the grave risks facing critical infrastructure, particularly the energy sector.
Russian-backed groups now favor exploiting misconfigured edge devices over hunting for zero-day vulnerabilities. Why is this tactical shift so effective for them, and what does it reveal about their resource expenditure and operational goals?
It’s a classic case of working smarter, not harder. Developing or acquiring a zero-day exploit is incredibly expensive and time-consuming, and once you use it, the clock is ticking until it’s discovered and patched. By shifting focus to misconfigured edge devices—things like routers and VPNs with exposed management interfaces—they achieve the exact same operational outcomes with a fraction of the effort and risk. Their goal is still credential harvesting and lateral movement, but this approach dramatically reduces their resource expenditure and their exposure. We saw the beginnings of this trend back in 2021 with the WatchGuard exploitation, and by 2025, their success with this method was so profound that we observed a clear decline in their use of zero-day exploits. They simply found a more efficient path to the same destination.
Threat actors are using packet capture on compromised routers and VPNs to harvest credentials for lateral movement. Could you walk us through this attack chain step-by-step and explain the specific security blind spots that allow these persistent connections to go unnoticed?
Certainly. The attack begins when the actor finds an exposed edge device, which is surprisingly common. Once they gain access, they don’t immediately cause a ruckus. Instead, they install packet capture utilities and simply listen. All the data flowing through that device—logins, session tokens, sensitive information—is copied and analyzed. It’s like putting a tap on the main data line into a building. After harvesting the credentials they need, they use them to log into the organization’s other online services or internal infrastructure. The real security blind spot here is the persistence. The attackers establish long-term, low-and-slow connections that often blend in with legitimate administrative traffic. Unless you are actively monitoring for unexpected utilities running on your routers or analyzing traffic patterns for anomalies, these connections can persist for years, silently exfiltrating data the entire time.
Some of these attacks involve customer-managed network appliances running on public cloud instances. How does this environment change the game for attackers, and what unique challenges does it create for security teams trying to distinguish malicious activity from legitimate traffic?
This is a crucial point, and it’s not about a weakness in the cloud provider itself. When a customer deploys their own network appliance software on a cloud instance, like an EC2 instance on AWS, they are responsible for configuring it securely. If they misconfigure it, they’re essentially creating a publicly accessible weak point. For an attacker, this is ideal. They can compromise the instance and then establish persistent connections from their own actor-controlled IP addresses. For security teams, this is a nightmare. Sifting through mountains of telemetry to distinguish a malicious, persistent data stream from thousands of legitimate network connections is incredibly difficult. It underscores the shared responsibility model: the provider secures the underlying infrastructure, but the customer absolutely must secure their own applications and configurations within it.
The energy sector and its supply chain have been primary targets in this campaign. What are the specific strategic objectives behind gaining persistent access to critical infrastructure, and what are the most severe operational risks these organizations face from such a compromise?
The strategic objective here is long-term positioning, not just a quick data grab. Gaining persistent access to the network of an energy company or its supplier is about establishing a deep, enduring foothold inside a nation’s most critical systems. From there, the possibilities are chilling. They can conduct espionage, mapping out operational technology and industrial control systems. They can steal intellectual property. But the most severe risk is the potential for future disruption. This access could be leveraged to manipulate systems, cause blackouts, or interfere with energy distribution at a moment of geopolitical tension. It’s about placing a digital time bomb inside an adversary’s essential services, ready to be detonated when it will cause the most damage.
Given this focus on misconfigurations, what are the most crucial first steps an organization, particularly one in critical infrastructure, should take to audit and secure its network edge?
The first step has to be a comprehensive and brutally honest audit of your entire network edge. Assume you have devices with exposed management interfaces and go find them. Once you have visibility, the next critical action is to secure and monitor them relentlessly. This means implementing practical monitoring techniques, like actively scanning your devices for unexpected packet capture files or strange utilities that shouldn’t be there. That’s a massive red flag. Beyond that, enforcing strong authentication is non-negotiable. This is especially true for organizations in the energy sector or other critical infrastructure. You must make that “low-hanging fruit” as difficult to reach as possible, because we know for a fact that adversaries are looking for it.
What is your forecast for the evolution of attacks on edge devices?
I believe this campaign demonstrates a clear and permanent evolution in tactics. This isn’t a fleeting trend; it’s the new standard operating procedure for sophisticated actors because it is incredibly efficient. My forecast is that attackers will continue to refine their methods for discovering and exploiting these misconfigurations, likely using more automation to scan for targets at scale. The focus will remain squarely on critical infrastructure because the strategic payoff is too high to ignore. The defensive battle will shift even further away from just patching vulnerabilities and more toward proactive configuration management, continuous monitoring, and assuming that a persistent adversary is always testing your perimeter.
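A defensive hunt of the kind the answers on the attack chain and on auditing the network edge describe, added here as an example that is not part of the interview or of the Amazon report: it runs over constructed process, file and connection samples from a hypothetical edge appliance and flags packet capture utilities, capture files (rotated copies included) and long-lived connections from outside an assumed trusted admin range (10.0.0.0/8 and the one-day threshold are assumptions).

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample telemetry from a hypothetical edge appliance; not real data.
SAMPLE_PROCESSES = """\
PID   USER  COMMAND
1     root  /sbin/init
412   root  /usr/sbin/sshd -D
873   root  /usr/sbin/snmpd
2291  root  tcpdump -i eth0 -w /tmp/.cache/eth0.pcap -s 0
"""
SAMPLE_FILES = ["/var/log/messages", "/tmp/.cache/eth0.pcap",
                "/tmp/.cache/eth0.pcap.1", "/etc/config/network"]
# (remote_ip, remote_port, connection age in seconds); 198.51.100.0/24 is a
# documentation range standing in for an arbitrary external address.
SAMPLE_CONNECTIONS = [("10.0.0.5", 443, 120), ("10.0.0.9", 22, 3600),
                      ("198.51.100.77", 22, 5 * 86400)]
# Packet capture tools that have no business running on a production router.
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "ngrep", "pktcap-uw"}
CAPTURE_FILE = re.compile(r"\.(pcapng|pcap|cap)(\.\d+)?$", re.IGNORECASE)
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed admin range
MAX_AGE = 24 * 3600  # assumed: sessions older than a day deserve a look

def find_capture_processes(ps_output: str) -> List[str]:
    """Return command lines whose binary is a known capture utility."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        binary = parts[2].split()[0].rsplit("/", 1)[-1]
        if binary in CAPTURE_TOOLS:
            hits.append(parts[2])
    return hits

def find_capture_files(paths: List[str]) -> List[str]:
    """Return paths that look like capture output, rotated copies included."""
    return [p for p in paths if CAPTURE_FILE.search(p)]

def find_persistent_external(conns: List[Tuple[str, int, int]]) -> List[Tuple[str, int, int]]:
    """Return long-lived connections whose peer is outside the trusted range."""
    return [c for c in conns
            if ipaddress.ip_address(c[0]) not in TRUSTED_NET and c[2] > MAX_AGE]

def audit(ps_output, paths, conns) -> dict:
    """Combine the three checks into one report for a single device."""
    return {"capture_processes": find_capture_processes(ps_output),
            "capture_files": find_capture_files(paths),
            "persistent_external": find_persistent_external(conns)}
```

Feed it real `ps` output, a file listing of writable directories and the device's connection table to get a per-device report; every non-empty list is worth an analyst's attention.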
