
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 2,088 of 2,445   
   Mike Powell to All   
   Amazon says Russian hacke   
   17 Dec 25 09:19:07   
   
   TZUTC: -0500   
   MSGID: 1845.consprcy@1:2320/105 2da7f910   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Amazon says Russian hackers behind major cyber campaign to target Western   
   energy sector   
      
   Date:   
   Tue, 16 Dec 2025 17:20:00 +0000   
      
   Description:   
   For years, the GRU was snooping in critical infrastructure firms by abusing   
   misconfigurations and zero-days, Amazon says.   
      
   FULL STORY   
      
   For almost half a decade, Russian state-sponsored threat actors have been   
   abusing misconfigurations in network gear, as well as different   
   vulnerabilities, to establish persistence in key infrastructure organizations   
   in the west, experts have warned.    
      
   In a new threat report (via The Register), CJ Moses, Chief Information   
   Security Officer (CISO) at Amazon Integrated Security, highlighted the scale   
   of the campaign, which has been ongoing for several years.    
      
   "The campaign demonstrates sustained focus on Western critical    
   infrastructure, particularly the energy sector, with operations spanning 2021   
   through the present day," Moses said.   
      
   Hiding in plain sight    
      
   In most cases, the threat actors are looking at enterprise routers, VPN   
   concentrators, remote access gateways, and network management appliances.    
      
   While they have been abusing multiple vulnerabilities, including many    
   zero-day flaws, they are primarily focused on abusing misconfigurations. This   
   is, Moses argues, because abusing misconfigurations leaves a significantly   
   smaller footprint and as such is a lot more difficult to spot and prevent.    
      
   Some of the edge devices being targeted are hosted as virtual appliances on   
   AWS, the report further states, adding that the company is hard at work   
   continually disrupting the campaigns as soon as malicious activity is    
   spotted.    
      
   Trying to attribute the campaign to a specific threat actor turned out to be   
   somewhat challenging, but AWS has reason to believe this is a broader Main   
   Intelligence Directorate (GRU) campaign, with multiple groups involved.    
      
   One of the entities being linked to the attacks is called Curly COMrades, a   
   group that has, among other things, been hiding their malware in Linux-based   
   VMs deployed on Windows devices.    
      
   In November this year, security researchers from Bitdefender reported Curly   
   COMrades running remote commands to enable the microsoft-hyper-v   
   virtualization feature and disable its management interface. Then, they used   
   the feature to download a lightweight Alpine Linux-based VM containing   
   multiple malware implants.    
      
   "Going into 2026, organizations must prioritize securing their network edge   
   devices and monitoring for credential replay attacks to defend against this   
   persistent threat," Moses concluded.    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/amazon-says-russian-hackers-behind-major-cyber-campaign-to-target-western-energy-sector   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca