Amazon Warns Russian Hackers Are Targeting Western Energy Grids

For nearly five years, spies working for the Russian government have quietly infiltrated critical infrastructure across the West. Security experts at Amazon now warn that this campaign is massive and still very active. CJ Moses, the Chief Information Security Officer at Amazon, says these hackers have kept a laser focus on the energy sector since 2021.

The attackers usually go after the hardware that manages networks, such as enterprise routers, VPN gateways, and remote access tools. While they sometimes use “zero-day” flaws—bugs that software makers don’t yet know about—they prefer a much simpler method. They look for misconfigurations. Moses explains that exploiting a setting that a system administrator forgot to lock down creates much less noise than breaking in through a software vulnerability. This makes the intruders almost impossible to spot until it is too late.

Amazon has linked this activity to the GRU, Russia’s military intelligence service. It is a broad effort involving several different hacking teams working toward the same goal. One group, dubbed “Curly COMrades,” has been particularly creative in how they stay hidden. Just last month, researchers at Bitdefender found this group hiding malware inside Linux virtual machines that they secretly installed on compromised Windows computers. By burying their tools inside a virtual layer, they effectively blinded standard antivirus software.

Since some of these vulnerable devices run on AWS, Amazon is fighting the hackers directly. Moses stated that his team continuously disrupts these operations whenever they are found. However, he warns that the threat is not going away. As we head into 2026, he urges companies to lock down their network edges and watch closely for attackers trying to reuse stolen passwords. If organizations do not fix these basic setup errors, these Russian groups will continue to maintain their foothold in the systems that power the economy.
