Russian Hackers Hit AWS Customers Through Misconfigured Devices

According to CRN, Amazon’s Threat Intelligence unit has confirmed that Russian state-sponsored hackers from the group Sandworm, linked to the GRU, targeted misconfigured customer network edge devices on AWS infrastructure throughout 2025. This activity is part of a “yearslong” campaign running from at least 2021 to the present, with a strategic focus on the energy sector and businesses with cloud-hosted network infrastructure in Western nations, North America, and Europe. Amazon CISO CJ Moses stated the hackers shifted tactics to target “low-hanging fruit” like exposed management interfaces on enterprise routers, VPN concentrators, and remote access gateways. The goal is credential harvesting and persistent access to critical infrastructure networks. Amazon emphasizes this is not due to a weakness in AWS technology but customer misconfiguration, and while they’ve notified affected customers and disrupted some operations, there is no AWS patch required. Moses warns that going into 2026, organizations must prioritize securing these edge devices.

The Real Target Isn’t AWS

Here’s the thing: this announcement is a masterclass in cloud provider risk delineation. Amazon is being incredibly clear—this isn’t a breach of AWS’s walls. The hackers didn’t crack Amazon’s security. Instead, they’re walking through doors customers left unlocked on their own property, which just happens to be inside Amazon’s secure neighborhood. That’s a crucial distinction for the market. It shifts the blame, and more importantly, the remediation burden, squarely onto the customer. But it also highlights the perennial, ugly truth of cloud security: the shared responsibility model is only as strong as its weakest config. And in complex environments with edge devices, that config is often a mess.

A Shift In Hacker Economics

The most interesting insight from Moses isn’t about the targets, but the tactical shift. Sandworm, a top-tier state actor known for sophisticated zero-days, is now spending more time on simple misconfigurations. Why? The ROI is better. “Reducing the actor’s exposure and resource expenditure,” as Moses put it. Basically, why spend millions developing a fancy new lockpick when half the doors are wide open? This should scare the hell out of security teams. It means the bar for being a target is lower. You don’t have to be a high-value geopolitical asset; you just have to be a mid-sized company with a poorly set-up VPN appliance hosted on EC2. That’s a much bigger pool of potential victims.

Winners And Losers In Security

So who benefits from this news? Well, the entire cloud security posture management (CSPM) and external attack surface management (EASM) market just got a massive validation case study. Tools that continuously scan for misconfigured, internet-facing assets are no longer just a “nice-to-have.” They’re a critical shield against state actors. Companies like Wiz, Orca, and Palo Alto’s Prisma Cloud are probably sending this article to every prospect right now. The losers? Any IT team still managing network edge devices manually. This is a screaming argument for infrastructure-as-code and immutable, centrally managed deployments where “drift” from a secure configuration is automatically corrected. The old way of clicking through a GUI to set up a firewall is a direct liability now.
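What a minimal CSPM-style check of the kind described above looks like in practice, as an added example that is not part of the original article or any vendor's product: it walks security groups in the shape returned by `aws ec2 describe-security-groups` (the real `SecurityGroups[].IpPermissions` structure with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`), flags management ports reachable from `0.0.0.0/0` or `::/0`, and builds the exact `IpPermissions` entries a drift-correction job would hand to `RevokeSecurityGroupIngress`. The list of "management" ports, the group IDs and the sample rules are constructed for the example; in a real deployment you would feed it the JSON from the CLI or `boto3` instead of `SAMPLE_GROUPS`.

```python
"""CSPM-style audit: which security groups expose appliance management ports
to the whole internet, and what exactly would have to be revoked to fix it.

Constructed example. Input mirrors the shape of
`aws ec2 describe-security-groups` output (SecurityGroups -> IpPermissions).
"""
from dataclasses import dataclass

# Ports typically used to administer routers, VPN concentrators and remote
# access gateways. This set is an assumption for the example; tune it to your fleet.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 830: "netconf",
                    3389: "rdp", 8443: "https-admin"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    port: int
    service: str
    cidr: str
    protocol: str


def _world_cidrs(rule: dict) -> list[str]:
    """Return the IPv4/IPv6 ranges in an inbound rule that mean 'anyone'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def _management_ports_in_rule(rule: dict) -> list[int]:
    """Management ports covered by a rule. An 'all traffic' rule (IpProtocol -1)
    has no FromPort/ToPort and covers every port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return list(MANAGEMENT_PORTS)
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in MANAGEMENT_PORTS if lo <= p <= hi]


def find_exposed_management_ports(groups: list[dict]) -> list[Finding]:
    """One Finding per (group, management port, world CIDR) that is reachable."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):  # inbound rules only
            world = _world_cidrs(rule)
            for port in _management_ports_in_rule(rule) if world else []:
                for cidr in world:
                    findings.append(Finding(sg["GroupId"], port, MANAGEMENT_PORTS[port],
                                            cidr, rule["IpProtocol"]))
    return sorted(findings, key=lambda f: (f.group_id, f.port, f.cidr))


def revoke_payloads(groups: list[dict]) -> dict[str, list[dict]]:
    """IpPermissions entries for RevokeSecurityGroupIngress, per group. Only the
    world-open CIDRs are revoked, so rules scoped to trusted ranges are untouched."""
    payloads: dict[str, list[dict]] = {}
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            world = _world_cidrs(rule)
            if not world or not _management_ports_in_rule(rule):
                continue
            perm = {"IpProtocol": rule["IpProtocol"]}
            if "FromPort" in rule:  # absent for 'all traffic' rules
                perm["FromPort"], perm["ToPort"] = rule["FromPort"], rule["ToPort"]
            v4 = [{"CidrIp": c} for c in world if c == "0.0.0.0/0"]
            v6 = [{"CidrIpv6": c} for c in world if c == "::/0"]
            if v4:
                perm["IpRanges"] = v4
            if v6:
                perm["Ipv6Ranges"] = v6
            payloads.setdefault(sg["GroupId"], []).append(perm)
    return payloads


# Constructed sample data (group IDs and ranges are made up for the example).
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-vpn", "IpPermissions": [  # VPN portal on 443 plus world-open SSH admin
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-router", "IpPermissions": [  # SSH only from a corporate range: clean
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-example-wide", "IpPermissions": [  # all traffic from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-range", "IpPermissions": [  # wide port range that happens to include RDP
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in find_exposed_management_ports(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.service}/{f.port} ({f.protocol}) open to {f.cidr}")
    for gid, perms in revoke_payloads(SAMPLE_GROUPS).items():
        print(f"revoke from {gid}: {perms}")
```

Two design points worth noting. The check is port-based, so the VPN portal on 443 in the sample is deliberately not flagged; distinguishing a customer-facing portal from an admin page on the same port needs banner or path inspection that a security-group audit cannot do. And because a security group rule is revoked per CIDR, the remediation removes only the `0.0.0.0/0` and `::/0` entries and leaves the corporate-range rule on `sg-example-router` alone, which is what an automated drift-correction job must do to avoid locking out legitimate administrators.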

The Cloud Giant Dilemma

This puts Amazon, and by extension Google and Microsoft, in a tough spot. Their entire business relies on the perception of secure, resilient infrastructure. But when headline-grabbing state attacks are happening “on” their platforms—even if due to customer error—it tarnishes the brand. They have to walk a fine line: exposing the threats to warn customers, without scaring them off. Moses’s statement is carefully crafted to do just that. It shows vigilance and transparency (“we’ve disrupted operations”) while defensively circling the wagons (“not a weakness in AWS”). But the underlying message is clear: the cloud is now the primary battlefield. And if you’re not an expert in securing your slice of it, a GRU-backed hacker will be happy to move in.
