Russian state-sponsored hackers appear to be pivoting away from high-end vulnerability exploitation toward something far simpler—and far harder to detect. According to new research from Amazon Threat Intelligence, the Sandworm cyber unit linked to Russia’s GRU military intelligence agency is increasingly relying on misconfigured network edge devices as the primary initial access vector in attacks targeting critical infrastructure across the United States and Europe.
This shift marks a significant change in tradecraft for one of the most aggressive and historically destructive state-backed threat groups in the world. And it signals that, for defenders, misconfigurations are no longer a “basic IT problem.” They are now a frontline geopolitical attack surface.
To understand the significance of this shift, it is helpful to look back at Sandworm’s operational history—a timeline marked by some of the most consequential cyber incidents ever recorded.
The group was behind the BlackEnergy and Industroyer/CrashOverride attacks on Ukraine’s power grid in 2015 and 2016, the first known cyber operations to cause physical power outages. In 2017, they unleashed NotPetya, which would become the most destructive cyberattack in history, crippling global shipping, pharmaceutical manufacturing, and logistics supply chains. Sandworm has also been tied to Olympic Destroyer, disruptions of satellite communications, including the Viasat KA-SAT attack at the onset of Russia’s invasion of Ukraine, and espionage campaigns targeting energy, government, and industrial sectors worldwide.
Historically, the group demonstrated deep capabilities in developing and deploying custom malware, exploiting zero-day and n-day vulnerabilities, and conducting multi-stage post-exploitation with remarkable operational sophistication. However, AWS researchers now report that Sandworm’s activity shows a notable pivot.
Amazon’s threat intelligence team has monitored Russian-linked campaigns between 2021 and 2025 targeting energy companies, Western critical infrastructure, and organizations with cloud-hosted or hybrid network environments. Until recently, initial access relied heavily on vulnerability exploitation — including flaws like:
CVE-2022-26318 (WatchGuard)
CVE-2021-26084 and CVE-2023-22518 (Atlassian Confluence)
CVE-2023-27532 (Veeam)
Beginning in 2025, AWS analysts observed an apparent decline in zero-day and n-day exploitation and a corresponding increase in the targeting of misconfigured network edge devices, exposed management interfaces, and identity-related weaknesses. The activity overlaps with infrastructure associated with Sandworm and with a cluster tracked by Bitdefender as “Curly COMrades,” which may be supporting specific post-exploitation tasks.
The takeaway: even the most capable nation-state actors now prioritize what’s easiest and stealthiest — not necessarily what’s most technically advanced.
The natural question is why a group with a long track record of elite operational capabilities would deprioritize the exploitation of vulnerabilities. The answer, according to both AWS researchers and independent experts, comes down to practicality, stealth, and persistence.
Stealth and blending in
Misconfiguration abuse often mimics legitimate administrative behavior. As Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, notes, this makes detection far more challenging than a noisy exploit: misconfigured interfaces and overly permissive identities provide “low-cost, reliable entry points that can remain undetected for extended periods.”
Reduced operational risk
Zero-days are expensive to develop and easy to burn. Misconfigurations, meanwhile, are renewable resources — there is no patch cycle for a poorly secured router, exposed VPN interface, or cloud identity with excessive permissions.
Identity is now the attack surface
As organizations have shifted to cloud-first or hybrid environments, identity and access controls have replaced traditional network boundaries. Misconfigurations in these areas provide attackers with direct access without requiring the exploitation of a vulnerability.
Long-term persistence
A single misconfigured edge device can remain exploitable for months or years. Persistent access is of particular value to state actors conducting espionage, reconnaissance, or pre-positioning for potential disruptive operations.
This is not a sign that Russian operators are losing capability. It is a deliberate optimization of effort.
The shift is especially concerning for critical infrastructure sectors — energy, utilities, transportation, manufacturing, and government — where network edge devices bridge operational environments, remote operations, and cloud services. These devices often:
lack standardized security hardening
run outdated firmware
expose administrative interfaces
rely on legacy authentication models
fall outside traditional vulnerability scanning workflows
Shane Barney, CISO at Keeper Security, emphasizes that edge devices still offer attackers “consistent access with less operational risk than exploiting vulnerabilities.” Once compromised, attackers frequently rely on credential replay, not malware, to move laterally and expand their foothold.
For OT-adjacent operations, this is a dangerous combination: persistent access, limited visibility, and the ability to impersonate legitimate users.
Experts stress that the defensive basics — long championed but inconsistently implemented — are now essential for countering state-sponsored threats.
Routine audits of edge devices. Security teams need to evaluate routers, VPNs, firewalls, and cloud edge services just as rigorously as they audit core infrastructure.
Eliminating exposed management interfaces. These remain among the most common misconfigurations and among the easiest for attackers to exploit undetected.
Continuous monitoring of authentication and administrative activity. Barney notes that early detection often depends on identifying “unexpected administrative activity and anomalous authentication behavior”—especially when privileged access spans cloud and on-premises environments.
Controls to mitigate credential replay. This includes correlating authentication events, restricting credential reuse, and reviewing any unusual access across services.
Regular review of indicators of compromise (IOCs). State-linked groups regularly reuse infrastructure or tooling. Keeping IOC monitoring current is a key part of defending against active campaigns.
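The correlation step behind the third and fourth recommendations, as an added example that is not part of the original article: it reads constructed authentication events (the log format, identities, service names and IP addresses are all assumptions) and flags an identity whose successful logins reach several services from more than one source address within a short window, the pattern replayed credentials leave when an on-premises foothold is used to reach cloud and management planes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Format:
# <timestamp> <service> <user> <source_ip> <result>
# admin.svc is seen on the on-prem VPN and, minutes later, on the cloud IAM
# console and the firewall management plane from a different source address.
SAMPLE_EVENTS = [
    "2025-09-03T08:00:12Z vpn-edge-01 admin.svc 203.0.113.10 success",
    "2025-09-03T08:04:40Z cloud-iam admin.svc 198.51.100.77 success",
    "2025-09-03T08:05:02Z fw-mgmt admin.svc 198.51.100.77 success",
    "2025-09-03T09:30:00Z vpn-edge-01 j.doe 203.0.113.10 success",
    "2025-09-03T09:31:00Z cloud-iam j.doe 203.0.113.10 success",
]

def parse_event(line):
    ts, service, user, src_ip, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service, "user": user, "src_ip": src_ip, "result": result}

def find_replay_candidates(lines, window=timedelta(minutes=15)):
    """Flag identities whose successful logins reach more than one service from
    more than one source IP inside `window`. That is what replayed credentials
    look like when an edge-device foothold is used to reach cloud services;
    it is a triage lead, not proof of compromise."""
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            services = {e["service"] for e in cluster}
            src_ips = {e["src_ip"] for e in cluster}
            if len(services) > 1 and len(src_ips) > 1:
                findings.append({"user": user, "start": first["ts"].isoformat(),
                                 "services": sorted(services),
                                 "src_ips": sorted(src_ips)})
                break  # one finding per identity is enough to open a ticket
    return findings

if __name__ == "__main__":
    for finding in find_replay_candidates(SAMPLE_EVENTS):
        print(f"replay candidate: {finding}")
```

In a real deployment the same five fields would be normalized out of VPN, firewall and cloud identity audit logs, and the window and service set tuned against a baseline of known administrative workflows.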
In this threat landscape, configuration management and identity hygiene are no longer “foundational tasks.” They are frontline defenses against nation-state operations.
Russia’s Sandworm operators have long been synonymous with high-impact, high-complexity cyberattacks. However, their newly observed preference for misconfigurations over zero-day exploits signals a shift toward stealth, persistence, and operational efficiency—one that targets the weakest link in today’s distributed, cloud-connected infrastructure.
For defenders, the message is clear: misconfigurations are no longer small mistakes. They are strategic vulnerabilities being actively weaponized by some of the most capable adversaries in the world.