Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Home Cyber Security Amazon Links Five-Year Cloud Cyber Campaign to Russia’s Sandworm Group
Amazon Cloud Cloud Defense Cloud Device Cyber Campaigns Cyber Security GRU Hacking Attack Hacking Group

Amazon Links Five-Year Cloud Cyber Campaign to Russia’s Sandworm Group

Amazon has traced a five-year cyber campaign abusing misconfigured cloud-connected devices to Sandworm, a hacking group linked to Russia’s GRU.
January 02, 2026

 

Amazon is talking about a hacking problem that has been going on for a long time. This problem was targeting customers who use cloud services in countries. Amazon says that a group called Sandworm, which is linked to Russias intelligence is behind this hacking. Amazons team that looks at threats found out that this hacking has been happening for five years. The hackers were looking for weaknesses in how customers set up their devices than trying to find problems with the software. They were exploiting these weaknesses to get into customer environments. 

Amazon and the customers were using cloud services. The hackers were targeting these cloud-connected environments. The hacking group Sandworm is the one that Amazon says is responsible, for this activity. The people at Amazon looked at this problem in December. Amazons chief information security officer, CJ Moses said that this is a change in how some groups try to get into important systems. CJ Moses said that these groups are not trying to get in by using software that has not been updated. 

Instead they are looking at devices that are connected to the cloud and are not set up correctly. These devices are how they get into the organizations they are trying to attack. CJ Moses and the people, at Amazon think that this is a way that state-sponsored actors are trying to get into critical infrastructure. The devices that are connected to the cloud are the way that these actors get into the systems they are trying to attack. 

The cyberattacks were different from others. The systems that were compromised were not old or missing security updates. The people who did the attack found problems with the equipment that helps connect things, like gateways and devices that sit at the edge of networks. These devices had been set up incorrectly by the customers who used them. This equipment is usually between the networks of a company and the cloud services they use outside. 

So it gave the attackers a way to get into the rest of the system without needing to find brand weaknesses or use very complicated bad software at the start. The attackers used these edge devices as a kind of bridge to get into the system. They were able to do this because the devices were not set up correctly by the customers. The cyberattacks were able to happen because of this mistake. It made it easier for the attackers to get into the system. The compromised systems, including the routing equipment and gateways were the key, to the attack. 

The bad people got into the system. They were able to get important information like passwords. Then they were able to move to different cloud services and the internal system. Amazon looked at this. They think that the bad people were able to hide what they were doing by making it look like normal activity on the network. This made it harder to catch them. The bad people used passwords and normal paths, on the network so they did not trip any alarms. This meant that the security people did not notice them because they were not doing anything that seemed out of the ordinary. 

The Sandworm activity was seen times over a few years with signs of it going back to at least 2021. The people behind this campaign were going after targets all around the world. They were especially interested in organizations that do important work like those that deal with critical infrastructure. Amazon found out that the people behind the Sandworm activity were really focused on energy companies, in North America and Europe. This shows that the Sandworm activity was a thoughtful and planned operation and that is what makes it so serious the Sandworm activity is a big deal. 

Security specialists looked at the results. They think this is part of a bigger pattern with advanced threat actors. What is happening is that people are taking advantage of mistakes in how thingsre set up rather than looking for things that need to be updated. As organizations start to use hybrid and cloud-based systems this is becoming a bigger problem. Even people who are very good at IT can miss mistakes in how thingsre set up and this can leave them open, to attacks all the time. Security specialists and these advanced threat actors know that they can take advantage of these mistakes without setting off the warnings that something is wrong. 

Advanced threat actors are using these mistakes to get in. Amazons disclosure is a warning that having cloud security is not just about doing the usual updates. Companies that use cloud and hybrid environments for work need to do more. They need to make sure everything is set up correctly always check for problems with devices that are connected to the internet and limit who can get into the system. These things are very important, for security. Amazons cloud security is an example of this. Cloud security requires a lot of work to keep it safe. 

In a separate disclosure, Amazon also acknowledged detecting attempts by North Korean operators to conduct large-scale cyber activity, though this was unrelated to the Sandworm campaign. The company later clarified that the Russian-linked operation targeted customer-managed devices hosted on AWS rather than Amazon’s own infrastructure, and that the activity represented sustained targeting over several years rather than uninterrupted access.
Tags: Amazon Cloud Cloud Defense Cloud Device Cyber Campaigns Cyber Security GRU Hacking Attack Hacking Group
Share it:

Amazon

Cloud

Cloud Defense

Cloud Device

Cyber Campaigns

Cyber Security

GRU

Hacking Attack

Hacking Group