Russia’s GRU Target ‘Low-Hanging Fruit’ in 5-Year Cyberattack, Amazon Reports

Critical infrastructure is under fire, but the real lesson is the reminder to beef up your own digital hygiene

Most of you probably know by now that Amazon is more than an e-commerce store and streaming platform. Amazon also has its own cloud computing platform, AWS (Amazon Web Services), which offers a wide range of services, from simple websites for individuals to hosting databases, storage, and computing power for global enterprises. Its pay-as-you-go model allows customers to only pay for the resources they consume, with the added benefit of not having to manage their own physical IT infrastructure.

Last year, AWS brought in nearly $108 billion. In the third quarter of 2025, it generated $33 billion in revenue. The service is trusted by some of the most recognizable companies across both the private and public sectors. To name a few, some businesses relying on AWS include streaming giants Netflix and Disney, Zoom, Capital One, Goldman Sachs, Visa, Starbucks, Pfizer, Adidas, BMW, Toyota, and General Motors. Then there are public-sector clients like NASA and the Department of Defense.

As you can imagine, these clients also rely on AWS for keeping their websites, databases, and customer information secure. Amazon’s Threat Intelligence team recently published a report detailing a five-year-long Russian state-sponsored cyberattack. With “high confidence,” Amazon believes the activity is associated with Russia’s Main Intelligence Directorate (GRU). However, the attackers didn’t exploit a weakness of AWS. Instead, the hackers targeted misconfigured devices like routers, VPN concentrators, and cloud-based management systems of Amazon’s clients.

Amazon called these misconfigured customer devices exposing management interfaces “low-hanging fruit,” stating they allowed the bad actors to achieve their strategic objectives, which are access to critical infrastructure and credential harvesting.

Here’s the scary part. While these attacks were distributed across North America, Europe, and the Middle East, the objectives were the same — to control and potentially disrupt the power grid. Russia is focusing on electric utility organizations, energy providers, managed security services specializing in energy-sector clients, the energy-sector supply chain, and direct and third-party service providers with access to critical infrastructure networks. Amazon is doing all it can to mitigate this ongoing threat.

“Through coordinated efforts, since our discovery of this activity, we have disrupted active threat actor operations and reduced the attack surface available to this threat activity subcluster. We will continue working with the security community to share intelligence and collectively defend against state-sponsored threats targeting critical infrastructure.”

Amazon also offers guidance to help organizations proactively monitor for and detect this activity, as well as guidance on how to audit their devices. While state-sponsored attacks on energy grids are in an entirely different league from scammers and identity thieves targeting your mobile device, this story should still serve as a reminder to practice good digital hygiene. Take some time to beef up your iPhone security and privacy practices, and ensure you know how to recognize the signs that your devices are being targeted or have been compromised. Stay safe and spread the word.
