The Persistent Shadow: Amazon Confirms Five-Year Russian Campaign and Unveils Strategic Countermeasures for 2026

The digital defense landscape has been significantly recalibrated following a stark confirmation from Amazon Threat Intelligence: a sophisticated, state-sponsored cyber campaign linked to Russia’s GRU, specifically the Sandworm actor, has been actively targeting Western critical infrastructure for a full five years, from 2021 through December 2025. This campaign, which focused heavily on energy sector organizations across North America and Europe, represents what Amazon security leadership terms a “significant evolution in critical infrastructure targeting”. The primary tactical pivot, observed decisively in 2025, shifted away from the high-risk, high-exposure exploitation of zero-day vulnerabilities toward the weaponization of misconfigured customer network edge devices, the digital equivalent of leaving a back door unlocked.
This evolving threat necessitates an immediate and sustained recalibration of defense strategies. As the industry transitions into the new operational year, the guidance issued by security leadership is not merely a set of patches, but a comprehensive strategic mandate to fundamentally restructure how organizations manage their network perimeters. The core challenge, as identified by Amazon’s analysis, is not an intrinsic weakness in the cloud provider’s infrastructure, but rather the pervasive “low-hanging fruit” presented by customer-side device misconfigurations, which enabled this long-running, patient campaign.
Immediate Remediation: Addressing Low-Hanging Fruit Today
In direct response to the detailed findings regarding the Russian-linked Sandworm activity, security leadership from the provider issued a set of concrete, immediate remediation actions for all customers utilizing external-facing network devices connected to their cloud environments. These recommendations serve as an essential guide for mitigating the identified “low-hanging fruit” risks that attackers have so effectively exploited. The recommended actions are multi-faceted, requiring both administrative rigor and technical diligence.
Concrete Actions for Current Mitigation
Organizations must execute the following steps with expediency to close immediate access vectors:
- Network Edge Device Audit: The process begins with a comprehensive audit to ensure every single device residing at the perimeter is accounted for and that its continued function is absolutely necessary for business operations. This exercise is foundational to minimizing the known attack surface.
- Credential Replay Detection: Organizations are strongly urged to implement robust Credential Replay Detection mechanisms. The persistence of the Sandworm-linked activity confirms that stolen credentials, often harvested passively, will invariably be reused across multiple services, demanding proactive checks for this lateral movement technique.
- Granular Access Monitoring: Continuous, granular Access Monitoring is paramount. This involves heightened scrutiny of all administrative access, especially to network devices and cloud control planes, to spot anomalous logins or session activity.
- Indicators of Compromise (IoC) Review: A disciplined review of all internal Indicators of Compromise feeds is necessary to spot lingering signs of the identified tradecraft, ensuring any sleeper cells or established persistence mechanisms are rooted out.
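The three detection-oriented actions above (credential replay detection, granular access monitoring and IoC review) can be exercised against ordinary authentication logs. The following script is an added illustration written for this article, not code from Amazon or CISA; the key=value log format, the service names, the management subnet 198.51.100.0/24, the source addresses and the single-entry IoC list are all constructed for the example.

```python
"""Credential-replay, anomalous admin-access and IoC checks over authentication
log lines.  Added illustration; not Amazon's or CISA's code.  The log format,
the service names, the addresses and the IoC list are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log: one authentication record per line.
SAMPLE_LOG = """\
2025-12-03T10:15:02Z service=vpn user=netadmin src=198.51.100.7 result=success
2025-12-03T10:16:40Z service=firewall-mgmt user=netadmin src=198.51.100.7 result=success
2025-12-03T10:21:09Z service=vpn user=netadmin src=203.0.113.45 result=success
2025-12-03T10:22:51Z service=cloud-console user=netadmin src=203.0.113.45 result=success
2025-12-03T10:30:00Z service=router-ssh user=ops src=198.51.100.9 result=success
2025-12-03T11:05:13Z service=router-ssh user=ops src=192.0.2.200 result=failure
2025-12-03T11:40:22Z service=vpn user=alice src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$")

# Constructed policy: where administrative logins are expected to come from
# (the jump-box subnet), which services are administrative, and a constructed
# IoC list such as a defender would receive from a threat-intel feed.
MGMT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
ADMIN_SERVICES = {"firewall-mgmt", "router-ssh", "cloud-console"}
IOC_ADDRESSES = {ipaddress.ip_address("192.0.2.200")}


def parse_log(text):
    """Parse key=value lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["src"] = ipaddress.ip_address(d["src"])
        events.append(d)
    return events


def detect_credential_replay(events, window=timedelta(minutes=15), min_sources=2):
    """Flag a user whose credential succeeded from at least `min_sources`
    distinct addresses inside `window`: one credential reused across services
    from different networks is the replay pattern the article describes."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            sources = {first["src"]}
            services = {first["service"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                sources.add(later["src"])
                services.add(later["service"])
            if len(sources) >= min_sources:
                findings.append({"user": user,
                                 "sources": sorted(map(str, sources)),
                                 "services": sorted(services)})
                break  # one finding per user is enough for triage
    return findings


def detect_anomalous_admin_access(events):
    """Any attempt (success or failure) on an administrative service from an
    address outside the management networks."""
    return [{"user": e["user"], "service": e["service"], "src": str(e["src"])}
            for e in events
            if e["service"] in ADMIN_SERVICES
            and not any(e["src"] in net for net in MGMT_NETWORKS)]


def match_iocs(events):
    """Source addresses in the log that appear on the IoC list."""
    return sorted({str(e["src"]) for e in events if e["src"] in IOC_ADDRESSES})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential replay:", detect_credential_replay(evs))
    print("admin access outside mgmt nets:", detect_anomalous_admin_access(evs))
    print("IoC hits:", match_iocs(evs))
```

On the constructed log the replay check flags `netadmin`, whose credential succeeded against three services from two networks within eight minutes; the access-monitoring check flags the cloud-console login from outside the jump-box subnet and the failed router-ssh attempt, and the IoC check matches the latter's source address. In practice the window, the source threshold and the management subnets are the settings to tune to the environment.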
Essential Steps for Hardening Customer Network Edges in the Coming Year
Looking toward the new year—2026—and beyond, the broader takeaway is that organizations must fundamentally restructure their approach to managing network edges, recognizing that the nation-state threat, exemplified by the GRU-linked campaign, will persist and evolve, potentially shifting focus to operational technology (OT) control systems as seen in recent CISA advisories. The advice centers on foundational security hygiene elevated to a non-negotiable strategic priority. As of late 2025, the increasing sophistication of nation-state actors underscores the need to move beyond reactive security measures.
Strategic Mandates for Foundational Security
The following mandates represent the strategic commitment required to counter patient, well-funded campaigns:
- Catalog and Lock Down All Devices That Connect to the Internet: Organizations must aggressively catalog and lock down every internet-connected device, eliminating any unknown, forgotten, or shadow IT assets that might present an unmonitored edge vulnerability. This aligns with Device Lifecycle Management (DLM) best practices for 2025, which stress real-time asset visibility and inventory tracking to prevent unpatched or unmanaged devices from lingering on the network.
- Turn Off Public-Facing Management Interfaces: A crucial mandate is to immediately turn off public-facing management interfaces wherever possible. Administrative access must be pushed into secured, internal jump boxes or via strong, managed VPN connections only. The pivot by Sandworm away from complex exploits to simple, exposed interfaces proves the efficacy of this lockdown measure. CISA has similarly urged asset owners to reduce the exposure of OT assets to the public-facing Internet.
- Rely on Strong Authentication: Industry-wide commitment must center on moving beyond simple passwords to mandatory, multi-factor authentication across all access points. In 2025, while overall workforce MFA adoption has reached 70%, the emphasis is rapidly shifting toward phishing-resistant, passwordless methods, which grew by 63% in one year, indicating that traditional MFA alone is no longer sufficient against determined actors. Strong authentication is positioned as a critical defense against credential harvesting, a core tactic of the confirmed five-year campaign.
- Perpetually Keep Firmware and Software Up to Date: The commitment to keeping firmware and software up to date must be constant—not just for servers, but for every piece of network gear bridging internal networks to the outside world. Device Lifecycle Management (DLM) guides for 2025 highlight that regular security patch management and firmware updates are vital to address emerging vulnerabilities throughout the operational lifecycle, systematically removing the residual low-hanging fruit from the global landscape.
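The four mandates translate directly into checks that can be run over a perimeter device inventory. The script below is an added example for this article, not tooling from Amazon, CISA or any vendor; the inventory records, the vendor names and "current firmware" table, the jump-box subnet 198.51.100.0/24, the management port list and the set of phishing-resistant authentication methods are all constructed assumptions. It also shows, for a device with a publicly reachable management interface, what the corrected rule set looks like beside the weak one.

```python
"""Audit an internet-facing device inventory against four mandates: catalogued
with an owner, no public management interface, phishing-resistant
authentication, and current firmware.  Added illustration; not Amazon's or
CISA's tooling.  All records, vendors, versions and subnets are constructed."""
import ipaddress

# Constructed inventory: one record per perimeter device.  A real inventory
# would be exported from a CMDB, a cloud asset API or a discovery tool.
INVENTORY = [
    {"name": "edge-fw-01", "vendor": "acme-fw", "firmware": "7.2.3",
     "owner": "netops", "justification": "site-to-site VPN terminator",
     "auth": "fido2",
     "mgmt_rules": [{"port": 443, "source": "198.51.100.0/24"}]},
    {"name": "branch-rtr-7", "vendor": "acme-rtr", "firmware": "3.9.0",
     "owner": "", "justification": "", "auth": "password",
     "mgmt_rules": [{"port": 22, "source": "0.0.0.0/0"},
                    {"port": 443, "source": "0.0.0.0/0"}]},
    {"name": "lab-vpn-2", "vendor": "acme-fw", "firmware": "7.2.3",
     "owner": "lab", "justification": "legacy lab access", "auth": "totp",
     "mgmt_rules": [{"port": 8443, "source": "::/0"}]},
]

# Constructed vendor-current firmware releases (hypothetical vendors).
CURRENT_FIRMWARE = {"acme-fw": "7.2.3", "acme-rtr": "4.1.2"}
# Ports that expose a management plane: SSH, telnet, SNMP, HTTPS admin, alt HTTPS.
MANAGEMENT_PORTS = {22, 23, 161, 443, 8443}
# Only the constructed jump-box subnet may reach a management interface.
ALLOWED_MGMT_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
PHISHING_RESISTANT_AUTH = {"fido2", "passkey", "smartcard"}


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def rule_is_public(rule):
    """True when a management port is reachable from a source that is not
    contained in one of the allowed networks (any IPv6 source counts as public
    here because the allowed list is IPv4-only)."""
    if rule["port"] not in MANAGEMENT_PORTS:
        return False
    src = ipaddress.ip_network(rule["source"])
    return not any(src.version == allowed.version and src.subnet_of(allowed)
                   for allowed in ALLOWED_MGMT_SOURCES)


def audit_device(dev):
    findings = []
    # Mandate 1: catalogued, with an owner and a reason to exist.
    if not dev["owner"] or not dev["justification"]:
        findings.append("uncatalogued: missing owner or business justification")
    # Mandate 2: no management interface reachable from outside the jump-box subnet.
    for rule in dev["mgmt_rules"]:
        if rule_is_public(rule):
            findings.append(f"public management interface: port {rule['port']} "
                            f"from {rule['source']}")
    # Mandate 3: phishing-resistant authentication for administrators.
    if dev["auth"] not in PHISHING_RESISTANT_AUTH:
        findings.append(f"weak authentication: {dev['auth']} is not phishing-resistant")
    # Mandate 4: firmware at the vendor's current release (unknown vendor = finding).
    current = CURRENT_FIRMWARE.get(dev["vendor"])
    if current is None or version_tuple(dev["firmware"]) < version_tuple(current):
        findings.append(f"outdated firmware: {dev['firmware']} (current {current})")
    return findings


def audit_inventory(inventory):
    return {dev["name"]: audit_device(dev) for dev in inventory}


def hardened_rules(dev):
    """The corrected rule set for a device: every management port restricted to
    the jump-box subnet.  The device's own mgmt_rules are the weak 'before'."""
    return [{"port": rule["port"], "source": str(ALLOWED_MGMT_SOURCES[0])}
            for rule in dev["mgmt_rules"] if rule["port"] in MANAGEMENT_PORTS]


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", findings or ["compliant"])
    print("hardened rules for branch-rtr-7:", hardened_rules(INVENTORY[1]))
```

On the constructed inventory `edge-fw-01` passes all four checks, `branch-rtr-7` fails every one (no owner, two management ports open to the world, password-only administration, firmware behind the vendor release), and `lab-vpn-2` is caught on its IPv6-wide management rule and its TOTP-only authentication, which illustrates the article's point that conventional MFA is no longer treated as sufficient.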
Beyond the Perimeter: Strategic Resilience in a Geopolitical Context
The confirmation of the Sandworm campaign is not an isolated event; it is a data point within a broader, escalating geopolitical reality. As of late 2025, CISA and partner agencies continue to report that nation-state actors are actively pre-positioning themselves across critical infrastructure sectors, including energy, communications, and water systems, with the intent of achieving lateral movement to operational technology (OT) assets. This makes the hardening of network edges—which bridge the IT and OT environments—an act of national security as much as corporate IT hygiene.
The Evolution of Nation-State Tradecraft
The five-year campaign’s evolution reveals a calculated patience. Early tactics relied on exploiting known flaws in products such as WatchGuard firewalls or Atlassian Confluence; however, by 2025, the focus was overwhelmingly on abusing misconfigurations of edge devices, which offered a lower operational risk while achieving the same goal: credential harvesting and lateral movement. This adaptation forces a strategic response focused on resilience and visibility.
- Resilience Planning: Critical infrastructure providers must ensure they have comprehensive business-recovery and disaster-recovery plans in place, as a successful breach into OT systems, even via a misconfigured IT edge device, could have devastating physical consequences.
- Visibility and Dependency Mapping: Organizations must identify critical assets and map their dependencies on technology, vendors, and supply chains. CISA’s strategic guidance emphasizes expanding visibility into internationally shared systemic risks, acknowledging that infrastructure security extends across geopolitical boundaries.
- Shifting to Secure-by-Design: The industry must transition toward the CISA objective of advancing the cyberspace ecosystem to drive security-by-default, ensuring that future network devices are not only up-to-date upon deployment but architected with secure configurations baked in.
This sustained commitment, as the provider stressed, is the only effective path to countering the persistent, patient, and well-funded campaigns executed by nation-state actors. For organizations operating within or adjacent to critical sectors, the lessons from this five-year operation must translate into an immediate, top-down prioritization of perimeter hygiene and identity assurance throughout 2026 and beyond.