A Russian state-sponsored cyberespionage group has been targeting energy companies and critical infrastructure providers by exploiting misconfigurations in network-edge devices.

The group has been operating since at least 2021 and has exploited device misconfigurations before but also known vulnerabilities such as CVE-2022-26318 in WatchGuard Firebox and XTM appliances, CVE-2021-26084 and CVE-2023-22518 in Confluence or CVE-2023-2753 in Veeam Backup.

However, according to telemetry collected by Amazon Threat Intelligence, the group has heavily focused on targeting misconfigurations this year, pivoting away from zero-day or N-day vulnerabilities. The main targets have been enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms and cloud-based project management systems.

“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” the researchers found.

Links to Sandworm and Curly COMrades

According to Amazon’s telemetry, the group’s infrastructure has overlaps with Sandworm, a group also known as APT44 and Seashell Blizzard that’s associated with Russia’s military intelligence agency, the GRU. There are also overlaps with a group whose activity was documented in the past by security firm Bitdefender, under the name Curly COMrades.

However, these could be subgroups within the GRU that work together, with the one tracked by Amazon handling initial access and lateral movement and Curly COMrades handling the host persistence through its CurlyShell and CurlCat custom malware implants.

Amazon detected attacks against customer network edge appliances hosted on AWS EC2 instances with actor-controlled IP addresses achieving persistent connections that indicate interactive access to the compromised devices.

Credential harvesting

The researchers also observed credential replay attacks against victims’ other online services using stolen domain credentials following network edge device compromises. This indicates that the attackers are likely harvesting credentials by leveraging the traffic capturing and analysis capabilities of the compromised devices.

“Time gap between device compromise and authentication attempts against victim services suggests passive collection rather than active credential theft,” the researchers found.

Network traffic interception is consistent with Sandworm’s known tradecraft and the targeting of network edge devices specifically positions the attackers to intercept credentials in transit.

How critical infrastructure providers can defend against this threat

The group has a strong focus on the energy sector, with victims including electric utility companies, energy providers and even MSSPs with energy sector clients. However, it has also targeted technology and service cloud providers, as well as telecommunications companies across multiple regions.

The Amazon Threat Intelligence team advises organizations to audit their network edge devices for packet capture files or utilities that shouldn’t be present, to review their device configurations and isolate management interfaces, and implement multi-factor authentication.

Companies should also review authentication logs and monitor authentication attempts from unexpected geographic locations. Anomaly detection for authentication patterns should be implemented for all online services and the use of plain text protocols that could expose credentials in transit should be audited.

The Amazon report includes indicators of compromise associated with this attack campaign as well as security recommendations specific to AWS environments.

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.