Amazon Sounds Alarm: Russian Cyberattack on AWS Ongoing for 5 Years, Energy and Infrastructure Sectors Targeted

The420 Correspondent

Global cloud computing giant Amazon Web Services (AWS) has officially confirmed a five-year-long Russian cyber espionage campaign targeting Western countries, marking one of the most sustained infrastructure-focused hacking operations disclosed in recent years. According to Amazon Threat Intelligence, the campaign is linked to the notorious “Sandworm” hacker group, widely believed to operate under Russia’s military intelligence agency, the GRU, and has been active since at least 2021.

CJ Moses, Chief Information Security Officer of Amazon Integrated Security and a former technical lead in the FBI's Cyber Division, said the operation represents a shift in modern cyber warfare tactics. Unlike traditional attacks, the campaign did not rely on exploiting newly discovered software vulnerabilities or zero-day flaws. Instead, the attackers gained access through poorly configured network edge devices at customer sites, sidestepping defences that were otherwise sound.

Attack Through the ‘Open Window’

Moses explained that the attackers deliberately targeted systems where management interfaces were exposed or access controls were overly permissive. As a result, even fully patched and updated environments were compromised—not because of software weaknesses, but due to human and configuration errors.


Cybersecurity expert Chrissa Constantine, senior solution architect at Black Duck, warned that such attacks are particularly dangerous. They closely resemble legitimate administrative activity, making detection and attribution significantly more difficult. This allows threat actors to remain embedded in victim networks for extended periods without raising alarms.

Energy Sector at the Center of the Campaign

According to the Amazon report, the Russian cyber operation primarily focused on critical infrastructure, with the energy sector in North America and Europe emerging as a key target. Amazon’s telemetry data revealed coordinated compromises of infrastructure hosted on AWS, with attackers moving laterally across systems after initial access was established.

Security analysts believe the campaign reflects a broader strategic intent to map, monitor, and potentially disrupt essential services during periods of geopolitical tension.

Parallel Threat From North Korea

Alongside the Russian activity, Amazon has also issued warnings about large-scale cyber operations linked to North Korea (DPRK). Amazon Chief Security Officer Steve Schmidt confirmed that DPRK-linked operatives have increasingly attempted to infiltrate global tech companies by applying for remote IT jobs using stolen or fabricated identities.

Since April 2024, Amazon has blocked more than 1,800 suspected North Korean operatives from joining the company. Schmidt also noted a 27% quarter-on-quarter increase in such applications during 2025. Investigations revealed the use of U.S.-based “laptop farms,” where devices are physically located domestically while being remotely operated from abroad to evade detection.

Crypto-Mining Through Compromised AWS Accounts

In a separate but related disclosure, Amazon confirmed an ongoing crypto-mining campaign exploiting compromised AWS accounts. According to AWS GuardDuty engineers, attackers used stolen Identity and Access Management (IAM) credentials with elevated privileges to deploy cryptocurrency mining workloads across EC2 and ECS environments.

Once access was obtained, the attackers needed less than 10 minutes to deploy mining workloads at scale. They also altered the EC2 API termination-protection setting on the instances they launched, which complicated automated remediation (whose usual response is to terminate the offending instances) and prolonged their persistence within affected accounts.
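The two behaviours described above, a credential's first use followed within minutes by bulk compute launches and a change to the termination-protection attribute, are both visible in CloudTrail. The following detection routine is an added example, not GuardDuty's logic or any Amazon code; the events are constructed to mimic CloudTrail fields (eventTime, eventName, userIdentity.accessKeyId, sourceIPAddress, requestParameters), and the 10-minute window and launch threshold are assumptions a practitioner would tune.

```python
"""Flag the 'mining in under ten minutes' pattern in CloudTrail-style events.

Added example, not GuardDuty's detection logic. Field names mirror CloudTrail;
the window and threshold are assumptions, not published GuardDuty values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Launch-type API calls and the request field that says how many units they start.
LAUNCH_COUNT_FIELD = {"RunInstances": "maxCount", "RunTask": "count"}

# Constructed sample events (not real telemetry). The key ending in STOLEN is first
# seen at 10:00 and has launched 50 compute units by 10:03; the ADMIN key is normal use.
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-03T09:30:00Z", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000ADMIN"}, "sourceIPAddress": "198.51.100.5",
     "requestParameters": {"instanceType": "t3.small", "maxCount": 1}},
    {"eventTime": "2025-11-03T10:00:12Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000STOLEN"}, "sourceIPAddress": "203.0.113.77",
     "requestParameters": None},
    {"eventTime": "2025-11-03T10:01:05Z", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000STOLEN"}, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"instanceType": "c5.24xlarge", "maxCount": 20}},
    {"eventTime": "2025-11-03T10:02:40Z", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000STOLEN"}, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"instanceType": "c5.24xlarge", "maxCount": 20}},
    {"eventTime": "2025-11-03T10:03:10Z", "eventName": "RunTask",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000STOLEN"}, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"cluster": "prod", "count": 10}},
    {"eventTime": "2025-11-03T10:04:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000STOLEN"}, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-03T11:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000ADMIN"}, "sourceIPAddress": "198.51.100.5",
     "requestParameters": None},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=10), min_launched=10):
    """Return findings per access key: burst launches and termination-protection changes."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")].append(ev)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        first_seen = _ts(evs[0])          # first activity of this key in the log slice
        launched, calls, last_launch, ips = 0, 0, None, set()
        for ev in evs:
            params = ev.get("requestParameters") or {}
            ips.add(ev.get("sourceIPAddress"))
            name = ev["eventName"]
            if name in LAUNCH_COUNT_FIELD and _ts(ev) - first_seen <= window:
                launched += int(params.get(LAUNCH_COUNT_FIELD[name], 1))
                calls += 1
                last_launch = _ts(ev)
            # Any change to disableApiTermination deserves a look: when set, it blocks
            # TerminateInstances, which is exactly what an automated cleanup would call.
            if name == "ModifyInstanceAttribute" and "disableApiTermination" in params:
                findings.append({"type": "termination_protection_change", "accessKeyId": key,
                                 "instanceId": params.get("instanceId"),
                                 "value": params["disableApiTermination"].get("value")})
        if launched >= min_launched:
            findings.append({"type": "burst_launch", "accessKeyId": key, "launched": launched,
                             "calls": calls, "source_ips": sorted(ips),
                             "minutes_after_first_use":
                                 (last_launch - first_seen).total_seconds() / 60})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On real data the "first seen" baseline should come from the key's history rather than from the slice being scanned, otherwise a long-lived admin key looks new every time the query window starts; the constructed sample sidesteps that by including the admin key's earlier activity.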

Amazon’s Warning for 2026

Amazon has urged organizations to take immediate action ahead of 2026, emphasizing that misconfiguration—not software flaws—has become the primary attack vector. Recommended measures include comprehensive network edge device audits, strict multi-factor authentication, enforcement of least-privilege IAM policies, and continuous access and credential monitoring.
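Two of those recommended checks, an edge-exposure audit (the exposed management interfaces described under "Attack Through the 'Open Window'") and a least-privilege and MFA review of IAM policies, can be scripted against account data. The audit below is an added example, not Amazon's tooling; its inputs are constructed to resemble `aws ec2 describe-security-groups` output and IAM policy documents, and the management-port list and privileged-action prefixes are assumptions a practitioner would tune.

```python
"""Audit for the two misconfigurations the article blames: management ports open
to the world, and IAM Allow statements that grant broad rights with no MFA condition.

Added example, not Amazon's tooling. Sample inputs are constructed; MGMT_PORTS and
PRIVILEGED_PREFIXES are assumed lists to be tuned per environment.
"""

# Ports commonly used to manage edge devices and instances (assumed list).
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 3389: "rdp", 5900: "vnc", 8443: "https-admin"}
WORLD = {"0.0.0.0/0", "::/0"}
# Action prefixes that should never be granted without MFA (assumed list).
PRIVILEGED_PREFIXES = ("iam:", "ec2:RunInstances", "ecs:RunTask", "sts:AssumeRole")

# Constructed sample security groups (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0edgeexposed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0hardened", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

# Constructed policies: the weak statement beside its least-privilege, MFA-gated form.
# (Resource ARNs for RunInstances are abbreviated for the example.)
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:DescribeInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def audit_security_groups(groups):
    """Return one finding per management port reachable from any address."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_to_world = sorted(c for c in cidrs if c in WORLD)
            if not open_to_world:
                continue
            if perm.get("IpProtocol") == "-1":      # all protocols and ports
                ports = dict(MGMT_PORTS)
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
                ports = {p: n for p, n in MGMT_PORTS.items() if lo <= p <= hi}
            for port, service in sorted(ports.items()):
                findings.append({"group": g["GroupId"], "port": port,
                                 "service": service, "sources": open_to_world})
    return findings


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _has_mfa_condition(statement):
    # Any operator block (Bool, BoolIfExists, ...) keyed on the MFA context key counts.
    return any("aws:MultiFactorAuthPresent" in keys
               for keys in statement.get("Condition", {}).values())


def audit_policy(name, doc):
    """Return issue strings for the Allow statements of one IAM policy document."""
    issues = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            issues.append(f"{name}[{i}]: wildcard action on all resources (admin-equivalent)")
        if any(a == "*" or a.startswith(PRIVILEGED_PREFIXES) for a in actions) \
                and not _has_mfa_condition(st):
            issues.append(f"{name}[{i}]: privileged action without aws:MultiFactorAuthPresent")
    return issues


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f)
    for policy_name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(policy_name, audit_policy(policy_name, doc) or "ok")
```

Port 443 open to the world on `sg-0hardened` is deliberately not flagged: a public HTTPS service is normal, and the check is aimed at management planes, which is why admin UIs on 8443 are in the list and ordinary web traffic is not.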

Moses summarized the risk succinctly:
“Patching alone is no longer enough. A single misconfigured system can undermine even the most secure environment.”

Amazon’s message is unambiguous—unless security configurations are tightened now, 2026 could mark a dangerous escalation in cyber threats targeting global infrastructure.
