Okay, here’s a draft article based on the provided text, incorporating the required ​E-A-T signals, components,⁤ and self-check ⁤criteria. I’ve aimed ⁤for Google⁤ News‍ friendliness and avoided anything that could ⁢be considered spammy.

“`html

GRU Hackers Target Western Critical Infrastructure,shift Tactics to Misconfiguration

The Amazon ‍Threat Intelligence team has disrupted ⁣active‌ operations attributed to hackers working for ‌the Russian foreign military intelligence agency,the GRU,who targeted customers’ cloud‍ infrastructure. This campaign, observed since⁤ 2021, demonstrates a concerning evolution in tactics, prioritizing access through⁤ misconfigured devices over‌ vulnerability exploitation.

Tactical Shift: From Vulnerabilities to misconfigurations

Initially, the threat actor focused on exploiting known and zero-day vulnerabilities in products like WatchGuard, Confluence, and Veeam. Though,in 2025,they⁢ increasingly targeted‍ misconfigured customer network edge devices. These include enterprise routers, VPN gateways, network management⁢ appliances, collaboration platforms, and cloud-based project management solutions.

CJ Moses,the⁤ CISO of⁢ Amazon integrated Security,explains that targeting these “low-hanging fruit” – devices with exposed management interfaces – achieves the same strategic⁣ goals: persistent access to critical‍ networks and credential⁢ harvesting. This shift represents a concerning evolution, as ​it requires fewer resources and less ⁢complex techniques⁣ than zero-day exploitation.

“The threat actor’s shift in operational tempo represents a concerning evolution: while customer ‌misconfiguration⁣ targeting has been‌ ongoing since at least 2022, the ⁢actor maintained sustained focus on this ‍activity in 2025 ​while reducing ⁣investment in zero-day and N-day exploitation,”⁤ Moses explains.

Credential Theft and Lateral Movement Remain Key ⁣Objectives

Despite the change‌ in tactics,‌ the hackers’ ultimate⁣ objectives remain consistent: stealing credentials and moving laterally within victim networks with minimal exposure. This suggests a highly focused and ‍disciplined operation.

Attribution: Linking to Sandworm and Curly COMrades

Amazon assesses with high confidence that the attacks were carried out by ‌hackers⁤ working for the ​Russian⁢ GRU, based on⁤ targeting patterns⁢ and overlaps in ⁣infrastructure⁢ with known Sandworm (APT44, Seashell Blizzard) and ⁤curly COMrades operations.

The Curly COMrades hackers,⁤ first reported by Bitdefender,may be tasked with reconnaissance and initial access,paving the way for more sophisticated attacks.