For years, elite state-backed hackers have been defined by their exploits. Zero-days were the calling card—rare bugs, complex chains, techniques that only a handful of teams could pull off. That image still dominates how many defenders think about top-tier threats.
Amazon’s latest threat intelligence challenges that assumption. According to AWS, Russian state-sponsored attackers tied to Sandworm are increasingly gaining access through misconfigured network edge devices, exposed management interfaces, and cloud environments with overly permissive settings. These attackers haven’t lost the ability to exploit software; they’ve simply chosen to use it less often. If misconfigurations get them in quietly and with little risk, there’s no reason to burn a valuable exploit.
From Exploits to Misconfigurations
Earlier campaigns tied to the group show it had no trouble exploiting complex vulnerabilities when it suited its goals. Amazon observed successful exploitation between 2021 and 2025 of widely used enterprise platforms, including WatchGuard firewalls, Atlassian Confluence servers, and Veeam backup systems—technology that sits deep inside networks and is often trusted by default.
These operations reflected patience as much as technical skill. Access was maintained over time and used to harvest credentials, map environments, and move laterally rather than trigger immediate disruption.
By 2025, Amazon observed a change in how the group gained access. Exploit activity declined, and attempts to abuse known vulnerabilities became less common. What replaced them was a consistent focus on misconfigured network edge devices.
The targets were familiar: routers, VPN appliances, firewalls, and cloud-hosted gateways with management interfaces left exposed or access controls set too loosely. These systems sit at the edges of modern environments, often connecting corporate IT to operational networks or remote users. They’re essential, widely deployed, and easy to overlook once they’re working.
“Rather than signaling diminished capability, the move away from zero-day exploits toward exploiting weak configurations and credentials in VPNs, routers, and cloud or hybrid environments is deliberate,” said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck. “Misconfiguration abuse blends seamlessly with legitimate administrative activity, making detection and attribution significantly more challenging.”
Sandworm is one of Russia’s most aggressive state-backed hacking units, widely linked to the GRU, Russia’s military intelligence service. The group is best known for operations targeting energy providers, government agencies, and industrial operators, often balancing overt disruption with quieter, long-term access inside networks.
Amazon’s assessment rests on more than target selection. AWS observed the same cloud resources, network patterns, and tooling reused across multiple campaigns. That infrastructure overlaps with activity Bitdefender tracks as Curly COMrades, a separate cluster tied to Russian state-backed operations, pointing to shared operators or coordination rather than a one-off campaign.
Why Misconfigurations Are So Hard to Defend
Misconfigurations are a natural outcome of how modern environments are built and operated. Most organizations now run a mix of on-prem systems, cloud services, SaaS platforms, and network edge devices spread across locations. Responsibility is fragmented across teams. Network engineers manage one layer, cloud teams another, while vendors, integrators, and contractors touch the same infrastructure at different times for different reasons.
Many of these devices are managed by small teams under constant pressure to keep systems running while adapting to ongoing change. Over time, settings drift, temporary access intended for short-term use lingers, and remote management is opened for convenience and never fully closed. When attackers take advantage of that access, defenders are often left with little to respond to, because the activity moves through legitimate interfaces and leaves behind no exploit or malware to investigate.
The problem is compounded by the limits of traditional security tools. Vulnerability scanners are tuned to find known flaws; a fully patched device whose management interface faces the internet looks clean to them, because the exposure is a policy decision, not a CVE. Endpoint tools don’t live on routers or VPN appliances. SIEMs can only work with the logs they receive, assuming those logs exist and someone knows which patterns actually matter.
Abuse of misconfigurations also avoids the warning signs most security teams expect to see during an intrusion. There’s no exploit traffic, no malware beacon, and no obvious failure to investigate. From the outside, the activity often looks like routine administrative access by someone who belongs there.
That disconnect between how environments actually operate and how security is measured is what allows these weaknesses to persist and why they appeal to attackers.
Critical Infrastructure in the Crosshairs
Energy providers, utilities, and other infrastructure operators remain attractive targets because of how their environments are evolving. Many of these organizations are modernizing quickly, layering cloud services, remote access, and internet-connected edge devices onto systems that were never designed to face the outside world.
That transition creates friction. Legacy operational technology still prioritizes stability and uptime, while newer systems favor flexibility and connectivity. Network edge devices often sit between the two, bridging IT and operational environments in ways that make access easier but security harder to manage.
For state-backed actors, that combination is hard to ignore. A foothold at the network edge can provide visibility into both sides of the environment without the noise that usually accompanies exploit-based intrusions or malware deployment.
Amazon’s observations line up with long-standing interest in sectors where access carries geopolitical value. In these environments, access doesn’t have to be used immediately to be useful. It can be maintained quietly, mapped over time, and revisited as conditions change. Modernization doesn’t remove risk here so much as shift where it lives, and the attackers watching these sectors appear well aware of that.
What This Means for Defenders
Misconfigurations don’t show up on patch dashboards or vulnerability counts. They often sit outside compliance reports altogether. Yet they can provide the same level of access as an exploit, sometimes with fewer signs that anything is wrong.
Closing that blind spot starts with visibility. Organizations need a clearer picture of what network edge devices are deployed, where they’re exposed, and who has administrative access. Asset inventories that stop at endpoints and servers miss the systems attackers are increasingly using to get in.
Configuration review also has to be treated as an ongoing process rather than a one-time cleanup. That includes auditing edge devices, tightening management interfaces, and watching for drift as environments change. Identity matters here as well. Once access is gained, credential reuse and replay often allow attackers to move quietly through an environment.
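The audit-and-drift loop described above is simple enough to script. The following is an added example written for this article, not code from AWS, Amazon’s report, or any vendor: it takes rule records in a constructed, vendor-neutral shape (the kind you would build from a firewall export or the output of `aws ec2 describe-security-groups`), flags management ports reachable from more than a handful of addresses, and diffs the current pull against a reviewed baseline so drift surfaces on every run. The device names, port list, and `max_hosts` threshold are assumptions chosen for illustration.

```python
"""Audit edge-device / cloud access rules for exposed management planes and
flag configuration drift against a known-good baseline.

Added example for this article; it is not AWS code or anything taken from
the reported campaign. Rule records use a constructed, vendor-neutral shape.
"""
import ipaddress
from dataclasses import dataclass

# Ports that normally front a management plane. The list is an assumption
# and should be extended with each vendor's admin-UI and API ports.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 3389: "rdp", 8443: "https-admin"}


@dataclass(frozen=True, order=True)
class Rule:
    device: str    # hypothetical asset name from the inventory
    proto: str
    port: int
    source: str    # CIDR permitted to reach the port


def audit_exposure(rules, max_hosts=256):
    """Return management-port rules reachable from more than max_hosts
    addresses. A /0 (any source) is critical; other wide ranges are high."""
    findings = []
    for r in rules:
        if r.port not in MANAGEMENT_PORTS:
            continue
        net = ipaddress.ip_network(r.source, strict=False)
        if net.num_addresses <= max_hosts:
            continue
        findings.append({
            "device": r.device,
            "service": MANAGEMENT_PORTS[r.port],
            "port": r.port,
            "source": r.source,
            "severity": "critical" if net.prefixlen == 0 else "high",
        })
    return findings


def drift(baseline, current):
    """Rules present in the current pull but not in the reviewed baseline,
    and vice versa. Run this on every config pull, not once a year."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# Constructed snapshots. BASELINE was reviewed and approved; CURRENT shows the
# drift the article describes: SSH opened to the world "temporarily", a cloud
# gateway admin UI exposed to all of IPv6, and an SNMP ACL quietly removed.
BASELINE = [
    Rule("vpn-gw-01", "tcp", 443, "0.0.0.0/0"),       # user VPN portal, intended
    Rule("vpn-gw-01", "tcp", 22, "10.200.5.0/28"),    # admin from bastion subnet only
    Rule("core-fw", "udp", 161, "10.1.2.0/24"),       # SNMP from the NMS subnet
]
CURRENT = [
    Rule("vpn-gw-01", "tcp", 443, "0.0.0.0/0"),
    Rule("vpn-gw-01", "tcp", 22, "10.200.5.0/28"),
    Rule("edge-rtr-03", "tcp", 22, "0.0.0.0/0"),      # drift: world-reachable SSH
    Rule("cloud-gw-a", "tcp", 8443, "::/0"),          # drift: admin UI on any IPv6
    Rule("cloud-gw-a", "tcp", 8443, "192.0.2.0/23"),  # drift: "vendor range", too wide
]

if __name__ == "__main__":
    for f in audit_exposure(CURRENT):
        print(f"[{f['severity']}] {f['device']} {f['service']}/{f['port']} open to {f['source']}")
    changes = drift(BASELINE, CURRENT)
    for r in changes["added"]:
        print(f"ADDED   {r}")
    for r in changes["removed"]:
        print(f"REMOVED {r}")
```

The point of keeping the baseline as data rather than in someone’s head is that a removed rule (the SNMP ACL here) is reported with the same weight as an added one; scanners and patch dashboards report neither.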
This kind of activity calls for broader situational awareness, not just internal fixes. “Organizations should also routinely review Indicators of Compromise tied to known campaigns and infrastructure,” said Shane Barney, CISO at Keeper Security. “Network edge audits, credential replay detection, access monitoring, and IOC review form the practical baseline for defending against these operations, especially in environments where identity and access are the primary attack paths.”
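Credential replay detection and access monitoring, mentioned above as part of the baseline, come down to asking two questions of every successful management-plane login: did it come from an approved admin source, and has the same credential just been used from somewhere else? The following is an added example written for this article, not code from AWS or from either of the people quoted; the log line format, the admin subnets, the thirty-minute window, and the sample lines are all constructed for illustration.

```python
"""Detect credential reuse / replay against management interfaces from
authentication logs.

Added example for this article. The log format, the approved admin
networks, and the sample lines are constructed for illustration and are
not taken from the article, AWS, or any vendor.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approved admin sources (assumption: a bastion subnet and an NMS subnet).
ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.200.5.0/28", "10.1.2.0/24")]
# Two successes with the same credential from different sources inside this
# window are treated as replay. Tune to how your admins actually work.
REPLAY_WINDOW = timedelta(minutes=30)

# Constructed syslog-style line: "<ts> <device> mgmt-auth user=<u> src=<ip> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) mgmt-auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def from_admin_net(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETS)


def detect(lines, window=REPLAY_WINDOW):
    """Walk the lines in order and return alerts for (a) successful admin
    logins from outside the approved networks and (b) the same credential
    succeeding from two different sources within the replay window."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, src, device)] of successes
    for line in lines:
        rec = parse(line)
        if rec is None or rec["result"] != "success":
            continue
        if not from_admin_net(rec["src"]):
            alerts.append({"type": "untrusted_source", "user": rec["user"],
                           "device": rec["device"], "src": rec["src"]})
        for ts, src, dev in recent[rec["user"]]:
            if src != rec["src"] and rec["ts"] - ts <= window:
                alerts.append({"type": "credential_replay", "user": rec["user"],
                               "sources": [src, rec["src"]],
                               "devices": [dev, rec["device"]]})
                break
        recent[rec["user"]].append((rec["ts"], rec["src"], rec["device"]))
    return alerts


# Constructed sample: routine admin work from the bastion, then the same
# credential succeeding from an external address within the window.
SAMPLE_LOGS = [
    "2025-09-14T02:11:05Z vpn-gw-01 mgmt-auth user=netops src=10.200.5.7 result=success",
    "2025-09-14T02:40:22Z edge-rtr-03 mgmt-auth user=netops src=10.200.5.7 result=success",
    "2025-09-14T03:02:10Z edge-rtr-03 mgmt-auth user=netops src=198.51.100.23 result=success",
    "2025-09-14T03:05:44Z cloud-gw-a mgmt-auth user=netops src=198.51.100.23 result=failure",
    "2025-09-14T03:07:01Z core-fw mgmt-auth user=svc-backup src=10.1.2.9 result=success",
    "not a mgmt-auth line; the parser must skip it without crashing",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

Nothing in the flagged login is an exploit or malware: the credential is valid and the device is working as configured. The only signal is that a legitimate identity is being used from the wrong place, which is why the admin-source allowlist has to be maintained alongside the device inventory rather than inferred from traffic after the fact.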
A Strategic Wake-Up Call
The larger takeaway isn’t that exploits no longer matter. It’s that attacker success increasingly depends on what defenders assume is already under control.
For years, many organizations treated unpatched software as the main source of risk. If scanners were clean and patch cycles were tight, they felt confident. Amazon’s findings suggest that confidence may be misplaced.
State-backed actors are exploiting what defenders assume to be settled: that edge devices are configured correctly, that administrative access is limited, and that someone is watching the logs. When those assumptions go untested, they leave room for quiet access that doesn’t look like an intrusion.
Those gaps don’t require clever exploits. They only require patience.