Amazon Reveals Prolonged GRU-Linked Cyber Espionage Campaign Against Energy and Cloud Systems
Amazon security teams have uncovered a multi-year cyber operation tied to Russia’s GRU, targeting critical energy networks and cloud infrastructure.

Amazon has disclosed details of a long-running cyber espionage campaign linked to Russia’s military intelligence agency, the GRU. According to Amazon’s findings, threat actors conducted sustained operations over several years, focusing on energy-sector organizations and cloud infrastructure providers.
The campaign relied on a combination of credential theft, exploitation of exposed services, and abuse of cloud identities. Attackers targeted organizations that manage or support critical energy operations, including electricity generation, distribution, and related industrial systems. At the same time, they pursued access to cloud environments that host sensitive workloads and management platforms.
Amazon researchers observed that the attackers emphasized persistence and stealth rather than rapid disruption. Once they gained initial access, they moved carefully through compromised environments. They collected credentials, mapped internal systems, and maintained long-term access. As a result, victims often remained unaware of the intrusion for extended periods.
The attackers also demonstrated strong knowledge of cloud infrastructure. They exploited misconfigured identity and access management settings to escalate privileges. In several cases, they used legitimate administrative tools to blend in with normal activity. Consequently, traditional security monitoring struggled to distinguish malicious actions from routine operations.
Amazon stated that the campaign aligns with known GRU tactics, techniques, and procedures. These include long-term intelligence collection, targeting of strategic sectors, and careful operational security. Energy infrastructure remains a high-priority target due to its importance to national security and economic stability.
Security experts warn that this disclosure highlights ongoing risks to both critical infrastructure and cloud platforms. Many organizations continue to expose management interfaces or grant cloud identities far more permissions than they need. Therefore, attackers with sufficient patience can exploit these weaknesses over time.
Amazon recommends strengthening identity controls, enforcing least-privilege access, and monitoring for unusual cloud activity. Organizations should also review historical logs to identify signs of long-term compromise. Without these measures, advanced threat actors will continue to operate undetected.
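The least-privilege and log-review recommendations above can be turned into routine checks. The following is an added example written for this article, not code from Amazon's report: it flags IAM-style policy statements that grant wildcard permissions (the "over-permissioned identity" problem) and picks identity-modifying API calls out of CloudTrail-style events so they can be reviewed against expected administrative activity. The policy documents and event records are constructed samples; the field names follow the IAM policy and CloudTrail record formats, while the list of privilege-changing actions is a starting set chosen for the example, not an exhaustive catalogue.

```python
"""Least-privilege audit for IAM-style policies plus a review pass over
CloudTrail-style events. Added example; all data below is constructed."""
import json

# IAM API calls that change who can do what. A burst of these from a principal
# that does not normally administer identities is worth a closer look.
# Starting set for the example, not an exhaustive list.
PRIVILEGE_CHANGING_ACTIONS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "UpdateAssumeRolePolicy", "AddUserToGroup",
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def find_overbroad_statements(policy):
    """Return one finding per Allow statement that grants wildcard access."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # IAM actions are case-insensitive
        resources = _as_list(stmt.get("Resource"))
        wildcard_resource = "*" in resources
        # Allow + NotAction grants every action except those listed, which is
        # almost always broader than the author intended.
        broad_action = "NotAction" in stmt or any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and wildcard_resource:
            findings.append({"statement": idx, "reason": "wildcard action on wildcard resource"})
        elif "iam:passrole" in actions and wildcard_resource:
            # Letting a principal pass any role to any service is a well-known
            # privilege-escalation path; scope the Resource to specific role ARNs.
            findings.append({"statement": idx, "reason": "iam:PassRole on wildcard resource"})
    return findings


def flag_privilege_changes(events):
    """Return (eventTime, principal ARN, eventName) for identity-modifying IAM calls."""
    flagged = []
    for ev in events:
        if ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") in PRIVILEGE_CHANGING_ACTIONS:
            principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
            flagged.append((ev.get("eventTime", ""), principal, ev["eventName"]))
    return flagged


# Constructed sample policies: one weak, one scoped, one with the PassRole pattern.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
STRICT_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
PASSROLE_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow",
                                  "Action": ["iam:PassRole", "ec2:RunInstances"],
                                  "Resource": "*"}]}

# Constructed CloudTrail-style records (trimmed to the fields the review uses).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T02:14:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-svc"}},
    {"eventTime": "2024-01-10T02:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-svc"}},
    {"eventTime": "2024-01-10T02:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-svc"}},
]

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("strict", STRICT_POLICY), ("passrole", PASSROLE_POLICY)]:
        print(name, json.dumps(find_overbroad_statements(pol)))
    for hit in flag_privilege_changes(SAMPLE_EVENTS):
        print("review:", *hit)
```

In practice the policy check runs over every inline and managed policy pulled from the account, and the event review is applied to the full retention window of CloudTrail history rather than a handful of records, since the point of the exercise is to catch identity changes made long before anyone suspected a compromise.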
Overall, the findings reinforce a key reality: nation-state cyber campaigns do not rely on single attacks. Instead, they succeed through persistence, stealth, and exploitation of overlooked security gaps.