Amazon confirms years-long Russian cyberattack against AWS and its users

December 19, 2025

The attack has been ongoing for half a decade.
Amazon Web Services has been under attack for half a decade by Russian state actors.
Credit: Ismail Kaplan/Anadolu via Getty Images

Amazon Web Services (AWS), Amazon’s cloud web hosting platform, which provides online services to millions of customers, has confirmed that Russian state actors have been attacking misconfigured customer edge devices for the past five years, according to a new update from the company.

Earlier this week, Amazon Threat Intelligence shared an update on the AWS website that detailed the years-long attack by a Russian cyber threat group. Amazon’s team dissected the attack and discovered a link to a threat actor known as Sandworm, which is associated with Russia’s GRU military intelligence agency.

Amazon’s telemetry reveals coordinated operations against customer network edge devices hosted on AWS. According to Amazon, this was not due to a weakness in AWS; the cause appears to be devices misconfigured by customers.



“The campaign demonstrates sustained focus on Western critical infrastructure, particularly the energy sector, with operations spanning 2021 through the present day,” CJ Moses of Amazon Threat Intelligence said in the post.


According to Amazon, the attack focused on “energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and organizations with cloud-hosted network infrastructure.” Amazon says the campaign targeted “‘low-hanging fruit’ of likely misconfigured customer devices,” which likely enabled the attacks to continue on for so long.

Moses says that this attack “represents a significant evolution in critical infrastructure targeting” and calls it a “tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined.”

Basically, according to Amazon, there isn’t any AWS exploit to patch, as bad actors are weaponizing misconfigured devices on the customers’ end. Amazon says it has notified affected customers. Going into the new year, Amazon is urging its customers to monitor and audit network devices and remain vigilant as attacks are ongoing.

UPDATE: Dec. 19, 2025, 5:54 p.m. EST This post has been updated throughout to make it clear that AWS was not a victim in this attack and the coordinated operation did not occur due to a weakness in AWS. The cause appears to be devices misconfigured by customers.
