At a glance: New reports detail that Russian state-sponsored APT44 (Sandworm) has shifted tactics in its multi-year campaign against Western critical infrastructure, moving away from software exploitation toward compromising misconfigured network edge devices. Restrict edge device exposure and enforce MFA.
Threat summary
On December 15, Amazon Threat Intelligence released a report detailing that a Russian state-sponsored threat group targeting Western critical infrastructure has shifted tactics to increasingly exploit misconfigured network edge devices.
The multi-year campaign is attributed to an advanced persistent threat (APT) linked to Russia’s Main Intelligence Directorate (GRU), known as APT44, Sandworm, Seashell Blizzard, and Voodoo Bear.
Active since at least 2021, APT44 has primarily targeted energy providers, telecommunications companies, and organizations with cloud‑hosted infrastructure across North America and Europe.
Between 2021 and 2024, APT44 was observed exploiting known vulnerabilities in WatchGuard Firebox appliances, Atlassian Confluence servers, and Veeam Backup & Replication systems. In 2025, however, the group moved away from primarily exploiting software vulnerabilities toward compromising misconfigured customer network edge devices such as enterprise routers, VPN concentrators, and remote access gateways.
These compromises relied on exposed management interfaces to gain initial access, followed by credential harvesting and replay attacks to move laterally into cloud‑hosted environments. This approach reduced reliance on zero‑day or N‑day vulnerabilities while maintaining operational effectiveness.
APT44 has a long history of gaining visibility into network communications, for example by deploying malware on or exploiting network devices to monitor traffic flows, authentication attempts, and user activity. This aligns with the group's broader objective of maintaining persistent access and enabling disruptive operations.
Insights & mitigations
Network edge devices, positioned between internal networks and external services, give threat actors a privileged gateway into authentication traffic. Once compromised, these devices allow adversaries to observe, capture, or manipulate login flows without breaching individual endpoints.
By compromising edge devices across many organizations, Sandworm can intercept authentication traffic on a large scale. This tactic provides broad visibility into organizational credentials used for cloud services, collaboration platforms, and backup systems.
The tactic allows the threat group to stay hidden for long periods and apply the same method across different victims, leading to widespread credential theft and potential disruption of critical infrastructure.
Mitigations focus on reducing exposure of edge devices and monitoring for credential misuse:
- Restrict or remove exposed management interfaces on routers, VPN concentrators, and gateways, placing administrative access behind secure management networks.
- Enforce strong multi‑factor authentication for all remote access services to limit the impact of intercepted credentials.
- Separate management networks from user traffic to reduce interception opportunities, and rotate credentials regularly while monitoring for reuse across services.
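As an added illustration of the "monitor for reuse across services" and "restrict exposed management interfaces" items above (example code written for this note, not from the report or from Field Effect), the following Python flags two patterns over constructed authentication events: the same account authenticating to different services from different source addresses within a short window, which is consistent with replayed credentials, and management-interface logins from outside an assumed management network. The service names, the 10-minute window, and the 10.99.0.0/24 management range are assumptions.

```python
"""Flag possible credential replay and exposed management-interface use.

Added example, not from the report. The log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed events: timestamp, service, account, source IP, outcome.
SAMPLE_EVENTS = """\
2025-12-10T08:00:05Z vpn    alice 203.0.113.10 success
2025-12-10T08:03:40Z m365   alice 198.51.100.7 success
2025-12-10T08:04:12Z backup alice 198.51.100.7 success
2025-12-10T08:10:00Z vpn    bob   203.0.113.10 success
2025-12-10T09:30:00Z m365   bob   203.0.113.10 success
2025-12-10T10:00:00Z mgmt   admin 198.51.100.7 success
2025-12-10T10:05:00Z mgmt   admin 10.99.0.5    success
"""

MGMT_NET = ipaddress.ip_network("10.99.0.0/24")  # assumed management network
WINDOW = timedelta(minutes=10)                   # assumed replay window

def parse(text):
    """Parse the whitespace-separated events into sorted tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, svc, user, ip, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, svc, user, ipaddress.ip_address(ip), result))
    return sorted(events)

def find_replay(events, window=WINDOW):
    """Same account, different service, different source, inside the window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev[4] == "success":
            by_user[ev[2]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (t1, s1, _, ip1, _) in enumerate(evs):
            for t2, s2, _, ip2, _ in evs[i + 1:]:
                if t2 - t1 > window:
                    break  # events are time-sorted, nothing later can match
                if s1 != s2 and ip1 != ip2:
                    alerts.append((user, s1, str(ip1), s2, str(ip2)))
    return alerts

def find_exposed_mgmt(events, mgmt_net=MGMT_NET):
    """Successful management-interface logins from outside the management net."""
    return [(u, str(ip)) for _, svc, u, ip, r in events
            if svc == "mgmt" and r == "success" and ip not in mgmt_net]
```

Run against real logs, the replay rule should be tuned with known egress ranges so that ordinary roaming between office and VPN addresses does not page an analyst.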
Sandworm’s use of compromised edge devices to intercept credentials takes advantage of gaps in traditional monitoring. Field Effect MDR closes these gaps by correlating endpoint, network, and cloud telemetry to identify credential misuse and actively disrupt adversarial activity—making it a vital capability for managed service providers managing complex client environments and for organizations safeguarding critical infrastructure.