2 min read | Saved February 14, 2026
Do you care about this?
Amazon's Threat Intelligence team has halted operations by Russian GRU hackers targeting cloud infrastructure, particularly in the energy sector. The attackers shifted from exploiting software vulnerabilities to leveraging misconfigured network devices for access, prompting Amazon to take protective measures for affected customers and recommend security audits.
If you do, here's more
Amazon's Threat Intelligence team has disrupted ongoing operations linked to Russian GRU hackers who have been targeting cloud infrastructure, particularly in the energy sector, since 2021. Initially, these hackers exploited a range of vulnerabilities in products such as WatchGuard and Confluence. They have since shifted tactics, relying less on those vulnerabilities and more on misconfigured edge devices such as enterprise routers and VPN gateways. According to CJ Moses, Amazon's CISO, this tactical evolution lets the threat actors maintain persistent access to critical networks while minimizing their exposure and the resources they spend.
Evidence suggests that the hackers, possibly associated with the Curly COMrades group, used passive packet capture on compromised devices to harvest credentials, with AWS EC2 instances among the infrastructure involved. Amazon has secured those instances and alerted the affected customers, and has shared intelligence with industry partners to help mitigate the threat. Importantly, Amazon warned against blocking the identified IP addresses without investigating first: the addresses may belong to legitimate third-party servers that were themselves compromised, so a blanket block can cut off a business partner rather than the attacker.
To counter these threats, Amazon recommends immediate actions such as auditing network devices, monitoring for misuse of credentials that may have been captured, and isolating device management interfaces from the internet and from general-purpose networks in AWS environments. Amazon also emphasizes tighter security controls, including enabling CloudTrail and GuardDuty, to improve visibility into API activity and speed up response.
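The "monitor for credential misuse" recommendation is the one a responder can act on immediately from CloudTrail. The script below is an added example, not Amazon's code or a tool from the report: it reads CloudTrail-style records and flags an access key that is used from more than a couple of source addresses, from addresses outside the organization's known egress ranges, or for identity- and network-changing API calls from such addresses. The records, the key IDs, the user names and the corporate range (203.0.113.0/24, an RFC 5737 documentation network) are all constructed for the example; the field names follow the real CloudTrail event schema.

```python
"""Hunt for use of harvested credentials in CloudTrail records.

Added example, not Amazon's code. The input records below are constructed;
in practice feed it the JSON records from a CloudTrail trail or a
CloudTrail Lake query, one record per line.
"""
import ipaddress
import json
from collections import defaultdict

# Assumed corporate egress range; replace with your own NAT/VPN addresses.
KNOWN_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# API calls that change identity or network posture. A harvested key used for
# one of these from an unfamiliar address is the strongest signal here.
SENSITIVE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "AuthorizeSecurityGroupIngress", "ModifyInstanceAttribute",
}

# Constructed records (invented values, real CloudTrail field names).
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"eventTime": "2026-02-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "netops",
                      "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2026-02-10T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "netops",
                      "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2026-02-10T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "netops",
                      "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2026-02-10T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "netops",
                      "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2026-02-10T10:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "backup",
                      "accessKeyId": "AKIAEXAMPLEKEY00002"}},
]]


def parse_records(lines):
    """Parse one JSON CloudTrail record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def is_known_source(ip_str, known_cidrs=KNOWN_CIDRS):
    """True if the source address falls inside a known egress range.
    Service-originated calls carry a hostname (e.g. ec2.amazonaws.com)
    instead of an IP; those are treated as unknown and left to the analyst."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in known_cidrs)


def find_credential_misuse(records, known_cidrs=KNOWN_CIDRS, max_source_ips=2):
    """Group events by access key and return a dict of key -> finding for
    every key that shows at least one misuse indicator."""
    by_key = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(rec)

    findings = {}
    for key, events in by_key.items():
        ips = sorted({e["sourceIPAddress"] for e in events})
        unknown = [ip for ip in ips if not is_known_source(ip, known_cidrs)]
        sensitive = [(e["eventTime"], e["eventName"], e["sourceIPAddress"])
                     for e in events
                     if e["eventName"] in SENSITIVE_ACTIONS
                     and not is_known_source(e["sourceIPAddress"], known_cidrs)]
        reasons = []
        if len(ips) > max_source_ips:
            reasons.append(f"used from {len(ips)} distinct addresses")
        if unknown:
            reasons.append("calls from outside known ranges: " + ", ".join(unknown))
        if sensitive:
            reasons.append("sensitive actions from unknown addresses: "
                           + ", ".join(f"{name}@{ip}" for _, name, ip in sensitive))
        if reasons:
            findings[key] = {"user": events[0]["userIdentity"].get("userName"),
                             "source_ips": ips, "unknown_ips": unknown,
                             "sensitive": sensitive, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for key, f in find_credential_misuse(parse_records(SAMPLE_RECORDS)).items():
        print(f"{key} ({f['user']}):")
        for reason in f["reasons"]:
            print("  -", reason)
```

On the constructed data the script flags only AKIAEXAMPLEKEY00001: it appears from three addresses, two of them outside the known range, and it creates a new access key and opens a security group from those addresses, which is what a replayed credential harvested from a router or VPN gateway looks like. The unfamiliar addresses are the pivot for the investigation, not an automatic block list, in keeping with Amazon's caution that the infrastructure may itself be a compromised third party; the right first move is to rotate the key and review what it touched.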