
APT44 (Sandworm) Shifts Tactics: Targeting Misconfigured Network Edge Devices for Persistent Access
Researchers from Amazon Threat Intelligence have documented a tactical evolution by APT44 (Sandworm), the Russian GRU-linked threat group. Departing from their traditional reliance on software vulnerability exploitation, APT44 is now targeting misconfigured network edge devices (routers, VPN appliances, and other perimeter network equipment) to establish persistent access within targeted networks. This shift was observed in campaigns primarily targeting the energy sector, telecommunications providers, and managed service providers (MSPs), with the latter serving as potential gateways to multiple downstream victims.

The technical implications of this tactical adjustment are significant. Network edge devices often operate with elevated privileges and may lack the same level of security monitoring as internal systems. By exploiting misconfigurations rather than known vulnerabilities, APT44 reduces the likelihood of detection through traditional signature-based defenses. This approach also suggests a focus on operational security, as misconfiguration-based access may blend more easily with legitimate network traffic.

For cybersecurity practitioners, this development reinforces the critical importance of comprehensive asset inventories and rigorous configuration management. Organizations in high-risk sectors should prioritize audits of perimeter devices, with particular attention to default credentials, unnecessary open ports, and improper access controls. Network segmentation and least-privilege principles can further limit the impact of such compromises. Managed service providers, given their role as potential force multipliers for attackers, must adopt heightened monitoring and access control measures to prevent supply chain compromises.

The absence of specific technical indicators (e.g., CVEs, custom tools) in the reporting underscores the challenge of detecting and attributing these activities. However, the pattern aligns with broader trends in state-sponsored operations, where adversaries increasingly favor stealth and persistence over high-visibility exploits. This evolution necessitates a corresponding shift in defensive postures, with greater emphasis on anomaly detection and continuous monitoring of network edge devices.
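The perimeter-device audit recommended above (default credentials, unnecessary open ports, improper access controls) can be turned into a repeatable check. The script below is an added example, not code from the article or from Amazon Threat Intelligence; the device model, the list of vendor-default credentials, and the sample configuration are all constructed for illustration and do not describe any real product.

```python
"""Audit an exported edge-device configuration for the three
misconfiguration classes the article names: vendor-default credentials,
unnecessary services exposed on untrusted interfaces, and management
services reachable without a restrictive source ACL.

Everything here is a constructed example: the data model, the default
credential list and the sample device are illustrative, not vendor data."""
from dataclasses import dataclass, field

# Constructed set of vendor-default username/password pairs (illustrative).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("cisco", "cisco")}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Legacy or cleartext services that should never face the untrusted side.
LEGACY_SERVICES = {"telnet", "http", "snmp", "ftp"}
# Management services that may face the WAN only behind a restrictive ACL.
MANAGEMENT_SERVICES = {"ssh", "https", "telnet", "http", "snmp"}


@dataclass
class Service:
    name: str
    port: int
    interfaces: set                            # interfaces the service listens on
    acl: list = field(default_factory=list)    # permitted source CIDRs; [] = no ACL


@dataclass
class DeviceConfig:
    hostname: str
    untrusted_interfaces: set   # e.g. {"wan0"}
    local_users: dict           # username -> password
    snmp_communities: set
    services: list


def _acl_is_open(acl):
    # No ACL at all, or an ACL that permits any source, is "no access control".
    return not acl or any(e in ("any", "0.0.0.0/0", "::/0") for e in acl)


def audit(cfg):
    """Return a list of (category, message) findings for one device."""
    findings = []
    for user, password in cfg.local_users.items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(("default-credential",
                             f"user {user!r} uses a vendor-default password"))
    for community in sorted(cfg.snmp_communities & DEFAULT_SNMP_COMMUNITIES):
        findings.append(("default-credential",
                         f"SNMP community {community!r} is a well-known default"))
    for svc in cfg.services:
        exposed_on = svc.interfaces & cfg.untrusted_interfaces
        if not exposed_on:
            continue                       # internal-only service: fine here
        where = ",".join(sorted(exposed_on))
        if svc.name in LEGACY_SERVICES:
            findings.append(("unnecessary-exposed-service",
                             f"{svc.name}/{svc.port} listens on untrusted interface(s) {where}"))
        elif svc.name in MANAGEMENT_SERVICES and _acl_is_open(svc.acl):
            findings.append(("missing-access-control",
                             f"{svc.name}/{svc.port} is reachable from {where} without a restrictive source ACL"))
    return findings


# Constructed sample: one edge router with a mix of good and bad settings.
SAMPLE_CONFIG = DeviceConfig(
    hostname="edge-rtr-01",
    untrusted_interfaces={"wan0"},
    local_users={"admin": "admin", "netops": "Tr0ub4dor&3"},
    snmp_communities={"public", "n3t-ro-only"},
    services=[
        Service("ssh", 22, {"wan0", "lan0"}, acl=["10.0.0.0/8"]),  # restricted: ok
        Service("https", 443, {"wan0"}),                            # no ACL: flagged
        Service("telnet", 23, {"wan0", "lan0"}),                    # legacy on WAN: flagged
        Service("snmp", 161, {"lan0"}),                             # internal only: ok
    ],
)

if __name__ == "__main__":
    for category, message in audit(SAMPLE_CONFIG):
        print(f"[{category}] {SAMPLE_CONFIG.hostname}: {message}")
```

Run against the sample device this reports four findings: the default `admin` password, the `public` SNMP community, HTTPS management open to the WAN with no ACL, and Telnet listening on the WAN. Feeding it real exports means writing one adapter per vendor format into `DeviceConfig`; the checks themselves stay vendor-neutral, which is what makes them usable across a mixed MSP fleet.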