Amazon’s Warning: The New Reality of Initial Access
Exploits. Malware. Zero-days. Phishing.
But Amazon just showed us something far more unsettling.
In December 2025, Amazon released two security disclosures in the same week that, taken together, reveal a fundamental shift in how modern attackers operate. One involved a North Korean IT worker who gained administrative access through a third-party contractor. The other detailed a years-long Russian state-sponsored campaign that moved away from vulnerability exploitation and instead abused misconfigured edge devices and trusted infrastructure.
Neither case was loud. Neither relied on flashy exploits. And neither looked obviously malicious at first glance.
Instead, they shared a common theme: attackers are no longer breaking trust — they’re borrowing it.
Two Stories, One Pattern
At first glance, Amazon’s disclosures seemed unrelated.
The first story made headlines because of its novelty: Amazon detected a North Korean IT worker embedded inside its environment by measuring keyboard latency. The individual had entered through a third-party contractor and was performing legitimate sysadmin work — sometimes effectively — while operating from overseas via a “laptop farm.”
As discussed on the Cyberside Chats podcast, this wasn’t a failure of traditional malware detection. As Sherri Davidoff put it:
“They didn’t find malware. They found that reality didn’t line up with the story.”
The second disclosure came from Amazon Threat Intelligence and described a sustained Russian espionage campaign targeting Western critical infrastructure. Over several years, the attackers gradually shifted tactics. By 2025, Amazon observed a decline in vulnerability exploitation and a corresponding rise in attacks that abused misconfigured network edge devices, harvesting credentials and replaying them into cloud and SaaS environments.
As Matt Durrin noted during the podcast:
“They stopped going after CVEs and just started going after the way we configured things.”
Different attackers. Different entry points. Same outcome.
Initial Access That Looks Normal
What makes these cases especially dangerous is how unremarkable they appear.
In the North Korean worker case:
- Credentials were valid
- Access was authorized
- Behavior mostly aligned with the role
In the Russian campaign:
- Infrastructure was legitimate
- IP space was trusted
- Authentication often succeeded
There was no obvious “break-in.”
This is why Amazon’s disclosures matter so much. They show that initial access now often looks legitimate, which fundamentally changes how defenders must think about detection and prevention.
Human Infrastructure Is Now Part of the Attack Surface
The North Korean IT worker case highlights a growing blind spot: people and hiring pipelines are now attack vectors.
Amazon did not directly hire the worker. The individual came through a third-party contractor — a common practice across the tech industry. That detail matters, because many organizations assume vendor hiring processes are “good enough” without verifying how identity, location, and authenticity are validated.
As discussed in the podcast, this isn’t limited to nation-states. Cybercriminal groups and insider threats increasingly exploit remote work norms, contractor relationships, and distributed hiring models.
Background reporting has shown how U.S.-based facilitators help North Korean workers masquerade as domestic employees.
This is why LMG Security encourages organizations to treat hiring and contractor onboarding as part of their broader security program — not just an HR function.
Technical Infrastructure Can Be Impersonated Too
The Russian campaign reinforces the same lesson at the technical layer.
Amazon observed attackers compromising edge devices — firewalls, VPN appliances, and externally exposed services — often due to weak configurations or exposed management interfaces. Once compromised, those devices became trusted footholds.
Amazon described this directly as attackers using a “compromised legitimate server to proxy threat actor traffic.”
Technical reporting on the DPRK case illustrates just how subtle these indicators can be. Even a roughly 110-millisecond keystroke delay was enough to raise red flags.
Why MFA and Hardening Still Matter — Everywhere
One of the clearest takeaways from the episode was the renewed importance of strong, enforced MFA and endpoint hardening.
Attackers will steal credentials. That assumption is no longer controversial. What matters is whether those credentials can be used to gain meaningful access.
As emphasized on the podcast:
- MFA must be enforced on network edge devices
- MFA must protect cloud consoles and SaaS admin portals
- MFA must apply to internal administrative access, not just external logins
Endpoint and application hardening also remain essential. Many of the Russian attacks exploited default or weak configurations in software pulled directly from cloud marketplaces — tools that “worked” but were never fully secured.
A deployment isn’t finished when it functions. It’s finished when it’s hardened.
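The gap the episode keeps returning to is the one between what policy says about MFA and what authentication logs actually show. Below is an added example (not code from the original post, from LMG Security, or from Amazon) of the kind of audit a practitioner can run to surface both: an inventory of authentication surfaces tagged with whether MFA is required there, checked against a constructed auth log for successful password-only logins. The CSV layout, the key=value log format, the surface names and the category labels are all assumptions made for this illustration.

```python
import csv
import io

# Surface categories the episode says must sit behind MFA: edge devices,
# cloud consoles, SaaS admin portals and internal administrative access.
MFA_MANDATORY = {"edge_device", "cloud_console", "saas_admin", "internal_admin"}

# Constructed inventory (layout and names are assumptions for this example).
INVENTORY_CSV = """surface,category,mfa_required
vpn-gw-01,edge_device,false
fw-mgmt,edge_device,true
aws-console,cloud_console,true
crm-admin,saas_admin,false
bastion-01,internal_admin,true
intranet-wiki,user_portal,false
"""

# Constructed auth log in an assumed key=value format; mfa=none marks a
# password-only success. Addresses are documentation/private ranges.
AUTH_LOG = """2025-12-02T08:14:02Z surface=fw-mgmt user=admin result=success mfa=none src=203.0.113.5
2025-12-02T08:15:44Z surface=aws-console user=ops result=success mfa=totp src=198.51.100.7
2025-12-02T09:01:10Z surface=bastion-01 user=root result=success mfa=none src=10.0.4.9
2025-12-02T09:03:30Z surface=vpn-gw-01 user=jdoe result=success mfa=none src=203.0.113.77
2025-12-02T09:10:00Z surface=intranet-wiki user=jdoe result=success mfa=none src=10.0.8.2
"""


def load_inventory(text):
    """Map surface name -> {category, mfa_required} from the CSV inventory."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        r["surface"]: {
            "category": r["category"],
            "mfa_required": r["mfa_required"].strip().lower() == "true",
        }
        for r in rows
    }


def parse_auth_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for tok in pairs:
        key, _, value = tok.partition("=")
        event[key] = value
    return event


def policy_gaps(inventory):
    """Surfaces in an MFA-mandatory category whose policy does not require MFA."""
    return sorted(
        name for name, meta in inventory.items()
        if meta["category"] in MFA_MANDATORY and not meta["mfa_required"]
    )


def policy_violations(inventory, log_text):
    """Successful password-only logins where policy says MFA is required.

    These are the interesting ones: the control exists on paper but the log
    shows it is not actually enforced on that surface (drift or bypass).
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_auth_line(line)
        meta = inventory.get(ev.get("surface"))
        if (meta and meta["mfa_required"]
                and ev.get("result") == "success"
                and ev.get("mfa", "none") == "none"):
            hits.append((ev["surface"], ev["user"]))
    return hits


def audit(inventory_text=INVENTORY_CSV, log_text=AUTH_LOG):
    """Run both checks and return the findings as plain lists."""
    inventory = load_inventory(inventory_text)
    return {
        "policy_gaps": policy_gaps(inventory),
        "policy_violations": policy_violations(inventory, log_text),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind, findings)
```

With the constructed data, the policy check flags the VPN gateway and the CRM admin portal (mandatory categories with no MFA requirement), while the log check flags the firewall management interface and the bastion host, where policy says MFA is required but password-only logins still succeeded. The second list is the one worth reviewing first, because it is where a stolen credential alone would have been enough.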
Detection Has to Change
Perhaps the most important lesson from Amazon’s disclosures is how detection needs to evolve.
For years, security teams looked for known bad indicators, malware signatures, and exploit telemetry.
In both Amazon cases, detection succeeded because defenders looked for what didn’t make sense:
- Unexpected latency
- Behavioral mismatches
- Access patterns that didn’t align with role or geography
As summarized during the episode:
“We have to look for behavior that is out of place — not just malicious.”
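The three signals listed above (latency, behavioral mismatch, and access that does not fit role or geography) can each be expressed as a simple rule over session telemetry. The following is an added example, not code from the original post, from LMG Security, or from Amazon, and it does not reproduce Amazon's actual detection method. It runs over constructed session records: a per-user keystroke-latency baseline, the user's declared work country, and the set of actions expected for the user's role. The field names, thresholds and sample values are assumptions chosen for this illustration; the roughly 110 ms offset in the second session mirrors the figure reported for the DPRK case.

```python
import statistics

# Per-user learned median inter-keystroke gap in ms (constructed baselines).
BASELINE_GAP_MS = {"alice": 100, "bob": 100, "carol": 95}

# Actions each role is expected to perform (constructed, assumed role model).
ROLE_ACTIONS = {
    "sysadmin": {"ssh_login", "restart_service", "read_logs"},
    "helpdesk": {"reset_password", "read_logs"},
}

# How far a session's median gap may exceed the baseline before flagging.
LATENCY_DELTA_MS = 80

# Constructed session telemetry. bob's keystrokes arrive ~110 ms slower than
# his baseline and he performs an action outside his role; carol's session
# originates from a country other than the one she declared.
SESSIONS = [
    {"user": "alice", "role": "sysadmin", "declared_country": "US", "src_country": "US",
     "keystroke_gaps_ms": [95, 110, 102, 98, 120, 105, 99, 108],
     "actions": ["ssh_login", "restart_service", "read_logs"]},
    {"user": "bob", "role": "sysadmin", "declared_country": "US", "src_country": "US",
     "keystroke_gaps_ms": [210, 225, 198, 240, 215, 230, 205, 220],
     "actions": ["ssh_login", "read_logs", "create_iam_user"]},
    {"user": "carol", "role": "helpdesk", "declared_country": "US", "src_country": "PL",
     "keystroke_gaps_ms": [90, 100, 95, 105, 98, 92, 101, 97],
     "actions": ["reset_password", "read_logs"]},
]


def analyze_session(session, baselines=BASELINE_GAP_MS, role_actions=ROLE_ACTIONS):
    """Return a list of (kind, detail) findings for one session.

    kind is one of 'latency', 'geo', 'role'. An empty list means nothing in
    the session contradicted the story the account is supposed to tell.
    """
    findings = []
    user = session["user"]

    # 1. Latency: median gap between keystrokes versus the user's own baseline.
    #    The median is used so a few long pauses (thinking) do not trip it.
    median_gap = statistics.median(session["keystroke_gaps_ms"])
    baseline = baselines.get(user)
    if baseline is not None and median_gap - baseline > LATENCY_DELTA_MS:
        findings.append(("latency",
                         f"median {median_gap:.1f} ms vs baseline {baseline} ms "
                         f"(+{median_gap - baseline:.1f} ms)"))

    # 2. Geography: where the session came from versus where the worker claims to be.
    if session["src_country"] != session["declared_country"]:
        findings.append(("geo",
                         f"source {session['src_country']} vs declared "
                         f"{session['declared_country']}"))

    # 3. Role: actions performed that the role is not expected to perform.
    allowed = role_actions.get(session["role"], set())
    unexpected = sorted(set(session["actions"]) - allowed)
    if unexpected:
        findings.append(("role",
                         f"{', '.join(unexpected)} outside {session['role']}"))

    return findings


def analyze_all(sessions=SESSIONS):
    """Map each user to the findings for their session."""
    return {s["user"]: analyze_session(s) for s in sessions}


if __name__ == "__main__":
    for user, findings in analyze_all().items():
        status = "ok" if not findings else "; ".join(f"{k}: {d}" for k, d in findings)
        print(f"{user}: {status}")
```

None of the three rules looks for anything malicious on its own: a slow typist, a traveling employee, and an admin doing a one-off task are all benign on their own. What matters is that each finding is a mismatch between the session and the story the account tells, and the sessions that accumulate more than one such mismatch are the ones an analyst should pull first. In practice the baselines would be learned from the user's own history rather than hard-coded as they are here.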
What Security Leaders Should Do Now
Amazon’s message is not that defenses are failing — it’s that assumptions need updating.
Going into 2026, organizations should:
- Re-evaluate trust in hiring and contractors
- Harden and monitor edge devices aggressively
- Enforce strong MFA everywhere credentials matter
- Secure endpoints and applications beyond default settings
- Shift detection toward behavioral mismatch and contextual risk
These are not theoretical risks. As Amazon’s disclosures show, they’re already being exploited at scale.
A Practical Next Step
At LMG Security, we work with organizations facing exactly these challenges — from contractor risk and identity controls to cloud hardening, tabletop exercises, and detection strategy reviews. If your team is rethinking how trust, access, and identity really work in today’s threat landscape, services like security program assessments, virtual CISO support, and incident readiness tabletop exercises can help identify gaps before attackers do.
Amazon’s warning is clear: modern attacks don’t always break in. Sometimes, they simply belong.