Amazon says APT29 attempted watering-hole attack to harvest Microsoft credentials; AWS says no systems affected

Amazon on Friday said it disrupted an intelligence-gathering operation by Russia’s APT29, also known as Cozy Bear and Midnight Blizzard, that aimed to trick Microsoft users into granting access to their accounts and data. The company stressed that no AWS systems were compromised and there was no impact on AWS services or infrastructure.

APT29 has long been linked to Russia’s Foreign Intelligence Service (SVR) by the United States, the United Kingdom and other governments and security researchers. The group has shown a growing focus on Microsoft data and user credentials in recent years, according to Amazon’s security review of the operation.

The attackers conducted a watering-hole campaign, compromising legitimate websites and injecting malicious JavaScript that redirected roughly 10 percent of visitors to attacker-controlled domains. The domains included findcloudflare[.]com and cloudflare[.]redirectpartners[.]com, which were designed to resemble legitimate Cloudflare verification pages. The objective was to get users who were trying to sign in to Microsoft accounts to enter an APT29-generated device code on a spoofed page; completing that step authorizes the attacker-controlled device that requested the code and hands it access to the victim’s account and data, without the victim ever typing a password into an attacker-owned site.

“This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts,” AWS Chief Information Security Officer CJ Moses said in a Friday blog post. He added that no AWS systems were compromised, nor was there any direct impact on AWS services or infrastructure.

AWS also analyzed the injected code to identify the methods used to evade detection, including randomization that limited which visitors were redirected, base64-encoded payloads, cookies that prevented the same visitor from being redirected twice, and pivots to new infrastructure when its domains were blocked.

Neither Amazon nor Microsoft immediately responded to requests for comment about the campaign’s size, whether it targeted specific industries, or whether it remained ongoing.

The incident follows a similar October 2024 effort by the same group, which used domains impersonating AWS and Microsoft to lure users into opening Remote Desktop Protocol files that connected to actor-controlled resources; AWS described that campaign in an earlier blog post, noting it targeted governments, NGOs, academia and defense organizations.

Google’s Threat Intelligence Group has also documented APT29 phishing activity, including campaigns aimed at academics and critics of Russia that used application-specific passwords, per a post on Google Cloud’s Threat Intelligence blog.