Amazon researchers this month disrupted the latest campaign by Russian-linked threat group APT29 to steal Microsoft user credentials in what the cloud giant’s top security official said “illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts.”
Amazon’s threat intelligence team detected what they said was an opportunistic watering hole campaign that aimed to trick users through compromised websites into authorizing devices controlled by the APT29 attackers via Microsoft’s device code authentication flow. The attackers used the compromised websites to redirect users to their malicious infrastructure.
Amazon's threat researchers had built an analytic tool for identifying APT29 infrastructure, which in this case surfaced the domain names the threat group controlled.
“Through further investigation, Amazon identified the actor compromised various legitimate websites and injected JavaScript that redirected approximately 10% of visitors to these actor-controlled domains,” CJ Moses, Amazon’s CISO and vice president of security engineering, wrote in a blog post, adding that the domains included findcloudflare[.]com, which mimicked Cloudflare’s verification pages to appear legitimate. “The campaign’s ultimate target was Microsoft’s device code authentication flow. There was no compromise of AWS [Amazon Web Services] systems, nor was there a direct impact observed on AWS services or infrastructure.”
The malicious code used randomization to redirect a small percentage of visitors to the malicious infrastructure, employed base64 encoding to hide the malicious code, and set cookies to ensure that the same visitor wouldn’t be redirected more than once.
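As an added detection example (not Amazon's tooling and not code from this article), the scorer below flags a script that shows the traits described above: a randomly gated branch, a base64-obscured string, a cookie used as a redirect-once marker, and a client-side redirect to a host outside the site. The sample scripts, the site hostname and the decoded URL are constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Heuristics taken from the campaign description: a random-gated branch,
# a base64-obscured payload, a cookie set so each visitor is redirected only
# once, and a client-side redirect off the legitimate site.
RANDOM_GATE = re.compile(r"Math\.random\(\)\s*<\s*0?\.\d+")
B64_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
COOKIE_SET = re.compile(r"document\.cookie\s*=")
REDIRECT = re.compile(r"(?:location\.href|location\.replace|window\.location)\s*[=(]")
URL = re.compile(r"https?://[^\s'\"<>]+")

def decode_b64_strings(script):
    """Return the decoded text of every base64 literal passed to atob()."""
    out = []
    for m in B64_LITERAL.finditer(script):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64; ignore it
    return out

def external_hosts(texts, site_host):
    """Collect hostnames referenced in the texts that are not the site or its subdomains."""
    hosts = set()
    for text in texts:
        for url in URL.findall(text):
            host = urlparse(url).hostname
            if host and host != site_host and not host.endswith("." + site_host):
                hosts.add(host)
    return hosts

def score_script(script, site_host):
    """Score one inline script; three or more of the traits together is flagged."""
    decoded = decode_b64_strings(script)
    findings = []
    if RANDOM_GATE.search(script):
        findings.append("random-gated branch")
    if decoded:
        findings.append("base64-obscured string(s)")
    if COOKIE_SET.search(script):
        findings.append("sets cookie (redirect-once marker)")
    if REDIRECT.search(script) or any(REDIRECT.search(d) for d in decoded):
        findings.append("client-side redirect")
    hosts = sorted(external_hosts([script] + decoded, site_host))
    if hosts:
        findings.append("external host(s): " + ", ".join(hosts))
    return {"suspicious": len(findings) >= 3, "findings": findings, "hosts": hosts}

# Constructed samples: the injected pattern (with a placeholder URL, not the real
# payload) and a benign script that also sets a cookie and redirects.
_PAYLOAD = base64.b64encode(b"https://verify.example.invalid/check").decode()
SAMPLE_INJECTED = ("if(Math.random()<0.1&&document.cookie.indexOf('seen=')<0){"
                   "document.cookie='seen=1;path=/';location.href=atob('" + _PAYLOAD + "');}")
SAMPLE_BENIGN = "document.cookie='theme=dark;path=/';location.href='/dashboard';"
```

Run `score_script(SAMPLE_INJECTED, "news.example.org")` to see all five findings; the benign script trips only two and stays below the threshold.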
When APT29’s efforts were blocked, the group pivoted to a new infrastructure, according to Moses.
APT29 – a threat group with ties to Russia’s Foreign Intelligence Service (SVR) that also goes by many other names, including Midnight Blizzard and Cozy Bear – used AWS EC2 instances to run the watering hole campaign. When the campaign was discovered, Amazon isolated the affected instances, worked with Cloudflare and another company to disrupt the threat group’s domains, and alerted Microsoft to the attack.
“Despite the actor’s attempts to migrate to new infrastructure, including a move off AWS to another cloud provider, our team continued tracking and disrupting their operations,” Moses wrote. “After our intervention, we observed the actor register additional domains such as cloudflare[.]redirectpartners[.]com, which again attempted to lure victims into Microsoft device code authentication workflows.”
APT29 emerged in the last decade, running a range of cyberespionage operations in the United States and elsewhere. The group breached U.S. government email systems in 2014, infiltrated the networks of the Democratic National Committee (DNC) in 2016, and targeted COVID-19 vaccine makers starting in 2020, during the pandemic.
It also was behind the massive breach and supply chain attack against software maker SolarWinds in 2020. In April, Check Point researchers said APT29 was using fake wine-tasting invitations in a phishing campaign targeting European diplomats.
In recent attacks, the threat group has shown an interest in collecting Microsoft data and credentials, including hacking into the IT vendor’s corporate email accounts in early 2024. Late last year, the group used the Remote Desktop Protocol (RDP) and phishing emails in attacks against governments, research groups, and other organizations. Amazon disrupted the campaign, which used domains impersonating AWS for its phishing messages.
This year, APT29 reportedly was targeting organizations with ties to Ukraine in an effort to gain unauthorized access to Microsoft 365 accounts.
“When it comes to cyber espionage, few threat actors have made a name for themselves and are as infamous as Cozy Bear, aka APT29,” threat researchers with Picus Security wrote late last year. “Cozy Bear has been at the forefront of major cyber incidents and has demonstrated remarkable persistence, adaptability, and technical prowess over the years.”
They noted that APT29 targets organizations for cyberespionage, adding that its motivation is to gather intelligence that will aid Russia’s national interests. The researchers also said that the threat group has been able to adapt and evolve its capabilities over the years, starting with its phishing campaigns.
“In 2020, Cozy Bear expanded its operation to corporate espionage and supply chain attacks, reflecting a shift from targeted attacks to widespread, multi-vector campaigns,” they wrote. “The group has increasingly employed advanced tactics, including leveraging zero-day vulnerabilities and using sophisticated malware to evade detection. This shows their continuous investment in offensive capabilities and a broader, more strategic approach to cyber operations.”