Amazon Strikes Again: Disrupts APT29's Microsoft Targeting Campaign

Amazon's vigilance strikes again. This time, it's foiled APT29's attempt to compromise Microsoft's device code authentication flow.


Amazon has disrupted yet another cyber operation by the notorious APT29 hacking group, this time targeting Microsoft's device code authentication flow. The campaign, carried out by the SVR-linked group, compromised legitimate websites and redirected visitors to malicious infrastructure.

In August, Amazon took down a watering hole campaign set up by APT29, which compromised legitimate sites and redirected around 10% of visitors to Russian-controlled domains, including findcloudflare[.]com. The group later attempted to use phishing domains impersonating AWS in October 2024, an attempt that Amazon also disrupted.

The U.S. Department of Justice and the FBI previously seized domains abused by APT29 in a 2021 spear-phishing campaign. After Amazon's disruption of their watering hole attack, APT29 continued their operation on Microsoft 365. Meanwhile, Google's threat intelligence team uncovered another phishing campaign by APT29 in June, targeting academics and critics of Russia.

APT29, also known as BlueBravo and Cozy Bear, has a history of high-profile hacks, including the 2020 SolarWinds incident and the 2016 attack on the Democratic National Committee. Amazon's disruption of their latest campaign highlights the ongoing efforts by tech giants to combat cyber threats. Microsoft and Google have also played significant roles in uncovering and countering APT29's activities.
