Ethical Hacking News
AWS has disrupted an intelligence-gathering attempt by Russia's APT29 to trick Microsoft users into granting access to their accounts and data, highlighting the ongoing threat posed by sophisticated nation-state actors in the realm of cybersecurity.
APT29 (Cozy Bear and Midnight Blizzard) attempted to trick Microsoft users into granting access to their accounts and data through a watering hole campaign. The attackers compromised legitimate websites, injecting malicious JavaScript code that redirected about 10% of visitors to actor-controlled domains. The goal was to trick users into entering an APT29-generated device code, authorizing attacker-controlled devices and gaining access to Microsoft accounts and data. APT29 has been linked to Russia's Foreign Intelligence Service (SVR) by the US, UK, and other governments and security researchers. The operation highlights the importance of robust cybersecurity measures for organizations and individuals alike in protecting against nation-state threats.
Amazon Web Services (AWS) has recently disrupted an intelligence-gathering attempt by Russia's APT29, also known as Cozy Bear and Midnight Blizzard, to trick Microsoft users into unwittingly granting the Kremlin-backed cyberspies access to their accounts and data. This latest operation highlights the ongoing threat posed by sophisticated nation-state actors in the realm of cybersecurity.
According to Amazon's Chief Information Security Officer, CJ Moses, this opportunistic approach illustrates APT29's continued evolution in scaling its operations to cast a wider net in its intelligence collection efforts. The attackers compromised legitimate websites and injected malicious JavaScript code that redirected about 10 percent of visitors to actor-controlled domains. These domains included findcloudflare[.]com and cloudflare[.]redirectpartners[.]com, which were intended to mimic legitimate Cloudflare verification pages.
The goal of this watering hole campaign was to trick people trying to log into their Microsoft accounts into entering an APT29-generated device code into the sign-in page, thus authorizing attacker-controlled devices and ultimately granting the Russian spies access to the victims' Microsoft accounts and data. This tactic is reminiscent of previous attempts by APT29, including a similar attempt in October 2024, where they attempted to use domains impersonating AWS and Microsoft to phish users with Remote Desktop Protocol files pointed to actor-controlled resources.
Microsoft has long been a target for Russian-backed cyberspies, particularly APT29. The US, UK, and other governments and security researchers have widely linked APT29 to Russia's Foreign Intelligence Service (SVR). This latest operation serves as a reminder of the ongoing threat posed by sophisticated nation-state actors in the realm of cybersecurity.
Amazon also analyzed the code used by APT29 to identify the methods it employed to evade detection. These included using randomization to redirect only a small percentage of visitors, employing base64 encoding to hide the malicious code, setting cookies to prevent repeated redirects of the same visitor, and pivoting to new infrastructure when blocked. Neither Amazon nor Microsoft immediately responded to The Register's inquiries about the size of this campaign, whether it targeted specific groups or industry sectors, and whether it remained ongoing.
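The four evasion traits Amazon described (a base64-hidden layer, random sampling of visitors, cookie gating, and a redirect to a Cloudflare-lookalike host) can be turned into a simple heuristic check for scripts served by a site you operate. The following is an added example, not Amazon's analysis code or the real injected script; the sample pages and the `.example` host are constructed for the demonstration.

```python
import base64
import re

# Traits of the injected script that Amazon described: payload hidden in
# base64, random sampling of visitors, a cookie so a visitor is redirected
# only once, and a redirect to a Cloudflare-lookalike host.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)

def decode_blobs(script: str) -> list[str]:
    """Decode long base64 runs that turn into readable text (a hidden code layer)."""
    layers = []
    for m in B64_BLOB.finditer(script):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\r\t" for c in text):
            layers.append(text)
    return layers

def is_lookalike(host: str) -> bool:
    """'cloudflare' appears in the name but it is not the real cloudflare.com zone."""
    h = host.lower()
    return "cloudflare" in h and not (h == "cloudflare.com" or h.endswith(".cloudflare.com"))

def score_script(script: str) -> dict:
    """Return which traits are present plus a total; three or more deserves a closer look."""
    layers = decode_blobs(script)
    text = "\n".join([script] + layers)          # inspect the page and every decoded layer
    hits = {
        "base64_layer": bool(layers),
        "random_sampling": bool(re.search(r"Math\.random\(\)\s*[<>]", text)),
        "cookie_gating": "document.cookie" in text,
        "redirect": bool(re.search(r"location(?:\.href)?\s*=(?!=)|location\.replace\(", text)),
        "lookalike_host": any(is_lookalike(h) for h in URL_HOST.findall(text)),
    }
    hits["total"] = sum(hits.values())
    return hits

# Constructed samples (not the real injected code): one injected page, one clean page.
INNER = ('if(!document.cookie.includes("seen=1")&&Math.random()<0.1){'
         'document.cookie="seen=1";location.href="https://findcloudflare.example/v";}')
INJECTED_PAGE = '<script>eval(atob("%s"))</script>' % base64.b64encode(INNER.encode()).decode()
CLEAN_PAGE = '<a href="https://www.cloudflare.com/">CDN</a><script>console.log("hi")</script>'

if __name__ == "__main__":
    print(score_script(INJECTED_PAGE))   # all five traits present
    print(score_script(CLEAN_PAGE))      # total 0
```

A real deployment would fetch each page's inline and external scripts on a schedule and alert when the total rises, since the campaign rotated infrastructure when blocked.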
The use of sophisticated tactics by APT29 underscores the importance of robust cybersecurity measures for organizations and individuals alike. As nation-state actors continue to evolve and adapt their tactics, it is crucial to remain vigilant and take proactive steps against these threats. In conclusion, this operation serves as a reminder of the ongoing threat posed by sophisticated nation-state actors and of the need for continuous vigilance in protecting ourselves and our organizations.
Related Information:
https://www.ethicalhackingnews.com/articles/AWS-Disrupts-Russian-Cozy-Bears-Sophisticated-Phishing-Campaign-Targeting-Microsoft-Credentials-ehn.shtml
https://www.theregister.com/2025/08/29/aws_catches_russias_apt29_trying/
https://hackread.com/russian-cozy-bear-hackers-phish-microsoft-aws-lures/
https://en.wikipedia.org/wiki/Cozy_Bear
https://arstechnica.com/security/2024/01/the-life-and-times-of-cozy-bear-the-russian-hackers-who-just-hit-microsoft-and-hpe/
https://www.picussecurity.com/resource/blog/apt29-cozy-bear-evolution-techniques
https://securityaffairs.com/158097/security/midnight-blizzard-hacked-hpe.html
https://www.quorumcyber.com/threat-actors/midnight-blizzard-threat-actor-profile/
Published: Fri Aug 29 12:52:05 2025 by llama3.2 3B Q4_K_M