Categories: Cyber Security News

Amazon Strikes Back – Takedown of Russia’s APT29 Hacking Network Protects Users

Amazon’s threat intelligence team has recently disrupted a sophisticated watering hole campaign orchestrated by APT29, the infamous Russian state-linked hacking group also known as Midnight Blizzard.

Leveraging compromised websites and exploiting Microsoft’s device code authentication flow, the campaign sought to harvest credentials and expand the group’s global intelligence collection efforts.

Evolving APT29 Attack Playbook

The latest campaign marks a notable evolution in APT29’s tactics.

After being thwarted by Amazon in October 2024, when the hackers impersonated AWS domains to deliver Remote Desktop Protocol (RDP) phishing files, and by Google in June 2025 for launching targeted application-specific password (ASP) phishing against academics and political critics, the group has now shifted to watering hole attacks.

In these scenarios, attackers injected obfuscated JavaScript into legitimate websites, redirecting a targeted portion of visitors (approximately 10%) to malicious lookalike domains, such as findcloudflare[.]com, which mimicked Cloudflare verification pages.

Technical analysis of the campaign revealed several advanced evasion tricks:

  • Only a fraction of traffic was redirected to hinder detection.
  • Malicious JavaScript was concealed using base64 encoding.
  • Cookies were used to block repeat redirects of the same visitor.
  • The hackers quickly pivoted to new infrastructure when existing domains were blacklisted or blocked.
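The evasion traits listed above are also what a defender can look for when reviewing scripts served by their own site. As an added example (not code from Amazon's report or from this article), the Python scanner below decodes long base64 literals in an inline script, checks the decoded layers for a redirect sink, a random sampling gate and a cookie gate, and matches the article's defanged indicator domains; both sample scripts are constructed fixtures, not captured samples.

```python
import base64
import re

# Domains published in the article as indicators, kept defanged as printed.
CAMPAIGN_DOMAINS = ["findcloudflare[.]com", "cloudflare[.]redirectpartners[.]com"]

# Traits of the injected script as the article describes them.
REDIRECT_SINK = re.compile(r"(?:window\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]")
SAMPLING_GATE = re.compile(r"Math\.random\(\)\s*<\s*0?\.\d+")   # only a fraction of visitors
COOKIE_GATE = re.compile(r"document\.cookie")                   # no repeat redirects per visitor
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")           # long base64 string literals

def refang(domain):
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".")

def decode_base64_literals(script):
    """Decode every long base64 literal that yields readable text; binary blobs are skipped."""
    layers = []
    for blob in B64_LITERAL.findall(script):
        try:
            layers.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return layers

def scan_script(script):
    """Report which campaign traits an inline script exhibits across its decoded layers."""
    layers = [script] + decode_base64_literals(script)
    text = "\n".join(layers)
    f = {
        "ioc_domains": sorted(refang(d) for d in CAMPAIGN_DOMAINS if refang(d) in text),
        "base64_layer": len(layers) > 1,
        "redirect_sink": bool(REDIRECT_SINK.search(text)),
        "sampling_gate": bool(SAMPLING_GATE.search(text)),
        "cookie_gate": bool(COOKIE_GATE.search(text)),
    }
    # A known domain alone is conclusive; otherwise require the full evasion pattern.
    f["suspicious"] = bool(f["ioc_domains"]) or (
        f["base64_layer"] and f["redirect_sink"] and (f["sampling_gate"] or f["cookie_gate"])
    )
    return f

# Constructed fixtures: a script modelled on the article's description, and a legitimate one that also carries base64.
_INNER = ('if(Math.random()<0.1&&!document.cookie.includes("cf_seen")){'
          'document.cookie="cf_seen=1";location.replace("https://findcloudflare.com/verify")}')
SAMPLE_INJECTED = 'eval(atob("%s"));' % base64.b64encode(_INNER.encode()).decode()
SAMPLE_BENIGN = ('var px=new Image();px.src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB'
                 'CAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";')
```

The benign fixture shows why the scanner requires the combined pattern rather than flagging base64 alone: data URIs and bundled assets use base64 routinely and decode to binary, not to a redirect.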

Targeting Microsoft Authentication and Swift Countermeasures

The operation’s ultimate goal was to trick users into completing the Microsoft device code authentication process, letting attackers authorize their own devices on victims’ accounts.

Despite the advanced tradecraft, Amazon’s analytics flagged APT29-controlled infrastructure, leading to the disruption of their campaign.

Amazon moved rapidly to isolate the affected AWS systems, notified partners such as Cloudflare and Microsoft, and helped dismantle the domains and cloud resources used in the attacks.

After being blocked on AWS, APT29 attempted to switch to additional domains, including cloudflare[.]redirectpartners[.]com, to continue its credential-stealing operations. However, continued monitoring and cross-industry collaboration allowed further containment of the threat.

Safeguarding Organizations and End Users

Amazon urges vigilance against suspicious redirect chains, especially those disguised as security checks.

Both individuals and IT administrators should verify the legitimacy of device authentication requests, enable multi-factor authentication (MFA) across all accounts, and be cautious of prompts to execute unknown commands, especially those appearing in the Windows Run dialog, a tactic linked to the growing “ClickFix” attack technique.

Administrators should follow Microsoft’s recommendations by restricting device authentication flows, enforcing conditional access based on device and location, and monitoring new device authorizations.

Key indicators of compromise from the campaign include the domains findcloudflare[.]com and cloudflare[.]redirectpartners[.]com.

Amazon’s swift, coordinated response is a reminder of the need for continued vigilance and cooperation as threat actors refine their techniques and expand their reach.

The post Amazon Strikes Back – Takedown of Russia’s APT29 Hacking Network Protects Users appeared first on Cyber Security News.