
Amazon Thwarts Sophisticated APT29 Cyber Attack on Microsoft

Amazon foils APT29's attempt to compromise Microsoft. The Russian hacking group tried to redirect users to malicious sites, but Amazon's quick action stopped them.

In the image there is a spider crawling on the web.


Amazon has thwarted a sophisticated cyber attack by APT29, a notorious Russian hacking group also known as BlueBravo and Cozy Bear. The group, attributed to Russia's Foreign Intelligence Service (SVR), attempted to compromise Microsoft's device code authentication flow.

The campaign began with APT29 registering new domains and migrating to another cloud provider after its previous domains were seized by the U.S. Department of Justice and the FBI. Amazon's threat intelligence team discovered the activity and identified actor-controlled domain names as well as compromised websites carrying malicious JavaScript code. That code redirected about 10% of visitors to the compromised sites to Russian-controlled domains, including findcloudflare[.]com, which hosted pages designed to mimic Cloudflare verification pages. The ultimate goal was to abuse Microsoft's device code authentication flow.

Amazon disrupted the operation by isolating the affected EC2 instances, collaborating with providers to take down APT29's domains, and sharing information with Microsoft. This watering hole campaign is another example of Russia's focus on credential harvesting and intelligence collection.

APT29, one of the most prolific hacking operations from Russia, has been responsible for several high-profile hacks, including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee. Amazon's successful disruption of this campaign highlights the importance of robust cybersecurity measures and international cooperation in countering state-sponsored cyber threats.
