
AWS catches Russia's Cozy Bear clawing at Microsoft credentials

(2025/08/29)


Amazon today said it disrupted an intel-gathering attempt by Russia's APT29 to trick Microsoft users into unwittingly granting the Kremlin-backed cyberspies access to their accounts and data.

APT29, also known as Cozy Bear and Midnight Blizzard, is probably best known for the [1]2020 SolarWinds hack, and has been widely linked to Russia's Foreign Intelligence Service (SVR) by the US, UK, and other governments and security researchers. And this particular bear has developed a [2]taste for Microsoft data and user credentials over the years.

In its most recent [3]watering hole campaign, the attackers compromised legitimate websites and injected malicious JavaScript code that redirected about 10 percent of visitors to actor-controlled domains.

The domains included findcloudflare[.]com and cloudflare[.]redirectpartners[.]com, which were intended to mimic legit Cloudflare verification pages. The goal was to trick people trying to log into their Microsoft accounts into entering an APT29-generated device code into the sign-in page, thus authorizing attacker-controlled devices and ultimately granting the Russian spies access to the victims' Microsoft accounts and data.

"This opportunistic approach illustrates APT29's continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts," Amazon's Chief Information Security Officer CJ Moses said in a Friday blog post.

Moses added that no AWS systems were compromised, nor was there any direct impact on AWS services or infrastructure.

AWS also analyzed the code to find the methods APT29 used to evade detection. These included using randomization to only redirect a small percentage of visitors, employing base64 encoding to hide malicious code, setting cookies to prevent repeated redirects of the same visitor, and then pivoting to new infrastructure when blocked.
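The evasion tricks listed above (a random gate that fires for only a fraction of visitors, a base64-wrapped payload, a cookie to suppress repeat redirects, and a Cloudflare-lookalike destination) are each cheap to spot in injected script. The heuristic scanner below is an added example written for this article, not AWS's or The Register's code; the two sample scripts, the scoring weights and the threshold are constructed assumptions, and the brand list is limited to Cloudflare because that is the brand the campaign imitated.

```python
"""Heuristic scanner for injected watering-hole JavaScript (added example)."""
import base64
import re
from dataclasses import dataclass, field

# Hosts containing the imitated brand name; only these suffixes are legitimate (assumption).
LOOKALIKE_RE = re.compile(r"https?://([a-z0-9.-]*cloudflare[a-z0-9.-]*)", re.I)
LEGIT_SUFFIXES = ("cloudflare.com", "cloudflare.net")
RANDOM_GATE_RE = re.compile(r"Math\.random\(\)\s*<\s*(0?\.\d+)")   # "fire for N% of visitors"
COOKIE_RE = re.compile(r"document\.cookie")                         # repeat-redirect suppression
B64_BLOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")  # hidden payload

@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

def _with_decoded_blobs(js: str) -> str:
    """Append the decoded text of every atob('...') literal so indicators hidden
    behind base64 are visible to the other checks."""
    decoded = []
    for blob in B64_BLOB_RE.findall(js):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64; the atob() call is still counted below
    return js + "\n" + "\n".join(decoded)

def scan_script(js: str) -> Finding:
    f = Finding()
    text = _with_decoded_blobs(js)
    if B64_BLOB_RE.search(js):
        f.score += 1; f.reasons.append("base64 literal passed to atob()")
    gate = RANDOM_GATE_RE.search(text)
    if gate and float(gate.group(1)) <= 0.2:   # a small fraction, as in the ~10% gate
        f.score += 2; f.reasons.append(f"random gate hits ~{float(gate.group(1))*100:.0f}% of visitors")
    if COOKIE_RE.search(text):
        f.score += 1; f.reasons.append("reads/sets document.cookie (repeat-visitor suppression)")
    for host in LOOKALIKE_RE.findall(text):
        if not host.lower().endswith(LEGIT_SUFFIXES):
            f.score += 3; f.reasons.append(f"brand-lookalike destination: {host}")
    return f

def is_suspicious(js: str, threshold: int = 4) -> bool:
    return scan_script(js).score >= threshold

# Constructed samples: a gated, cookie-checked, base64-hidden redirect versus a benign page script.
_HIDDEN = base64.b64encode(b"location.href='https://cloudflare.redirectpartners.com/verify'").decode()
SAMPLE_INJECTED = ("if(Math.random()<0.1&&document.cookie.indexOf('cf_seen')<0)"
                   f"{{document.cookie='cf_seen=1';eval(atob('{_HIDDEN}'))}}")
SAMPLE_BENIGN = "document.cookie='theme=dark';fetch('https://challenges.cloudflare.com/turnstile/v0/api.js')"
```

The decode step matters: without it the lookalike host in the injected sample is invisible, and the script would score low enough to pass.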

Neither Amazon nor Microsoft immediately responded to The Register's inquiries about the size of this campaign, whether it targeted specific groups or industry sectors, and whether it remained ongoing.

It follows a similar attempt by the same Russian spy crew from October 2024, during which they attempted to use domains [12]impersonating AWS and [13]Microsoft to phish users with Remote Desktop Protocol files pointed to actor-controlled resources. These attacks, according to Microsoft, targeted governments, NGOs, academia, and defense organizations.

Earlier this summer, Google's Threat Intelligence Group [14]documented APT29's phishing campaigns also targeting academics and critics of Russia using application-specific passwords. ®

[1] https://www.theregister.com/2021/04/15/solarwinds_hack_russia_apt29_positive_technologies_sanctions

[2] https://www.theregister.com/2024/03/08/microsoft_confirms_russian_spies_stole/

[3] https://aws.amazon.com/blogs/security/amazon-disrupts-watering-hole-campaign-by-russias-apt29/

[7] https://www.theregister.com/2024/10/30/russia_wrangles_rdp_files_in/

[8] https://www.theregister.com/2024/08/29/commercial_spyware_russia_mongolia/

[9] https://www.theregister.com/2024/06/28/teamviewer_russia/

[10] https://www.theregister.com/2024/03/08/microsoft_confirms_russian_spies_stole/

[12] https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/

[13] https://www.theregister.com/2024/10/30/russia_wrangles_rdp_files_in/

[14] https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia



what difference does it make nowadays

Dr Paul Taylor

"Amazon today said it disrupted an intel-gathering attempt to trick Microsoft users into knowingly granting the Whitehouse-backed cyberspies access to their accounts and data."

whether your data ends up in Putinistan, Xistan or Trumpistan?

Re: what difference does it make nowadays

Like a badger

Erm...if it ends up in Trumpistan some shitbag corporation will try and use the data to sell you something, if it ends up in Putinistan some state sponsored scrote will try and extort or defraud a lot of money out of you, and if it ends up in Xistan (Xiistan?) then it'll be held and analysed for some future purpose (unless you're of Chinese heritage, then you'll simply be blackmailed).

One Bell System - it used to work before they installed the Dimension!