Amazon Disrupts Russian APT29 Watering Hole Targeting Microsoft Authentication


HackRead

Amazon has disrupted a Russian APT29 watering hole campaign that used compromised sites to target Microsoft authentication with malicious redirects.

Amazon’s security team has identified and disrupted a new campaign by APT29, also tracked as Midnight Blizzard, a threat group linked to Russia’s Foreign Intelligence Service (SVR). This time, the group had set up a watering hole campaign, planting malicious code on legitimate websites to redirect unsuspecting visitors toward attacker-controlled infrastructure.

From there, the attackers tried to trick people into approving unauthorised devices through Microsoft’s device code authentication system, a technique that could have given them access to sensitive accounts.

For your information, “Waterholing” or watering hole is a type of cyberattack where malicious actors compromise a website or online platform frequently visited by a specific target group, intending to infect their computers with malware when they visit.

It is worth noting that in the past, APT29 relied on phishing campaigns like fake AWS domains or application-specific password attacks targeting academics and critics of Russia. Now they are using compromised sites to redirect visitors to malicious sites.

According to Amazon’s blog post, authored by the company’s Chief Information Security Officer, CJ Moses, only about 10% of visitors were redirected, which allowed the attackers to avoid easy detection while still reaching victims.

**The Technical Side of It**

The technical details of this campaign revealed techniques intended to extend its operation. The malicious JavaScript was obfuscated and base64 encoded, while cookies were used to prevent multiple redirects for the same visitor, and when domains were blocked, the attackers quickly switched to new infrastructure. Some of the fake pages mimicked Cloudflare verification screens, making them look convincing enough to fool casual visitors.
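The pattern described above (a base64-wrapped script, a cookie that suppresses repeat redirects, and only a fraction of visitors sent on) can be hunted for in a site's own inline scripts. The scanner below is an added example, not Amazon's tooling or anything from the article; its regexes, thresholds and both sample scripts are constructed assumptions.

```python
import base64
import re

# Indicator patterns matched against raw and base64-decoded script text.
# The regexes and the 40-character blob threshold are this example's assumptions.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
REDIRECT_RE = re.compile(r"(?:window\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]")
COOKIE_RE = re.compile(r"document\.cookie")
RANDOM_GATE_RE = re.compile(r"Math\.random\(\)\s*<\s*0?\.\d+")


def decode_base64_blobs(script: str) -> list[str]:
    """Decode every long base64-looking literal that yields UTF-8 text; skip the rest."""
    decoded = []
    for blob in B64_RE.findall(script):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # binary (e.g. an image data URI) or not really base64
    return decoded


def score_script(script: str) -> dict:
    """Flag a script only when a redirect sits inside a base64 layer and is gated
    by a cookie check or a random sampling threshold, as the article describes."""
    layers = [script] + decode_base64_blobs(script)
    f = {
        "base64_payload": len(layers) > 1,
        "redirect": any(REDIRECT_RE.search(t) for t in layers),
        "cookie_gate": any(COOKIE_RE.search(t) for t in layers),
        "random_gate": any(RANDOM_GATE_RE.search(t) for t in layers),
    }
    f["suspicious"] = f["base64_payload"] and f["redirect"] and (f["cookie_gate"] or f["random_gate"])
    return f


# Constructed samples (not captured from the real campaign): a benign script that
# also touches cookies and redirects, and one whose base64 literal hides a gated redirect.
BENIGN = 'document.cookie = "theme=dark; path=/"; location.href = "/dashboard";'
_HIDDEN = ('if(!document.cookie.includes("v=1")&&Math.random()<0.1){'
           'document.cookie="v=1";location.href="https://redirect.example.invalid/";}')
SUSPICIOUS = 'eval(atob("%s"));' % base64.b64encode(_HIDDEN.encode()).decode()

if __name__ == "__main__":
    for name, script in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, score_script(script))
```

The benign script uses cookies and a redirect in the clear, so it scores as unremarkable; only the layered, gated variant is flagged.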

Once Amazon detected the activity, they isolated the affected EC2 instances, worked with Cloudflare and other providers to cut off the domains, and passed along intelligence to Microsoft.

Even when APT29 moved to another cloud provider and registered new domains such as cloudflareredirectpartnerscom, Amazon continued tracking and disrupting their activity to limit the campaign’s reach.

Screenshot of a compromised website used in the campaign, with the domain name redacted (Source: Amazon)

**Keep An Eye**

Government-sponsored hackers have resources; they are also full of new ideas, and this campaign is just one such example. Therefore, users must remain careful with unexpected prompts, especially if a site asks you to authorise a new device or copy commands into Windows.

While multi-factor authentication remains one of the best cybersecurity tools, any prompt from Microsoft’s device code system should be double-checked before approving anything. The good news is that coordinated efforts between companies like Amazon, Microsoft, and Cloudflare forced APT29 to quit; however, it is only a matter of time before the group resurfaces with new targets.
