Amazon’s threat intelligence team has detected and disrupted a watering hole attack carried out by APT29 (also tracked as Midnight Blizzard, Cozy Bear, and Nobelium), a threat actor linked to Russia’s Foreign Intelligence Service (SVR).
The investigation revealed that the group was running an opportunistic campaign by compromising legitimate websites to redirect visitors to malicious infrastructure in order to trick users into authorizing attacker-controlled devices via Microsoft’s device code authentication process.
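The abuse described above leaves a trace on the defender's side: the attacker-registered device completes a device code grant, so a tenant's sign-in logs can be searched for device-code authentications that arrive from addresses the organisation does not recognise, especially when the same user had an ordinary sign-in from a different address minutes earlier. The following Python is an added example, not code from Amazon or from the article; it runs over constructed records shaped like Entra sign-in log entries, and the field names (authenticationProtocol, userPrincipalName, ipAddress, createdDateTime) and the known-egress address list are assumptions for the illustration.

```python
from datetime import datetime

# Constructed sample records shaped like Entra / Microsoft Graph sign-in log entries.
# Assumption: authenticationProtocol, userPrincipalName, ipAddress and createdDateTime
# are the fields a defender exports from the tenant's sign-in logs.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.invalid", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-08-29T09:00:00Z"},
    {"userPrincipalName": "alice@example.invalid", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "createdDateTime": "2025-08-29T09:04:00Z"},
    {"userPrincipalName": "bob@example.invalid", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-08-29T11:30:00Z"},
]

# Constructed: addresses from which the organisation expects device-code sign-ins.
KNOWN_EGRESS_IPS = {"203.0.113.10"}


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_device_code_signins(records, known_egress_ips, window_minutes=30):
    """Return device-code sign-ins that look like an attacker-authorised device.

    A record is flagged when the device-code grant came from an address outside
    known_egress_ips. Each finding also notes whether the same user had a
    non-device-code sign-in from a different address within window_minutes
    before it (the redirected browser session followed by the foreign device).
    """
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)

    findings = []
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        if rec["ipAddress"] in known_egress_ips:
            continue
        ts = parse_ts(rec["createdDateTime"])
        preceded = any(
            other is not rec
            and other["authenticationProtocol"] != "deviceCode"
            and other["ipAddress"] != rec["ipAddress"]
            and 0 <= (ts - parse_ts(other["createdDateTime"])).total_seconds()
            <= window_minutes * 60
            for other in by_user[rec["userPrincipalName"]]
        )
        findings.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "time": rec["createdDateTime"],
            "preceded_by_other_ip_signin": preceded,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS, KNOWN_EGRESS_IPS):
        print(finding)
```

On the constructed data only alice's sign-in is flagged: the device-code grant came from an unknown address four minutes after her normal sign-in, which is the pattern a watering hole redirect into a device code prompt would produce. Bob's device-code sign-in from a known egress address is left alone, which is the kind of allow-listing a real deployment would need to keep the rule quiet.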
APT29 has been active since at least 2013 and is known for cyber espionage against governments and critical sectors. Recently, the group has expanded its targets, with phishing campaigns aimed at European diplomats and experts on Russian disinformation.
The recent campaign demonstrates that the threat actor is still largely focused on credential harvesting and intelligence gathering using improved techniques, including the compromise of legitimate websites, the injection of obfuscated JavaScript code and rapid infrastructure changes when its domains were disrupted.
Amazon’s security team says that APT29 breached various legitimate websites and injected JavaScript that redirected around 10% of visitors to the actor-controlled domains. The attackers used fake domains, including findcloudflare[.]com, that mimicked Cloudflare verification pages to appear trustworthy. The malicious code used evasion tactics like randomized redirects and base64 encoding to avoid detection. When blocked, the group quickly switched to new domains.
“There was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure,” the team added.
The intruders have been observed leveraging various evasion techniques, including using randomization to only redirect a small percentage of visitors, employing base64 encoding to hide malicious code, setting cookies to prevent repeated redirects of the same visitor, and pivoting to new infrastructure when blocked.
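The traits listed above (a redirect gated on Math.random, a cookie that suppresses repeat redirects, and base64 hiding the logic) are all visible to a site owner who inspects the scripts served from their own pages. The following Python is an added example, not code from Amazon or from the article: a heuristic scanner that decodes base64 runs found in a script and reports which of the described traits appear in the clear or only after decoding. The sample scripts, the indicator patterns and the placeholder domain are constructed for the illustration.

```python
import base64
import binascii
import re

# Heuristic for base64-looking runs; 24 characters is long enough to skip identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Traits the report describes: a redirect, a random-percentage gate, a cookie gate,
# and decode-and-execute of an encoded blob. Patterns are constructed heuristics.
INDICATORS = {
    "redirect": re.compile(r"(?:window\.)?location\.(?:href|replace|assign)"),
    "random_gate": re.compile(r"Math\.random\(\)\s*<\s*0?\.\d+"),
    "cookie_gate": re.compile(r"document\.cookie"),
    "decode_and_run": re.compile(r"\beval\s*\(\s*atob\s*\("),
}


def decode_text_blobs(script):
    """Return the base64 runs in script that decode to valid UTF-8 text."""
    out = []
    for match in B64_RUN.finditer(script):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            out.append(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or binary such as an inline image
    return out


def assess_script(script):
    """Report which traits appear in the clear or inside decoded base64 blobs."""
    found = {}
    for name, pattern in INDICATORS.items():
        if pattern.search(script):
            found[name] = "clear"
    decoded = decode_text_blobs(script)
    for text in decoded:
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                found.setdefault(name, "base64")
    # A redirect by itself is common; a redirect gated on chance or a cookie is not.
    suspicious = "redirect" in found and (
        "random_gate" in found or "cookie_gate" in found
    )
    return {"indicators": found, "decoded_blobs": len(decoded), "suspicious": suspicious}


# Constructed sample resembling the described injection; the domain is a placeholder.
_PAYLOAD = (
    'if(Math.random()<0.1&&document.cookie.indexOf("seen=")<0){'
    'document.cookie="seen=1";location.href="https://placeholder.invalid/";}'
)
SAMPLE_INJECTED = 'eval(atob("%s"));' % base64.b64encode(_PAYLOAD.encode()).decode()

# Constructed benign page script: a random id with no threshold, and an inline
# binary blob that is base64 but not text, so it must not raise a finding.
SAMPLE_BENIGN = (
    'var id="r"+Math.random().toString(36);'
    'var img="data:image/png;base64,%s";'
    % base64.b64encode(b"\x89PNG" + bytes(range(128, 160))).decode()
)

if __name__ == "__main__":
    print(assess_script(SAMPLE_INJECTED))
    print(assess_script(SAMPLE_BENIGN))
```

Run against the constructed injected script, the scanner sees only the eval(atob(...)) wrapper in the clear and finds the redirect, the random gate and the cookie gate inside the decoded blob, which is exactly why a grep over the served script for a hostname would miss it. The benign script carries a base64 image and an unconditioned Math.random call and is not flagged; on a real site the scanner would be run over every script tag and external script the pages reference, since the injection lives in the legitimate site's own content.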