Amazon Thwarts Russian APT29 Hackers Targeting Microsoft 365
Researchers have successfully disrupted an operation linked to the Russian state-sponsored threat group Midnight Blizzard, also known as APT29, which aimed to gain access to Microsoft 365 accounts and sensitive data. This hacker group employed a watering hole campaign, compromising legitimate websites to redirect targeted users to malicious infrastructure designed to deceive them into authorising attacker-controlled devices via Microsoft’s device code authentication flow. Midnight Blizzard, associated with Russia’s Foreign Intelligence Service (SVR), is notorious for its sophisticated phishing techniques, which have recently affected European embassies, Hewlett Packard Enterprise, and TeamViewer. Amazon’s threat intelligence team identified the domain names used in this campaign by analysing APT29’s infrastructure, revealing that the hackers had obfuscated malicious code and redirected approximately 10% of compromised website visitors to domains mimicking Cloudflare verification pages.
Upon discovering the campaign, Amazon researchers isolated the EC2 instances utilised by the threat actors and collaborated with Cloudflare and Microsoft to disrupt the identified domains. The investigation showed that APT29 had attempted to shift its infrastructure to another cloud provider and had registered new domain names, such as cloudflare[.]redirectpartners[.]com. CJ Moses, Amazon’s Chief Information Security Officer, stated that the researchers continued to monitor the threat actor’s movements and successfully disrupted their efforts. This latest campaign signifies an evolution in APT29’s tactics for credential and intelligence collection, showcasing refinements in their technical approach that no longer depend on impersonating AWS domains or on using social engineering to bypass multi-factor authentication (MFA). Users are advised to verify device authorisation requests, enable MFA, and refrain from executing commands copied from webpages. Administrators should consider disabling unnecessary device authorisation flows, enforcing conditional access policies, and closely monitoring for suspicious authentication activity.
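As an added illustration of the monitoring advice above (example code, not from Amazon or the article), the Python below flags successful device code sign-ins in a constructed sample of Entra ID sign-in records and escalates when the authorising IP has never appeared in the user's other sign-ins, which is how an attacker-controlled device would typically look. The field names (userPrincipalName, authenticationProtocol, ipAddress, location, status, createdDateTime) are assumed to follow the Microsoft Graph signIn resource and should be checked against a real export.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in log records (not real data).
# authenticationProtocol == "deviceCode" is assumed to mark a sign-in that
# completed via the device code flow; verify this against your own export.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}, "createdDateTime": "2025-08-28T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}, "createdDateTime": "2025-08-28T09:12:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}, "createdDateTime": "2025-08-28T10:00:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.25", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}, "createdDateTime": "2025-08-28T07:30:00Z"},
]


def device_code_alerts(signins):
    """Return one alert per successful device code sign-in.

    Every successful device code sign-in is reported, since the flow should be
    rare in a tenant that does not need it. Severity is HIGH when the
    authorising IP was never seen in any of the user's other successful
    sign-ins, and MEDIUM when it matches a known address.
    """
    known_ips = defaultdict(set)
    for rec in signins:
        if rec["status"]["errorCode"] == 0 and rec["authenticationProtocol"] != "deviceCode":
            known_ips[rec["userPrincipalName"]].add(rec["ipAddress"])

    alerts = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode" or rec["status"]["errorCode"] != 0:
            continue
        user = rec["userPrincipalName"]
        severity = "HIGH" if rec["ipAddress"] not in known_ips[user] else "MEDIUM"
        alerts.append({"user": user, "ip": rec["ipAddress"],
                       "country": rec["location"]["countryOrRegion"],
                       "time": rec["createdDateTime"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(SAMPLE_SIGNINS):
        print(json.dumps(alert))
```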
Categories: Cybersecurity Threats, Phishing Techniques, Incident Response
Tags: Midnight Blizzard, APT29, Microsoft 365, Watering Hole Campaign, Phishing Methods, Cloudflare, Device Code Authentication, Malicious Infrastructure, Multi-Factor Authentication, Threat Intelligence