Amazon has disrupted a cyberattack campaign by Russian state-backed hacking group APT29, also known as Midnight Blizzard or Cozy Bear, that was targeting Microsoft 365 users.
According to Amazon’s AWS Security team, the hackers compromised legitimate websites and injected malicious JavaScript to launch a watering-hole attack. Around 10% of visitors to these sites were redirected to fake domains that mimicked Cloudflare verification pages.
Victims were then tricked into entering a Microsoft device code, unknowingly authorizing attacker-controlled devices. This gave the hackers access to their Microsoft 365 accounts. Amazon said the attackers used obfuscation techniques like Base64 encoding and cookies to avoid detection, and quickly shifted infrastructure when blocked.
Amazon confirmed that its own AWS infrastructure was not compromised. The company has worked with security partners to disrupt the campaign and take down the malicious domains. APT29, linked to Russia’s SVR intelligence agency, is known for past high-profile attacks, including the SolarWinds breach.
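The device code authorization step described above leaves a trace in identity sign-in logs, so a defender can review them for it. The following is an added example, not code from Amazon's report or from this article: it flags successful device-code sign-ins by users who are not expected to use that flow. The log records are constructed samples, and the field names (assumed to follow the Microsoft Graph sign-in log schema, including `authenticationProtocol`) and the `approved_users` allowlist are assumptions to adapt to your own export.

```python
import json
from collections import defaultdict

# Constructed sample records (not real data). Field names are an assumption
# modelled on the Microsoft Graph sign-in log; errorCode 1 is a made-up failure.
SAMPLE_LOG = """\
{"createdDateTime":"2025-08-01T09:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.10","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-08-01T09:05:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-08-01T10:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-08-01T10:10:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.78","authenticationProtocol":"deviceCode","status":{"errorCode":1}}
{"createdDateTime":"2025-08-01T10:20:00Z","userPrincipalName":"kiosk@example.com","ipAddress":"192.0.2.40","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-08-01T11:00:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""


def parse(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records, approved_users=frozenset()):
    """Return successful device-code sign-ins by users outside the allowlist.

    Each finding notes whether the source IP is new for that user, based on
    earlier successful sign-ins in the same data set.
    """
    approved = {u.lower() for u in approved_users}
    seen_ips = defaultdict(set)
    findings = []
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"].lower()
        ip = rec["ipAddress"]
        ok = rec.get("status", {}).get("errorCode") == 0
        if ok and rec.get("authenticationProtocol") == "deviceCode" and user not in approved:
            findings.append({"time": rec["createdDateTime"], "user": user,
                             "ip": ip, "new_ip": ip not in seen_ips[user]})
        if ok:
            seen_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(parse(SAMPLE_LOG), {"kiosk@example.com"}):
        print(f)
```

A finding with `new_ip` set to true deserves the first look, since the device that redeemed the code signed in from somewhere the user has not been seen before.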