Amazon has disrupted a Russian watering hole campaign targeting Microsoft users via compromised websites that opportunistically redirected visitors to malicious infrastructure.
Attributed to the state-sponsored cyberespionage group known as Midnight Blizzard (also tracked as APT29, Cozy Bear, the Dukes, and Yttrium) and believed to be sponsored by Russia's Foreign Intelligence Service (SVR), the attacks were focused on credential harvesting and intelligence collection.
The APT compromised legitimate websites and injected JavaScript code that redirected visitors to attacker-controlled domains, such as findcloudflare[.]com, which mimicked a Cloudflare verification page.
Once redirected to the malicious domains, victims were tricked into signing in to their Microsoft accounts and authorizing devices under the attacker's control through Microsoft's device code authentication flow. In that flow the attacker, not the victim, starts the sign-in and obtains the code; the victim who enters it at the legitimate Microsoft login page is in effect granting the attacker's device a token for their account.
According to Amazon CISO CJ Moses, only roughly 10% of the compromised websites' visitors were redirected to the threat actor-controlled domains.
"This opportunistic approach illustrates APT29's continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts," Moses notes.
As part of the attacks, Midnight Blizzard relied on randomization to redirect only a small share of visitors, hid the malicious code using base64 encoding, and set cookies to prevent repeated redirection of the same victim. Each of these measures reduces the chance that a site owner, a scanner, or a returning analyst sees the redirect on a given visit.
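The three evasion measures described above (a random gate, a base64-hidden payload, and a cookie to suppress repeat redirects) are also what a defender can look for when reviewing a site's inline scripts. The following Python script is an added example written for this page; it is not code from AWS, from the article, or from the campaign. It collects inline `<script>` bodies, decodes any base64-looking runs, and flags a script when a decoded payload both changes `location` and carries gating or one of the two domains named in the article. The sample page and its payload are constructed for illustration and only mirror the pattern described, not the actual injected code.

```python
"""Flag inline scripts whose base64-hidden payload performs a gated redirect."""
import base64
import re
from html.parser import HTMLParser

# Domains named in the article; any of them in a payload is a hard indicator.
KNOWN_BAD_HOSTS = ("findcloudflare.com", "cloudflare.redirectpartners.com")

B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


class InlineScriptCollector(HTMLParser):
    """Collects the bodies of <script> elements that have no src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(k == "src" for k, _ in attrs):
            self._in_inline = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.scripts.append(data)


def decode_base64_blobs(script):
    """Return decoded text for each base64-looking run that decodes to text."""
    out = []
    for m in B64_RE.finditer(script):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # minified identifiers and hashes rarely decode cleanly
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            out.append(text)
    return out


def analyze_script(script):
    """Score one inline script; returns None when nothing looks like a redirect."""
    indicators = set()
    if re.search(r"\b(atob|eval|Function)\s*\(", script):
        indicators.add("dynamic_eval")
    decoded = decode_base64_blobs(script)
    if decoded:
        indicators.add("base64_payload")
    hosts = []
    for text in [script] + decoded:
        if re.search(r"\blocation\b", text):
            indicators.add("redirect")
        if "Math.random" in text:
            indicators.add("random_gate")
        if "document.cookie" in text:
            indicators.add("cookie_gate")
        for host in HOST_RE.findall(text):
            host = host.lower()
            if host in KNOWN_BAD_HOSTS and host not in hosts:
                hosts.append(host)
    if hosts:
        indicators.add("known_bad_host")
    # A plain redirect is normal; a redirect hidden in base64 or to a known host is not.
    if "redirect" in indicators and (hosts or "base64_payload" in indicators):
        return {"indicators": sorted(indicators), "hosts": hosts, "decoded": decoded}
    return None


def scan_page(html):
    """Run analyze_script over every inline script on a page."""
    collector = InlineScriptCollector()
    collector.feed(html)
    return [r for r in (analyze_script(s) for s in collector.scripts) if r]


# Constructed sample payload (assumption: illustrative only, not the real code):
# 10 % random gate, a cookie so the same visitor is not redirected twice.
PAYLOAD_JS = ('if(Math.random()<0.1&&document.cookie.indexOf("_cf_seen")<0){'
              'document.cookie="_cf_seen=1;path=/";'
              'window.location="https://findcloudflare.com/verify";}')
SAMPLE_PAGE = f"""<html><body>
<script src="/static/app.js"></script>
<script>var analyticsId="UA-0000";console.log(analyticsId);</script>
<script>eval(atob("{base64.b64encode(PAYLOAD_JS.encode()).decode()}"));</script>
</body></html>"""
BENIGN_PAGE = '<html><body><script>document.title="Hello";</script></body></html>'

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding["indicators"], finding["hosts"])
        print(finding["decoded"][0])
```

Run against a saved copy of a page rather than a live fetch: the random gate means a single fetch has roughly a 90% chance of never seeing the redirect, and the cookie means a browser that was redirected once will not be again, which is exactly why static inspection of the injected script beats reproducing the redirect.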
When blocked, the attackers quickly set up new infrastructure, including by moving to a new cloud provider and by registering the domain cloudflare[.]redirectpartners[.]com, AWS says.
"There was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure," Moses points out.
Last year, Midnight Blizzard impersonated AWS and Microsoft employees to send RDP configuration files to unsuspecting users. In June 2025, Google warned of the APT's attacks targeting the "app-specific password" feature to trick Gmail users into providing MFA-free access to their accounts.
Related: Russian State Hackers Target Organizations With Device Code Phishing
Related: HPE Says Personal Information Stolen in 2023 Russian Hack
Related: Russian APT Exploiting 7-Year-Old Cisco Vulnerability: FBI
Related: Norwegian Police Say Pro-Russian Hackers Were Likely Behind Suspected Sabotage at a Dam