
Russian hacker group Cozy Bear found attempting to breach Microsoft account details, detected by AWS

Visitors at the watering hole these days include some unusual suspects


In a recently disclosed cyber-espionage operation, the state-sponsored group APT29, also known as Cozy Bear and Midnight Blizzard, has been tied to an unusual large-scale watering hole campaign. The group is widely attributed to Russia's Foreign Intelligence Service (SVR) and is best known for the SolarWinds supply-chain compromise disclosed in 2020.

APT29 has a long-standing interest in Microsoft accounts and the data behind them. In this campaign it took an unconventional route: rather than harvesting passwords on a fake login form, the lures tried to get victims to enter an APT29-generated device code on Microsoft's legitimate device-login page. Completing that step authorises the attacker's device on the victim's account without the victim ever typing a password into an attacker-controlled page, which is why the lure can be dressed up as a harmless verification step.

The goal of the watering hole campaign was opportunistic: capture sign-ins from as many potential intelligence targets as possible rather than from one specific group or organisation. Visitors to a range of legitimate but compromised websites were exposed, among them academics and critics of Russia.
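A device code sign-in completed by an attacker leaves a distinctive trace in the tenant: the successful authentication is recorded with the device code protocol and comes from the attacker's machine, not the victim's usual network. The following hunt is an added example, not code from AWS, Microsoft or the article. It assumes sign-in events exported from the Microsoft Graph `signIns` API, which exposes the field `authenticationProtocol` with the value `deviceCode`; the corporate egress networks and the sample records are constructed for the example.

```python
"""Hunt Entra ID sign-in records for device code flow logins.

Added example (not code from AWS, Microsoft or the article). It assumes
sign-in events exported from the Microsoft Graph `signIns` API, which
exposes `authenticationProtocol` with the value "deviceCode"; the
corporate egress networks below are a hypothetical allow-list.
"""
import ipaddress
import json
from typing import Iterable

# Hypothetical allow-list of corporate egress networks (assumption).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export, one JSON object per line, using the Graph
# signIns field names. These are not real sign-ins.
SAMPLE_SIGNINS = """\
{"id":"s1","userPrincipalName":"alice@example.org","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":0},"createdDateTime":"2025-08-20T09:01:00Z"}
{"id":"s2","userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","status":{"errorCode":0},"createdDateTime":"2025-08-20T09:05:00Z"}
{"id":"s3","userPrincipalName":"carol@example.org","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","appDisplayName":"Azure CLI","status":{"errorCode":0},"createdDateTime":"2025-08-20T09:07:00Z"}
{"id":"s4","userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","status":{"errorCode":50126},"createdDateTime":"2025-08-20T09:09:00Z"}
"""


def is_known_network(ip: str) -> bool:
    """True if the address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def find_device_code_signins(lines: Iterable[str]) -> list[dict]:
    """Return one finding per device code sign-in, ranked by how suspicious it is.

    A successful device code sign-in from an address outside the known
    networks is the pattern a watering hole victim produces: the attacker's
    machine completes the flow from its own IP, not the user's.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if event.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = event.get("status", {}).get("errorCode", 0) == 0
        known = is_known_network(event.get("ipAddress", ""))
        if not succeeded:
            severity = "low"      # failed attempt; still worth correlating
        elif known:
            severity = "medium"   # e.g. Azure CLI from the office; verify intent
        else:
            severity = "high"     # success from an unknown network
        findings.append({
            "id": event["id"],
            "user": event["userPrincipalName"],
            "ip": event.get("ipAddress"),
            "app": event.get("appDisplayName"),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS.splitlines()):
        print(f"{f['severity']:6} {f['id']} {f['user']} {f['ip']} {f['app']}")
```

The hunt only surfaces sign-ins; the durable control is to restrict the device code flow with Conditional Access to the users and apps that actually need it, so an entered code from a lure page fails at the policy rather than succeeding silently.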

Amazon's Chief Information Security Officer, CJ Moses, said the approach shows APT29 continuing to evolve and scale its operations. The group compromised legitimate websites and injected malicious JavaScript that redirected a fraction of visitors to attacker-controlled domains such as findcloudflare[.]com and cloudflare[.]redirectpartners[.]com, which were built to mimic Cloudflare verification pages.

No AWS systems were compromised in this incident, and there was no direct impact on AWS services or infrastructure; AWS's role was detecting and disrupting the campaign. AWS's analysis of the injected code documented the evasion techniques used: randomisation so that only a fraction of visitors were redirected, base64 encoding of the malicious payload, cookies set to avoid redirecting the same visitor twice, and pivoting to new infrastructure when domains were blocked.
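Those evasion traits are also detection opportunities for anyone who can inspect the HTML a site serves. The scanner below is an added example, not AWS's detection code. Its sample page is constructed to reproduce the loader behaviour the article describes (a cookie check so a visitor is redirected only once, a Math.random() gate so only a fraction of visitors are redirected, and a base64-encoded destination on one of the domains AWS named); the regular expressions, the indicator labels and the host name `example.org` are the example's own assumptions, and nothing is fetched from the network.

```python
"""Scan a page's inline scripts for base64-hidden off-site redirects.

Added example (not AWS's detection code). The HTML below is a constructed
sample that reproduces the traits the article describes: a cookie check so
a visitor is only redirected once, a Math.random() gate so only a fraction
of visitors are redirected, and a base64-encoded destination on one of the
domains AWS named. Nothing here is fetched from the network.
"""
import base64
import re
from urllib.parse import urlparse

# Constructed sample: the destination is encoded at build time so the
# sample never contains an error-prone hand-typed base64 literal.
REDIRECT_TARGET = "https://findcloudflare.com/verify"
_ENCODED = base64.b64encode(REDIRECT_TARGET.encode()).decode()

SAMPLE_HTML = f"""<html><head><title>Example site</title>
<script src="/static/app.js"></script>
<script>
(function(){{
  if (document.cookie.indexOf("_cf_seen=1") > -1) return;
  if (Math.random() < 0.1) {{
    document.cookie = "_cf_seen=1; path=/";
    window.location = atob("{_ENCODED}");
  }}
}})();
</script>
</head><body><p>Legitimate content.</p></body></html>"""

# Inline <script> bodies only; external scripts (src=) need a separate fetch.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)
# Quoted literals that look like base64 (16+ chars of the base64 alphabet).
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+")

# Behavioural tells in the injected loader; each maps to a finding label.
INDICATORS = {
    "Math.random": "probabilistic_redirect",
    "document.cookie": "cookie_gating",
    "atob(": "base64_decode",
    "window.location": "redirect",
}


def decode_b64_urls(script: str) -> list[str]:
    """Decode every base64-looking literal in a script and return any URLs found."""
    urls = []
    for m in B64_LITERAL.finditer(script):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: an ordinary token
        urls.extend(URL_IN_TEXT.findall(text))
    return urls


def scan_inline_scripts(html: str, page_host: str) -> list[dict]:
    """Flag inline scripts whose decoded base64 contains a URL on another host."""
    findings = []
    for script in INLINE_SCRIPT.findall(html):
        offsite = [u for u in decode_b64_urls(script)
                   if urlparse(u).hostname and urlparse(u).hostname != page_host]
        if not offsite:
            continue
        findings.append({
            "decoded_urls": offsite,
            "indicators": sorted(label for tell, label in INDICATORS.items()
                                 if tell in script),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_inline_scripts(SAMPLE_HTML, "example.org"):
        print(finding)
```

Run against a page fetched from the site you own, the check is cheap enough to schedule; a hit with all four indicators together is strong evidence of an injected loader rather than a legitimate redirect, while a decoded off-site URL alone deserves a look but can be benign.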

Microsoft and TeamViewer have previously attributed separate intrusions to the same group. Microsoft reported in early 2024 that Midnight Blizzard had accessed corporate email and some internal source code repositories, and TeamViewer confirmed in June 2024 that the group had broken into its corporate IT network. Those were distinct incidents, not part of this watering hole campaign.

Google's Threat Intelligence Group has separately documented APT29 phishing that targeted academics and critics of Russia earlier this summer. The campaign disrupted by AWS targeted governments, NGOs, academia and defence organisations, much like an earlier APT29 attempt in October 2024.

No further information has been released about the size of this campaign, whether it singled out particular groups or industry sectors, or whether it remains ongoing. It is nonetheless a reminder of the persistent threat posed by espionage groups such as APT29, and of the need to treat unexpected "verification" steps that ask for a sign-in code with suspicion.
