
Amazon disrupts watering hole campaign by Russia's APT29

Published 01/09/2025 09:54 · Modified 01/09/2025 10:32


Essential information

Tags
2025-09-01, credential harvesting, device authentication, infrastructure adaptation, javascript injection, russia, svr, watering hole
Related entities
2 observables, 1 intrusion set (APT), 6 techniques (MITRE), 1 other

Description

Amazon's threat intelligence team has uncovered and disrupted a campaign conducted by APT29, a Russian threat actor. The campaign compromised legitimate websites and redirected a subset of their visitors to attacker-controlled infrastructure, where victims were tricked into completing Microsoft's device code authentication flow and thereby authorizing a device under the attackers' control. This opportunistic, watering-hole approach shows how APT29 is scaling its intelligence-collection operations. The group injected obfuscated JavaScript into the compromised sites, used server-side redirects, and rapidly moved its infrastructure whenever it was disrupted. Amazon's response included isolating the affected EC2 instances, partnering with providers to take down the domains, and sharing information with Microsoft. The article also provides recommendations for protecting users and organizations against such attacks.

External references