
Amazon Disrupts Russian Hacking Campaign Targeting Microsoft Users


Amazon has disrupted a Russian watering hole campaign that targeted Microsoft users through compromised websites, which opportunistically redirected visitors to malicious infrastructure.

Attributed to the state-sponsored cyberespionage group known as Midnight Blizzard (also tracked as APT29, Cozy Bear, the Dukes, and Yttrium) and believed to be sponsored by the Russian Foreign Intelligence Service (SVR), the attacks were focused on credential harvesting and intelligence collection.

The APT compromised legitimate websites and injected JavaScript code that redirected visitors to domains controlled by the attackers, such as findcloudflare[.]com, which mimicked a Cloudflare verification page.

Once redirected to the malicious domains, the victims were tricked into logging into their Microsoft accounts and authorizing devices under the attacker’s control, through the Microsoft device code authentication flow.
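For defenders, the device code authorization step described above is visible in identity sign-in logs. The following is an added example, not code from the article or from Amazon or Microsoft: it scans constructed JSON-lines sign-in records and reports successful device code sign-ins by accounts that are not expected to use that flow. The field names (`user`, `authenticationProtocol`, `ip`, `status`) and the allowlist are assumptions to adapt to your own log export.

```python
import json

# Constructed sample sign-in records (JSON lines). Field names are assumptions
# modeled on identity-provider sign-in log exports; adjust to your schema.
SAMPLE_LOG = """
{"user": "alice@example.com", "authenticationProtocol": "none", "ip": "198.51.100.10", "status": "success"}
{"user": "room-display@example.com", "authenticationProtocol": "deviceCode", "ip": "198.51.100.20", "status": "success"}
{"user": "alice@example.com", "authenticationProtocol": "deviceCode", "ip": "203.0.113.77", "status": "success"}
{"user": "bob@example.com", "authenticationProtocol": "deviceCode", "ip": "203.0.113.80", "status": "failure"}
not-json-line
{"user": "carol@example.com", "authenticationProtocol": "deviceCode", "ip": "192.0.2.5", "status": "success"}
"""

# Hypothetical allowlist: accounts on input-constrained devices that are
# expected to use the device code flow.
EXPECTED_DEVICE_CODE_USERS = {"room-display@example.com"}


def find_unexpected_device_code_signins(log_text, allowlist=EXPECTED_DEVICE_CODE_USERS):
    """Return successful device code sign-ins by users not on the allowlist."""
    last_ip = {}  # user -> IP of most recent successful non-device-code sign-in
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("status") != "success":
            continue
        user = str(rec.get("user", "")).lower()
        if rec.get("authenticationProtocol") != "deviceCode":
            last_ip[user] = rec.get("ip")  # remember the ordinary sign-in baseline
            continue
        if user in allowlist:
            continue
        baseline = last_ip.get(user)
        findings.append({
            "user": user,
            "ip": rec.get("ip"),
            # Triage hint only: IP differs from the user's last ordinary sign-in.
            "ip_changed": baseline is not None and baseline != rec.get("ip"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_device_code_signins(SAMPLE_LOG):
        print(finding)
```

Where no account legitimately needs the device code flow, the allowlist can be left empty so that every successful use is surfaced for review.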

According to Amazon CISO CJ Moses, only approximately 10% of the compromised website’s visitors were redirected to the threat actor-controlled domains.

“This opportunistic approach illustrates APT29’s continued ...


Copyright of this story solely belongs to securityweek.