
AWS catches Russia's Cozy Bear clawing at Microsoft credentials


Amazon today said it disrupted an intel-gathering attempt by Russia's APT29 to trick Microsoft users into unwittingly granting the Kremlin-backed cyberspies access to their accounts and data.

APT29, also known as Cozy Bear and Midnight Blizzard, is probably best known for the 2020 SolarWinds hack, and has been widely linked to Russia's Foreign Intelligence Service (SVR) by the US, UK, and other governments and security researchers. And this particular bear has developed a taste for Microsoft data and user credentials over the years.

In its most recent watering hole campaign, the attackers compromised legitimate websites and injected malicious JavaScript code that redirected about 10 percent of visitors to actor-controlled domains. 

The domains included findcloudflare[.]com and cloudflare[.]redirectpartners[.]com, which were intended to mimic legit Cloudflare verification pages. The goal was to trick people trying to log into their Microsoft accounts into entering an APT29-generated device code into ...


Copyright of this story solely belongs to theregister.co.uk.