Amazon Disrupts APT29's Sophisticated Cyber Espionage Campaign Targeting Microsoft Accounts
August 29, 2025
Amazon announced it disrupted a watering hole campaign linked to Russia's APT29, also known as Cozy Bear, in which the actors compromised legitimate websites and injected malicious JavaScript to hijack visitors' Microsoft accounts.
The injected code redirected about 10% of visitors to fake Cloudflare "verification" pages; these pages coached the victim into entering an attacker-generated code into Microsoft's real device login page, which completes the OAuth device code flow for a device the attacker controls and hands them an access token for the victim's Microsoft account without any password ever being typed into an attacker-controlled site.
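Because the victim authenticates on Microsoft's own sign-in page, the phishing page itself leaves no credential-theft trace; the detectable artefact is the sign-in record, which carries the authentication protocol. As an added example (not code from Amazon, Microsoft or the cited articles), the following Python flags device-code sign-ins in Microsoft Entra sign-in records and raises the severity when the sign-in comes from a country the user has never signed in from with an ordinary flow. It assumes the field names of the Microsoft Graph `signIn` resource (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`, `appDisplayName`); the log entries are constructed, not captured data.

```python
"""Flag device-code sign-ins in Microsoft Entra sign-in logs.

Added illustration; not code from Amazon, Microsoft or the cited reports.
Assumes the Microsoft Graph `signIn` resource field names. All entries in
SAMPLE_SIGNINS are constructed for this example (RFC 5737 test addresses).
"""
import json

# Constructed sample: two ordinary sign-ins for alice from the US, then a
# device-code sign-in from NL; bob uses device code from his usual country;
# carol never uses device code at all.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-08-27T08:01:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft 365"},
    {"createdDateTime": "2025-08-28T09:14:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Outlook"},
    {"createdDateTime": "2025-08-28T17:42:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Authentication Broker"},
    {"createdDateTime": "2025-08-28T10:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.40",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Teams"},
    {"createdDateTime": "2025-08-28T10:30:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.41",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Azure CLI"},
    {"createdDateTime": "2025-08-28T11:00:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.7",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
     "appDisplayName": "SharePoint"},
])


def parse_signins(text: str) -> list[dict]:
    """Parse a JSON array of sign-in records (the shape Graph returns under `value`)."""
    return json.loads(text)


def baseline_countries(signins: list[dict]) -> dict[str, set[str]]:
    """Countries each user has successfully signed in from with a non-device-code flow."""
    base: dict[str, set[str]] = {}
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        base.setdefault(s["userPrincipalName"], set()).add(s["location"]["countryOrRegion"])
    return base


def find_device_code_signins(signins: list[dict]) -> list[dict]:
    """Return one alert per successful device-code sign-in.

    Device code is rare for ordinary users, so every hit is worth a look
    ("medium"); a hit from a country absent from the user's normal sign-in
    baseline is the pattern of an attacker redeeming a phished code ("high").
    """
    base = baseline_countries(signins)
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        upn = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        severity = "high" if country not in base.get(upn, set()) else "medium"
        alerts.append({
            "time": s["createdDateTime"], "user": upn, "ip": s["ipAddress"],
            "country": country, "app": s["appDisplayName"], "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

Run against a real export (for example the `value` array from the Graph sign-ins endpoint) the same logic applies unchanged. The preventive control on the Entra side is a Conditional Access policy that blocks the device code flow for users who have no legitimate need for it; the detection above is for the accounts where that flow must stay enabled.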
This operation follows similar efforts in October 2024, where APT29 targeted government, NGO, academic, and defense sectors using impersonation and phishing tactics.
Recent activity includes targeting Ukrainian entities with malicious RDP configuration files and abusing Google account features to read victims' email, showing how the group keeps changing its credential-harvesting techniques to gather intelligence.
The injected loader was built to stay unnoticed: its redirect target was hidden behind Base64 encoding, it set a cookie on each redirected visitor so the same browser was not bounced again (avoiding the redirect loops that would have alerted site owners and users), and it redirected only about one visitor in ten.
When AWS took down the infrastructure it was hosting, the actors moved to other cloud providers and kept the campaign running, so defenders could not rely on a fixed set of domains or IP addresses.
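Those three traits (a Base64-hidden URL, a cookie that gates the redirect to once per browser, and random sampling of a small fraction of visitors) are unusual together in legitimate site scripts and can be checked for directly. As an added example, not Amazon's tooling or code from the cited reports, the following Python scans a JavaScript file for that combination and decodes any Base64 literal passed to `atob()` so an analyst sees the redirect target. Both snippets it scans are constructed for the example, and `cf-verify.example` is a placeholder domain, not an indicator from the campaign.

```python
"""Scan site JavaScript for the watering-hole loader pattern described above.

Added example, not code from Amazon or the cited articles. The indicators
follow the behaviour the reports describe; the regexes are heuristics and
the two snippets below are constructed test inputs.
"""
import base64
import binascii
import re

# A string literal handed straight to atob(): the usual way to hide a URL.
_ATOB_LITERAL = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
# Math.random() compared against a threshold: samples a fraction of visitors.
_RANDOM_GATE = re.compile(r"Math\.random\(\)\s*<=?\s*(0?\.\d+)")
# A cookie write, used to mark a browser as already redirected.
_COOKIE_WRITE = re.compile(r"document\.cookie\s*=")
# A navigation: location assignment (not a comparison) or replace()/assign().
_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\("
)


def decode_base64_urls(script: str) -> list[str]:
    """Decode every atob('...') literal and keep the ones that are URLs."""
    urls = []
    for _quote, blob in _ATOB_LITERAL.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def scan_script(script: str) -> dict:
    """Return the indicators found, decoded redirect targets and a verdict.

    A single indicator is common in benign code (A/B tests use Math.random,
    consent banners write cookies), so the verdict needs at least two.
    """
    indicators = set()
    urls = decode_base64_urls(script)
    if urls:
        indicators.add("base64_redirect_target")
    gate = _RANDOM_GATE.search(script)
    if gate and float(gate.group(1)) < 0.5:
        indicators.add("visitor_sampling")
    if _COOKIE_WRITE.search(script) and _REDIRECT.search(script):
        indicators.add("cookie_gated_redirect")
    return {"indicators": indicators, "decoded_urls": urls, "suspicious": len(indicators) >= 2}


# Constructed inputs. The target domain is a placeholder, not a real indicator.
_TARGET = "https://cf-verify.example/challenge"
_B64 = base64.b64encode(_TARGET.encode()).decode()
SUSPICIOUS_SNIPPET = (
    "(function(){if(document.cookie.indexOf('_cf_seen=')===-1&&Math.random()<0.1){"
    "document.cookie='_cf_seen=1; path=/';"
    "window.location=atob('" + _B64 + "');}})();"
)
BENIGN_SNIPPET = (
    "window.dataLayer=window.dataLayer||[];"
    "function gtag(){dataLayer.push(arguments);}gtag('js',new Date());"
    "if(Math.random()<0.5){document.body.classList.add('variant-b');}"
)


if __name__ == "__main__":
    for name, snippet in (("suspicious", SUSPICIOUS_SNIPPET), ("benign", BENIGN_SNIPPET)):
        print(name, scan_script(snippet))
```

In practice this runs over the scripts a site actually serves (fetched with the same user agent a victim's browser would send, since the loader may be served conditionally), and the decoded URLs feed straight into a block list or a takedown request.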
Russian cyber activities also include mass phishing campaigns using RDP files and shared exploits with commercial spyware, indicating a broad and persistent threat landscape.
This campaign exemplifies APT29's ongoing evolution in expanding their intelligence efforts, often impersonating major cloud providers like AWS and Microsoft to facilitate phishing.
Despite the infrastructure shifts, Amazon's security team successfully tracked and disrupted the operations, highlighting the group's persistent and adaptive tactics.
APT29, tied to Russia's SVR, continues to employ sophisticated phishing techniques aimed at high-value targets, including stealing source code and accessing internal systems.
The attackers compromised legitimate websites to inject malicious JavaScript that sent a sampled fraction of visitors to fake verification pages; because the lure relied on the device code flow, victims entered the attacker's code on Microsoft's genuine sign-in page rather than typing a password into a look-alike site, which is what let the technique slip past conventional credential-phishing defenses.
Microsoft had earlier confirmed, in early 2024, that the same group had stolen source code and accessed internal systems, underlining the sustained threat posed by APT29's espionage activities.
Amazon clarified that no AWS systems were compromised and there was no impact on its services, although they analyzed the attack methods to understand the threat actors' evasion tactics.
Summary based on 2 sources
Sources

The Register • Aug 29, 2025
AWS catches Russia's Cozy Bear clawing at Microsoft credentials
The Hacker News • Aug 29, 2025
Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication