Amazon, Cloudflare, Microsoft Thwart Russia-Linked APT29 Cyber Campaign
Amazon, in collaboration with Cloudflare and Microsoft, has disrupted a sophisticated cyber campaign led by Russia-linked APT29, also known as Midnight Blizzard. The group, tied to Russia’s Foreign Intelligence Service (SVR), targeted academics and government critics for intelligence gathering.
APT29 used a 'watering hole' approach: it compromised legitimate websites and injected code that redirected a subset of visitors (roughly 10%) to attacker-controlled infrastructure posing as Cloudflare verification pages. Those pages instructed visitors to enter a code at Microsoft's legitimate device login page. A visitor who complied completed an OAuth device authorization flow that the attackers had started, so the attacker-controlled device, not the victim's, received access tokens for the victim's Microsoft account. No password changes hands; the victim authorizes the attacker's session, which is why the technique is known as device code phishing.
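To make the mechanism concrete, the following is an added example (not code from Amazon, Cloudflare, Microsoft, or the campaign itself) that models the OAuth 2.0 device authorization grant (RFC 8628) with a toy authorization server and replays the phishing exchange against it: the attacker requests a code pair, the lure shows the user code to the victim, the victim types it into the legitimate verification page, and the attacker's poll returns a token. The `AuthServer` class, its method names, the code formats, the `https://idp.example/devicelogin` URL and the account name are assumptions for illustration; only the protocol shape follows RFC 8628.

```python
"""Toy model of the OAuth 2.0 device authorization grant and device code
phishing.  Added example; the class, names and formats are assumptions,
not Microsoft's implementation."""
import secrets
import time


class AuthServer:
    """Minimal RFC 8628 authorization server (assumed, illustrative)."""

    def __init__(self, lifetime_s=900, clock=time.time):
        self.lifetime_s = lifetime_s
        self.clock = clock              # injectable so expiry can be tested
        self._grants = {}               # device_code -> grant record
        self._user_codes = {}           # user_code   -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the *client* (here, the attacker) asks for a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # 8 hex chars; format assumed
        self._grants[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": self.clock() + self.lifetime_s, "approved_by": None,
        }
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": self.lifetime_s, "interval": 5}

    def verify_user_code(self, user_code, signed_in_user):
        """Step 2: the legitimate verification page.  A signed-in user types
        a user code.  Nothing checks that this user owns the device that
        requested the code; that gap is what the lure exploits."""
        device_code = self._user_codes.get(user_code)
        if device_code is None:
            return False
        grant = self._grants[device_code]
        if self.clock() > grant["expires"]:
            return False
        grant["approved_by"] = signed_in_user
        return True

    def token(self, device_code):
        """Step 3: the client polls the token endpoint with its device_code."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self.clock() > grant["expires"]:
            return {"error": "expired_token"}
        if grant["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "tok-" + secrets.token_urlsafe(16),
                "token_type": "Bearer", "scope": grant["scope"],
                "subject": grant["approved_by"]}


def device_code_phish(server, victim_enters_code):
    """Attacker side of the exchange.  `victim_enters_code` stands in for the
    fake verification page convincing the victim to type the user code."""
    resp = server.device_authorization(client_id="public-client", scope="mail.read")
    pending = server.token(resp["device_code"])     # before the victim acts
    victim_enters_code(resp["user_code"])           # the lure does its work
    return pending, server.token(resp["device_code"])


def demo(victim="alice@example.org"):
    """Runs the full exchange; returns (first poll, poll after victim acts)."""
    srv = AuthServer()

    def victim_action(user_code):
        # The victim is already signed in at the real IdP and types the code
        # shown on the fake page.  The IdP cannot tell this from a legitimate
        # device login.
        srv.verify_user_code(user_code, victim)

    return device_code_phish(srv, victim_action)


if __name__ == "__main__":
    first, final = demo()
    print("first poll :", first)
    print("final poll :", {k: v for k, v in final.items() if k != "access_token"})
```

The point the simulation makes is that the weakness is not in the code entry page, which is genuine, but in the grant itself: whoever holds the `device_code` gets the token, and the verification step never ties the approving user to the polling device. Mitigation is therefore policy at the identity provider rather than user vigilance; Microsoft Entra Conditional Access can block the device code flow outright for users and apps that do not need it, and device code sign-ins are recorded as such in the sign-in logs, which gives a concrete thing to alert on for accounts that never use it.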
The group showed considerable adaptability. The injected code redirected visitors at random rather than every time, obfuscated itself with base64 encoding, and set cookies so the same visitor was not redirected twice, all of which made the activity harder to notice and to reproduce. When its infrastructure was disrupted, the group pivoted quickly, standing up new hosting and registering additional domains.
Amazon, Cloudflare, and Microsoft coordinated to block the malicious domains and take down the infrastructure behind the redirects. The group's attempts to evade detection and move to new infrastructure after each disruption did not succeed, and the campaign was shut down.