Amazon disrupted a watering hole campaign conducted by the Russia-linked APT29 group, leveraging compromised websites to steal credentials. This campaign targeted academics and critics of Russia and showcased advanced tactics like obfuscated JavaScript and server-side redirects. #APT29 #Nobelium
Key points
- Amazon identified and disrupted an espionage campaign linked to APT29, also known as Cozy Bear or Nobelium.
- The attackers used compromised websites that redirected visitors to attacker-controlled pages in order to capture Microsoft device code authentication data.
- They employed tactics such as obfuscated JavaScript, server-side redirects, and rapid infrastructure pivots.
- The campaign targeted Russian critics and academics, aiming to gather intelligence.
- Amazon collaborated with Cloudflare and Microsoft to block malicious domains and disrupt the threat actors' operations.