Amazon disrupts watering hole campaign by Russia's APT29
Sept. 1, 2025, 10:32 a.m.
Description
Amazon's threat intelligence team has uncovered and disrupted a watering hole campaign conducted by APT29, a Russian threat actor. The campaign involved compromising legitimate websites to redirect visitors to malicious infrastructure, tricking users into authorizing attacker-controlled devices through Microsoft's device code authentication flow. This opportunistic approach demonstrates APT29's evolving tactics in scaling their operations for intelligence collection. The group employed techniques such as injecting obfuscated JavaScript, rapidly adapting infrastructure when faced with disruption, and using server-side redirects. Amazon's response included isolating affected EC2 instances, partnering with providers to disrupt domains, and sharing information with Microsoft. The article provides recommendations for user and organizational protection against such attacks.
Date
- Created: Sept. 1, 2025, 9:54 a.m.
- Published: Sept. 1, 2025, 9:54 a.m.
- Modified: Sept. 1, 2025, 10:32 a.m.
Additional Information
- Russian Federation