Amazon Disrupts Midnight Blizzard Campaign Targeting Microsoft 365

Amazon disrupted a Midnight Blizzard campaign where Russian hackers used compromised websites, fake Cloudflare pages, and Microsoft device code abuse to target enterprise Microsoft 365 accounts worldwide.

    Amazon has disrupted a cyber operation linked to Midnight Blizzard (APT29), a Russian state-sponsored group associated with the Russian Foreign Intelligence Service (SVR). The group had been attempting to compromise Microsoft 365 accounts and enterprise data through a sophisticated campaign that leveraged compromised websites and malicious redirection tactics.

    How the Attack Was Carried Out

    APT29, also known as Cozy Bear, used a watering hole campaign where legitimate but compromised websites redirected selected visitors to attacker-controlled infrastructure. According to researchers, the attackers designed this infrastructure to trick victims into authorizing malicious devices via Microsoft’s device code authentication flow.

    As Amazon explained, the group employed a randomization method, redirecting only around 10% of site visitors to avoid widespread detection. Those users were sent to domains crafted to mimic Cloudflare verification pages, such as:

    • findcloudflare[.]com
    • cloudflare[.]redirectpartners[.]com

    This careful targeting reduced suspicion while still allowing APT29 to capture valuable enterprise accounts.

    Use of Cookies to Avoid Suspicion

    Amazon’s investigation revealed that the hackers implemented a cookie-based control system to ensure that the same user would not be redirected more than once. This lowered the chance of victims noticing a pattern and reporting suspicious behavior.

    Once redirected, victims were presented with fake Cloudflare-style verification prompts. From there, the attackers funneled them into a malicious Microsoft device code authentication flow, where they were tricked into authorizing attacker-controlled devices.
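    The device code flow leaves a distinct trace in tenant sign-in telemetry, which is what a defender would monitor for the activity described above. The following is an added example, not code from the article or from Amazon’s research; it assumes the Microsoft Graph signIn record shape (authenticationProtocol, deviceDetail, ipAddress, userPrincipalName), and the sign-in records and corporate egress range are constructed sample data.

```python
"""Flag device code sign-ins that also come from an unmanaged device or an
unexpected source IP, as a starting point for hunting device code abuse.
Added example; assumes the Microsoft Graph signIn field names and uses
constructed sample records, not real telemetry."""
from ipaddress import ip_address, ip_network

# Constructed sample of Entra sign-in records (subset of Graph signIn fields).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": "dev-aaa", "isCompliant": True}},
    {"id": "s2", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11",
     "deviceDetail": {"deviceId": "dev-bbb", "isCompliant": True}},
    {"id": "s3", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "deviceDetail": {"deviceId": "", "isCompliant": False}},
]

# Constructed corporate egress range; in practice load this from inventory.
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]


def is_known_egress(ip: str) -> bool:
    """True if the sign-in source IP falls inside a known corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def flag_device_code_signins(signins):
    """Return (id, upn, reasons) for each device code sign-in that is also
    from an unmanaged/non-compliant device or an IP outside known egress."""
    findings = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the flow this campaign abused
        reasons = []
        dev = rec.get("deviceDetail") or {}
        if not dev.get("deviceId") or not dev.get("isCompliant"):
            reasons.append("unmanaged or non-compliant device")
        if not is_known_egress(rec.get("ipAddress", "0.0.0.0")):
            reasons.append("source IP outside known egress")
        if reasons:
            findings.append((rec["id"], rec["userPrincipalName"], reasons))
    return findings


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_SIGNINS):
        print(hit)
```

    Tenants that have no legitimate use for the device code flow can go further and block it outright with an Entra Conditional Access policy on the authentication flows condition, which removes the sign-in path rather than just alerting on it.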

    Connection to Past Attacks by Midnight Blizzard

    Midnight Blizzard has a long track record of targeting government, enterprise, and diplomatic entities. Their tactics often rely on credential theft and phishing, and they have been linked to multiple high-profile intrusions, including:

    • European embassies targeted through email-based credential phishing.
    • Hewlett Packard Enterprise (HPE), where threat actors attempted to gain unauthorized access to sensitive systems.
    • TeamViewer, where the attackers sought to infiltrate widely used remote-access services.

    By exploiting authentication mechanisms, APT29 attempts to gain long-term access to corporate networks while disguising their presence behind legitimate sign-in processes.

    Ongoing Risks for Enterprises

    While Amazon successfully disrupted this latest campaign, the disruption does not mean the threat is eliminated. Enterprise organizations remain prime targets for Russian-backed cyber espionage due to their reliance on Microsoft 365 services and cloud-based collaboration platforms.

    The use of fake verification pages, device code abuse, and low-detection redirection tactics highlights APT29’s evolving techniques. Their ability to bypass traditional defenses underscores the importance of monitoring authentication flows, reviewing indicators of compromise (IoCs), and ensuring security teams remain alert to changes in adversary tactics.
