# Threat Actor: APT29 (BlueBravo / Cozy Bear)
## Attribution & Identity
Attributed to the **Russian Foreign Intelligence Service (SVR)** by U.S. officials.
Known aliases include **BlueBravo** and **Cozy Bear**.
## Activity Summary
In August 2025, Amazon disrupted a watering hole campaign attributed to APT29. The actors compromised legitimate websites and injected malicious JavaScript that redirected a subset of visitors to Russian-controlled infrastructure. An earlier operation, disrupted in October 2024, involved APT29 attempting to use phishing domains impersonating AWS.
## Tactics, Techniques & Procedures
- **Watering Hole Attacks:** Compromising legitimate websites and injecting malicious JavaScript to redirect visitors.
- **Credential Harvesting:** The end goal of the August campaign was credential harvesting; the redirect chain led to pages abusing Microsoft's device code authentication flow.
- **Domain Impersonation:** Using domains mimicking legitimate services (e.g., `findcloudflare[.]com` designed to look like Cloudflare verification pages).
- **Evasion:** Redirecting only a small percentage of visitors randomly to avoid detection.
- **Infrastructure Migration:** Attempting to move operations to different cloud providers after initial disruption.
- **Spear-phishing:** Conducted a sprawling spear-phishing campaign reported in 2021.
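As an added illustration of the injected-script and random-sampling pattern described in the list above (this is example code, not Amazon's detection tooling), the following Python scans a page's HTML for two things: `<script src>` tags that load from a host outside an assumed first-party allowlist, and inline scripts that gate a redirect on a random draw, the technique used to send only a small share of visitors to the actor-controlled domain. The allowlist hosts (`example.org`) and the sample page are constructed for this example; `findcloudflare[.]com` is the domain named in this report, and the scanner restores the defanged form before parsing.

```python
"""Flag script injections of the kind used in the watering-hole campaign.

Added example; not Amazon's detection tooling. Scans HTML for <script src>
tags loading from hosts outside an assumed allowlist, and for inline scripts
that gate a navigation on Math.random(), the "redirect only a fraction of
visitors" evasion described in the report. Sample page is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hosts that are allowed to serve scripts on the property.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# A random draw compared against a small constant, combined with a navigation
# primitive, is the "redirect only some visitors" pattern.
RANDOM_GATE = re.compile(r"Math\.random\s*\(\s*\)\s*<\s*0?\.\d+")
NAVIGATION = re.compile(r"location\s*(?:\.href|\.replace|\.assign|=)|window\.open")


def normalize_host(url):
    """Hostname of a script URL; defanged '[.]' is restored first so indicator
    lists (or a page quoting one) still parse."""
    parsed = urlparse(url.replace("[.]", "."))
    return (parsed.hostname or "").lower()


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for one page's HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = normalize_host(src)
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in collector.inline:
        if RANDOM_GATE.search(body) and NAVIGATION.search(body):
            findings.append(("random-gated-redirect", " ".join(body.split())[:80]))
    return findings


# Constructed sample: a normal page with one injected external script and one
# injected inline sampler; the two benign scripts must not be flagged.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script src="https://findcloudflare[.]com/cf-check.js"></script>
<script>console.log("page ready");</script>
<script>
if (Math.random() < 0.1) { window.location.href = "https://findcloudflare[.]com/verify"; }
</script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(SAMPLE_PAGE):
        print(kind, detail)
```

Run against a crawl of your own properties, the allowlist should be generated from a known-good baseline rather than hand-written, and any new external host or random-gated navigation is worth a diff against the deployed source, since the injection lives on the compromised site rather than on the actor's domain.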
## Targeting
- **Sectors:** Academics and critics of Russia (named in connection with a related June operation); government agencies, think tanks, consultants, and NGOs (targets of the 2021 spear-phishing activity). The immediate technical target of the August watering hole was Microsoft's device code authentication flow.
- **Geography:** Not explicitly detailed for the August campaign, but the actor is historically linked to activity against entities in the U.S., Germany, the UK, Hungary, Ukraine, and Azerbaijan.
- **Victims:** Visitors to the compromised legitimate websites. No organizational victims of the August watering hole were named; the attack aimed to harvest credentials for Microsoft accounts.
## Tools & Infrastructure
- **Malware Families used:** None explicitly named in connection with the August campaign. Historically the actor is associated with major operations such as the SolarWinds supply-chain compromise.
- **Infrastructure (C2, domains, IPs):** Actor-controlled domains that were disrupted, including `findcloudflare[.]com` (used to mimic a Cloudflare verification page). After the initial disruption the actor attempted to migrate to infrastructure hosted by **another cloud provider**.
## Implications
APT29 remains a highly prolific threat actor serving the interests of Russian intelligence (SVR). Its continued focus is on credential harvesting and intelligence collection against high-value entities, including technology platforms and organizations critical of Russia. The group demonstrates persistence by attempting to migrate infrastructure immediately after discovery and disruption.
## Mitigations
- Security providers should continue to monitor for actor-controlled domains and infrastructure impersonating services such as Cloudflare or AWS.
- Monitor legitimate web properties for injected JavaScript, including script tags that load from unfamiliar domains and inline code that redirects only a fraction of visitors.
- Harden authentication flows against this abuse. The device code flow was designed for input-constrained devices, so restrict it (for example with Conditional Access policies) to the users and applications that need it, and alert on device-code sign-ins from locations unfamiliar for the account.
- Proactively monitor and respond to indicators associated with APT29 activity, as Amazon's threat intelligence team did in this case.
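One way to act on the device-code mitigation above, as an added example rather than anything from Amazon's or Microsoft's tooling: in device code phishing the victim types the code at the legitimate Microsoft device-login page, but the resulting token is issued to the attacker's client, so the sign-in record shows the victim's account with the attacker's IP address and location. The Python below reads sign-in records shaped like the Microsoft Graph `signIn` resource (its `authenticationProtocol` field is `deviceCode` for this flow) and flags any device-code sign-in whose IP or country does not appear in that user's other sign-ins in the same window. All records are constructed sample data using RFC 5737 documentation addresses; the field subset and the two example users are assumptions.

```python
"""Triage Entra ID sign-in records for abuse of the device code flow.

Added example; not Amazon's or Microsoft's tooling. Builds a per-user
baseline of IPs and countries from ordinary sign-ins, then rates each
device-code sign-in by whether it fits that baseline. Records below are
constructed, abridged to a few fields of the Graph signIn resource.
"""
import json
from collections import defaultdict

# Constructed sample sign-ins, one JSON object per line. Alice normally signs in
# from the US; the device-code sign-in from an NL address is the phishing case.
# Bob runs a device-code sign-in from his usual address (e.g. a CLI tool).
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-08-20T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"none"}
{"createdDateTime":"2025-08-20T13:40:05Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2"}
{"createdDateTime":"2025-08-21T02:17:49Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2025-08-20T09:11:30Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.5","location":{"countryOrRegion":"DE"},"appDisplayName":"Microsoft Teams","authenticationProtocol":"none"}
{"createdDateTime":"2025-08-20T09:15:02Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.5","location":{"countryOrRegion":"DE"},"appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _country(record):
    return (record.get("location") or {}).get("countryOrRegion")


def baseline_by_user(records):
    """Known IPs and countries per user, taken from non-device-code sign-ins
    only, so a phished session cannot whitelist itself."""
    ips, countries = defaultdict(set), defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            continue
        user = r["userPrincipalName"].lower()
        ips[user].add(r.get("ipAddress"))
        countries[user].add(_country(r))
    return ips, countries


def triage_device_code_signins(records):
    """Return one alert per device-code sign-in, rated high when the source
    IP or country is absent from the user's baseline."""
    ips, countries = baseline_by_user(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"].lower()
        ip, country = r.get("ipAddress"), _country(r)
        reasons = []
        if ip not in ips[user]:
            reasons.append("ip-not-in-baseline")
        if country not in countries[user]:
            reasons.append("country-not-in-baseline")
        alerts.append({
            "time": r.get("createdDateTime"),
            "user": user,
            "ip": ip,
            "country": country,
            "app": r.get("appDisplayName"),
            "severity": "high" if reasons else "low",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert["severity"], alert["user"], alert["ip"], alert["reasons"])
```

A high-severity hit is a candidate for revoking the user's refresh tokens and reviewing the app that received the token; a low-severity hit is still worth logging, because legitimate device-code use should be rare enough to enumerate and, ideally, restricted by policy to the accounts that need it.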