AWS Catches Cozy Bear in the Act: Russia's Sophisticated Phishing Campaign Exposed

Amazon Web Services (AWS) has announced that it has disrupted an intelligence-gathering attempt by Russia's APT29 group, also known as Cozy Bear and Midnight Blizzard. The attack targeted Microsoft users who were tricked into unwittingly granting the Kremlin-backed cyberspies access to their accounts and data.

APT29 is a highly sophisticated and prolific hacking group that various governments, security researchers, and organizations have linked to Russia's Foreign Intelligence Service (SVR). Its previous notable exploits include the 2020 SolarWinds hack, which demonstrated its ability to infiltrate high-profile targets, seemingly by way of zero-day vulnerabilities.

The latest watering hole campaign, carried out by Cozy Bear, aimed to compromise legitimate websites and inject malicious JavaScript code that redirected a significant percentage of visitors to actor-controlled domains. These domains were designed to mimic Cloudflare verification pages, making it challenging for users to distinguish between legitimate and fake websites.

The attackers' goal was to trick people trying to log into their Microsoft accounts into entering APT29-generated device codes into the sign-in page. This would have authorized attacker-controlled devices, allowing the Russian spies to gain access to the victims' Microsoft accounts and sensitive data.
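Device code phishing of the kind described above leaves a trace in identity sign-in telemetry: the sign-in completes via the device code flow, often from a network the user has never used. The following is an added example, not code from AWS or from the reporting, showing how a defender could triage such sign-ins. It assumes records shaped like Microsoft Entra ID sign-in log entries (the `authenticationProtocol`, `ipAddress`, `status.errorCode` fields); the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry). The field names
# follow the Entra ID sign-in log schema; values are made up for illustration.
SAMPLE_LOGS = """
{"userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"203.0.113.10","status":{"errorCode":0},"createdDateTime":"2025-08-28T09:01:00Z"}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0},"createdDateTime":"2025-08-28T09:05:00Z"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","status":{"errorCode":50126},"createdDateTime":"2025-08-28T09:06:00Z"}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"ropc","ipAddress":"203.0.113.30","status":{"errorCode":0},"createdDateTime":"2025-08-28T09:07:00Z"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_ips(records):
    """Per-user set of source IPs seen on successful sign-ins that did NOT use
    the device code flow; this is the 'normal' footprint we compare against."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def triage_device_code_signins(records):
    """Return every device-code-flow sign-in, annotated with whether it
    succeeded and whether the source IP is new for that user. A successful
    device code sign-in from an unfamiliar IP is the pattern to escalate."""
    baseline = baseline_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        findings.append({
            "user": user,
            "ip": r["ipAddress"],
            "time": r["createdDateTime"],
            "succeeded": r["status"]["errorCode"] == 0,
            "new_ip_for_user": r["ipAddress"] not in baseline[user],
        })
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(parse_signins(SAMPLE_LOGS)):
        print(f)
```

In a real environment the baseline would be built from a longer window than the records being triaged, and a successful device code sign-in can also be blocked outright with a Conditional Access policy where the organization does not use that flow.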

Evading Detection and Scaling Operations

AWS's Chief Information Security Officer, CJ Moses, described Cozy Bear's approach as "opportunistic" and an example of the group's continued evolution in scaling its operations. The attackers used various tactics to evade detection, including:

  • Randomization: redirecting only a small percentage of visitors
  • Base64 encoding: hiding malicious code from security software
  • Setting cookies: preventing repeated redirects of the same visitor
  • Pivoting to new infrastructure when blocked

AWS analyzed the code used by Cozy Bear and found that these tactics allowed the group to cast a wider net in its intelligence collection efforts. However, no AWS systems were compromised, and there was no direct impact on AWS services or infrastructure.

Similar Attacks and Ongoing Efforts

This latest attack is not an isolated incident. In October 2024, Cozy Bear attempted to use domains impersonating AWS and Microsoft to phish users with Remote Desktop Protocol files pointing to actor-controlled resources. That campaign targeted governments, NGOs, academia, and defense organizations.

Earlier this summer, Google's Threat Intelligence Group documented APT29's phishing campaigns targeting academics and critics of Russia using application-specific passwords. These ongoing efforts highlight the sophistication and persistence of Cozy Bear, making it essential for users to remain vigilant and take proactive measures to protect themselves against these threats.

Stay Safe Online

To avoid falling victim to these types of attacks, users should:

  • Use strong, unique passwords and enable two-factor authentication
  • Vary their login locations and devices
  • Keep their software and operating systems up-to-date
  • Use reputable security software and stay informed about the latest threats

Awareness is key to staying safe online. By understanding the tactics used by Cozy Bear and taking proactive measures, users can reduce their risk of becoming a victim of these sophisticated phishing campaigns.