
The Russian Bear is Hungry for Authentication Codes 

  • Javier Conejo del Cerro
  • 4 days ago
  • 2 min read

Amazon has successfully disrupted a watering hole campaign linked to APT29 (Cozy Bear), one of Russia’s most notorious state-backed threat groups. In this operation, APT29 compromised legitimate websites to silently redirect visitors into malicious authentication flows. By abusing Microsoft’s device code authentication process, the attackers tricked victims into handing over valid credentials, enabling access to Microsoft 365 accounts, sensitive emails, and organizational data.

What makes this campaign notable is its blend of classic espionage tradecraft (watering hole compromise, stealthy redirects) with modern cloud abuse (device code authentication hijacking). It highlights how state-backed actors evolve to exploit trusted cloud services at scale while masking their operations behind legitimate authentication mechanisms.


Phase 1: The Lure and Redirection 


  • APT29 compromised legitimate websites frequently used by government employees, corporate staff, and citizens.

  • Injected JavaScript code redirected ~10% of visitors to attacker domains.

  • Domains like findcloudflare[.]com mimicked Cloudflare verification pages, creating a false sense of legitimacy.

  • Victims believed they were undergoing a routine check, but were actually entering a malicious flow.


Phase 2: Abusing Microsoft Device Code Authentication


  • Attackers abused the Microsoft device code authentication flow.

  • APT29 generated legitimate device codes on their own infrastructure.

  • Victims were tricked into entering those codes into Microsoft’s real sign-in page.

  • Once submitted, attackers gained access to:

    • Microsoft 365 accounts

    • Stored credentials and authentication tokens

    • Emails, files, and sensitive communications

  • This method was stealthy because it leveraged a real Microsoft process, not a fake login page.
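The flow described above leaves a trace defenders can hunt for: the token is issued to whoever requested the device code, so the sign-in record carries that host's address rather than the victim's. The following Python sketch is an added illustration, not code from the original post, Amazon or Microsoft; it runs over constructed Entra ID sign-in records whose keys follow Microsoft Graph's signIn schema, and that exact schema is an assumption to adapt to your own export.

```python
import json

# Constructed Microsoft Entra ID sign-in records (not real telemetry). The keys
# follow the Graph signIn resource (authenticationProtocol, ipAddress, ...);
# that exact schema is an assumption, so adapt parse_signins() to your export.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-09-01T08:02:11Z","userPrincipalName":"alice@example.org","ipAddress":"203.0.113.5","appDisplayName":"Outlook","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-09-01T09:14:40Z","userPrincipalName":"alice@example.org","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-09-01T10:20:05Z","userPrincipalName":"bob@example.org","ipAddress":"203.0.113.9","appDisplayName":"Teams","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-09-01T10:41:19Z","userPrincipalName":"bob@example.org","ipAddress":"203.0.113.9","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-09-01T11:03:52Z","userPrincipalName":"carol@example.org","ipAddress":"198.51.100.78","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

def parse_signins(raw: str) -> list[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def baseline_ips(records: list[dict]) -> dict[str, set[str]]:
    """Per user, source IPs of successful sign-ins that did NOT use the device
    code flow. In production build this from weeks of history, not one day."""
    seen: dict[str, set[str]] = {}
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    return seen

def flag_device_code_signins(records: list[dict]) -> list[dict]:
    """Return every successful device code sign-in. In device code phishing the
    victim types the code into the real Microsoft page, but the token is issued
    to the host that requested the code, so ipAddress on the deviceCode record
    is that host, not the victim's browser. An IP never seen in the user's
    ordinary sign-ins is therefore rated 'high'; a known IP only 'medium'."""
    baseline = baseline_ips(records)
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # failed attempts are worth logging but are not alerted on here
        user = r["userPrincipalName"]
        known = r["ipAddress"] in baseline.get(user, set())
        alerts.append({"user": user, "ip": r["ipAddress"],
                       "time": r["createdDateTime"],
                       "severity": "medium" if known else "high"})
    return alerts

if __name__ == "__main__":
    for a in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{a['severity'].upper():<6} {a['time']} {a['user']} token issued to {a['ip']}")
```

A device code sign-in from an address the user has never used otherwise is the pattern this campaign produces; tenants that never need the flow can go further and block it outright with Conditional Access.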


Phase 3: Stealth and Evasion


APT29 deployed multiple techniques to avoid detection:

  • Base64 obfuscation concealed injected JavaScript code.

  • Cookies prevented repeat redirects, lowering detection chances.

  • Rotating infrastructure kept the campaign alive even after takedowns.

  • These methods allowed the campaign to blend into normal user traffic for extended periods.


Phase 4: The Intelligence Harvest 


With access to Microsoft 365 accounts, APT29 could:

  • Steal credentials and authentication tokens for deeper access.

  • Exfiltrate sensitive documents and communications from governments, corporations, and researchers.

  • Monitor email traffic for intelligence value.

  • Infiltrate organizations long-term, escalating privileges and maintaining persistence.

  • Cast a wide net by targeting ordinary users—civil servants, corporate staff, researchers, and citizens—leveraging their daily browsing habits.


Phase 5: Amazon’s Intervention


Amazon’s Threat Intelligence team disrupted the campaign through:

  • Detection: Flagging domains like findcloudflare[.]com as APT29-linked.

  • Disruption: Tearing down attacker-controlled infrastructure on AWS.

  • Tracking: Continuing to monitor APT29’s migration to other providers.

  • Neutralization: Blocking new domains like cloudflare.redirectpartners[.]com.

This showed how a major cloud provider can directly hinder state-sponsored campaigns, even when adversaries try to shift infrastructure elsewhere.


Measures to Fend Off Such Campaigns


  • Monitor websites for injected JavaScript and unusual redirect patterns.

  • Enforce Conditional Access and MFA across all Microsoft 365 accounts.

  • Educate users never to enter device codes outside verified Microsoft workflows.

  • Block domains mimicking services like Cloudflare.

  • Track infrastructure shifts linked to APT29 or similar actors.

  • Collaborate with cloud providers (Amazon, Microsoft, Google) for rapid takedowns.


This campaign demonstrates how APT29 adapts traditional espionage to modern cloud environments, combining watering hole compromises with authentication abuse. Amazon’s intervention highlights the importance of industry collaboration and proactive defenses against one of the most persistent and capable state-aligned threat groups.
