Amazon shuts down watering hole attack attributed to Russia’s APT29 hacking group

A digital trap set by Russia’s foreign intelligence service was disrupted by Amazon in a recent operation. 

The company’s threat intelligence team said it identified a so-called watering hole campaign in August where hackers compromised a legitimate website and redirected visitors to malicious infrastructure.

Amazon Chief Information Security Officer (CISO) CJ Moses said the watering hole was the work of APT29 (also tracked as BlueBravo and Cozy Bear), a notorious hacking operation that U.S. officials have long attributed to the Russian Foreign Intelligence Service (SVR).

Moses said Amazon identified the activity through metrics it created specifically for APT29. The team discovered the actor-controlled domain names, and further investigation led it to other legitimate websites that had been compromised through malicious JavaScript code injected by the hackers.

About 10% of visitors to the compromised sites were redirected to Russian-controlled domains, including findcloudflare[.]com, a domain designed to mimic Cloudflare verification pages.

“The campaign’s ultimate target was Microsoft’s device code authentication flow. There was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure,” Moses said.

Amazon declined to say when the operation took place, but said they have seen other threat actors engage in watering hole attacks in the past.

Moses’ blog post notes that in October 2024, Amazon disrupted another APT29 operation that attempted to use phishing domains impersonating AWS. Moses added that Google’s threat intelligence team uncovered another phishing campaign in June that targeted academics and critics of Russia. 

APT29 went to great lengths to hide the malicious code on the legitimate websites and redirected a small percentage of visitors randomly to stay undetected. 
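Redirecting only a random slice of visitors means a single fetch of a compromised page will usually look clean. The following is an added example (not code from Amazon or the article) showing how a defender can monitor a page by sampling it repeatedly, flagging script domains that appear in only a minority of fetches, and sizing the sample so a 10% redirect rate is caught with high confidence. The HTML samples and the `evil-redirector.invalid` host name are constructed for illustration.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the same legitimate page fetched 30 times. In roughly
# 10% of fetches an injected <script> pointing at an attacker-controlled host
# (placeholder name, not the real campaign domain) is present.
CLEAN = ('<html><head><script src="https://cdn.example-site.org/app.js">'
         '</script></head><body>legitimate content</body></html>')
INJECTED = CLEAN.replace(
    '</head>',
    '<script src="https://evil-redirector.invalid/verify.js"></script></head>')
SAMPLES = [INJECTED if i % 10 == 0 else CLEAN for i in range(30)]


class _ScriptSrcParser(HTMLParser):
    """Collects the host names of every <script src=...> in a document."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:
                self.hosts.add(host)


def script_hosts(html):
    """Return the set of external hosts a page loads scripts from."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    return parser.hosts


def minority_hosts(samples, threshold=0.5):
    """Hosts seen in fewer than `threshold` of the fetches. A host that is
    present in every fetch is normal; one that appears intermittently is the
    signature of an injection that only fires for a fraction of visitors."""
    counts = Counter(h for s in samples for h in script_hosts(s))
    n = len(samples)
    return {h: c / n for h, c in counts.items() if c / n < threshold}


def fetches_needed(redirect_rate, confidence=0.95):
    """Smallest number of independent fetches such that the probability of
    observing the injection at least once is >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - redirect_rate))
```

With a 10% redirect rate, about 29 fetches are needed to have a 95% chance of observing the injection at least once, which is why a one-off scan of a suspected site is not sufficient.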

“Upon discovering this campaign, Amazon worked quickly to isolate affected EC2 instances, partner with Cloudflare and other providers to disrupt the actor’s domains, and share relevant information with Microsoft,” Moses said, adding that after the disruption, the hackers tried to register other domains in an effort to continue the campaign. 

“Despite the actor’s attempts to migrate to new infrastructure, including a move off AWS to another cloud provider, our team continued tracking and disrupting their operations.” 

The watering hole campaign disrupted by Amazon is further evidence that Russia is continuing to focus on credential harvesting and intelligence collection, Moses wrote. 

The U.S. Department of Justice and the Federal Bureau of Investigation previously seized two domains abused by APT29 that were part of a sprawling spear-phishing campaign that targeted government agencies, think tanks, consultants and NGOs in 2021. 

APT29 is one of the most prolific hacking operations coming from Russia and has been accused of launching several of the most consequential hacks of the last decade — including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee. The group was also allegedly responsible for a massive breach of Microsoft corporate email accounts in 2024 that included messages from several federal agencies.

Several other countries have attributed significant cyber incidents to the group, including Germany, the U.K., Hungary, Ukraine, Azerbaijan and others.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
