Amazon Disrupts APT29’s Latest Watering Hole Attack
On August 29, 2025, Amazon announced that it had disrupted a campaign by APT29, the Russian state-sponsored group also tracked as Cozy Bear and The Dukes, whose operations center on intelligence collection. The campaign illustrates how such actors increasingly abuse legitimate websites and legitimate authentication flows, rather than software vulnerabilities, to gain access to victims' accounts.
Understanding the Watering Hole Attack
APT29’s latest campaign used a classic "watering hole" strategy: legitimate websites were compromised so that unsuspecting visitors were redirected to attacker-controlled infrastructure. The objective was to deceive those visitors into authorizing attacker-controlled devices through Microsoft’s device code authentication flow, which hands the attackers access to the victims' Microsoft accounts. According to Amazon’s Chief Information Security Officer, CJ Moses, the method reflects the group’s persistent focus on harvesting sensitive data.
Who is APT29?
APT29 is a state-sponsored hacking group associated with Russia’s Foreign Intelligence Service (SVR). Its operations have drawn attention for their sophisticated tradecraft, including malicious Remote Desktop Protocol (RDP) configuration files aimed at Ukrainian entities. The group also uses a range of phishing methods against Microsoft 365 accounts, adapting its techniques as the platforms it targets change.
Recent Tactics and Techniques
In recent months, APT29 has diversified its techniques. Notably, it has used device code phishing and device join phishing to gain unauthorized access to Microsoft accounts, an adaptive approach that shows how the group continually adjusts its methods to reach its targets.
Another example surfaced in June 2025, when Google reported on a threat cluster it tracks as UNC6293 and assesses, with low confidence, to be linked to APT29. In that highly targeted operation the attackers socially engineered victims into creating Gmail application-specific passwords and sharing them, giving the attackers access to the victims' mailboxes.
The Mechanics of the Recent Attack
The campaign that Amazon disrupted involved a significant number of compromised legitimate websites. JavaScript injected into those sites redirected roughly 10% of visitors to domains controlled by APT29. One of those domains mimicked a Cloudflare verification page, so the redirect looked like a routine bot check rather than a phishing site.
The end goal was to coax victims into entering an attacker-generated device code into Microsoft’s device login flow. Completing that step authorizes the attacker's pending sign-in, granting access to the victim's Microsoft account and the data it contains. Microsoft and the security firm Volexity both documented this device code phishing technique in February 2025.
Evasive Techniques Employed by APT29
APT29 employs a range of evasion techniques designed to keep its operations running undetected for as long as possible. In this campaign the injected code was Base64-encoded to defeat simple string matching (Base64 is encoding, not encryption, so the payload is trivially recoverable once an analyst looks at the script), and a cookie was set so that the same visitor was not redirected twice, which also makes the behaviour harder to reproduce during analysis. When its infrastructure was blocked, the group shifted to new infrastructure.
Amazon noted that despite these evasive maneuvers, its security teams continued to track and disrupt the operation. After Amazon’s intervention, APT29 registered additional domains, including cloudflare.redirectpartners[.]com, in a further attempt to funnel users into Microsoft’s device code authentication flow.
The Ongoing Challenge
Amazon’s efforts against APT29 underline the persistence of state-sponsored threats and the value of continuous monitoring and intervention. Amazon has not disclosed how many websites were compromised, but it linked the domains used in this campaign to infrastructure previously attributed to APT29.
Moses added that even after the group moved its infrastructure to other cloud providers, Amazon’s threat intelligence team continued to track its operations. The cat-and-mouse dynamic between defenders and threat actors underscores the importance of sustained vigilance.
In conclusion, as cyber threats continue to evolve, organizations must remain prepared for emerging techniques. The tactics used by APT29 are a reminder that a compromise can begin on a trusted website and succeed without any software vulnerability: a user who enters a device code at an attacker's request hands over account access.