The AWS security team has disrupted thousands of Amazon Web Services-spoofing domains that the Russian state-backed threat operation APT29, also known as Midnight Blizzard, had leveraged in a phishing campaign aimed at stealing the login credentials of Ukrainian targets, as part of a massive crackdown, SC Media reports.
Attacks in the campaign used AWS-lookalike site URLs to deceive targets into clicking links that redirected to a malicious site, which downloaded Windows malware that stole login credentials, according to Amazon Chief Information Security Officer CJ Moses.
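The lure described above relies on links whose hostnames resemble AWS domains without belonging to them. The following is an added example, not code from the article or from AWS, of a mail-gateway check that pulls URLs out of a message body and flags hosts that carry an AWS or Amazon brand token but are not under an assumed allowlist of legitimate apex domains. The allowlist, the brand tokens, the naive "last two labels" registrable-domain rule and the sample message are all assumptions constructed for this example; a production filter should use a public-suffix list and its own vetted allowlist.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate apex domains for this example only;
# a real deployment maintains its own vetted list.
LEGIT_APEX = {"amazonaws.com", "amazon.com"}

# Brand tokens whose presence in a non-allowlisted host is suspicious.
BRAND_TOKENS = ("aws", "amazon")

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two DNS labels.
    Real code should consult a public-suffix list (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_legit(host: str) -> bool:
    return registrable_domain(host) in LEGIT_APEX


def looks_like_aws(text: str) -> bool:
    lowered = text.lower()
    return any(tok in lowered for tok in BRAND_TOKENS)


def classify_url(url: str) -> str:
    """Return 'allow' for an allowlisted host, 'lookalike' for a host (or
    userinfo before '@') that imitates the brand, and 'other' otherwise."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if is_legit(host):
        return "allow"
    # Edge case: the brand name may be hidden in the userinfo part,
    # as in https://aws.amazon.com@login.example/, where the real host
    # is the part after '@'.
    userinfo = (parsed.username or "") + (parsed.password or "")
    if looks_like_aws(host) or looks_like_aws(userinfo):
        return "lookalike"
    return "other"


def scan_email(body: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL from a message body and classify it."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]


# Constructed sample message; none of these hosts are real indicators.
SAMPLE_EMAIL = """\
Your invoice is attached: https://s3.amazonaws.com/example-bucket/invoice.pdf
Verify your account here https://aws-amazon-login.example/verify
Alternate link https://amazonaws.com.example/auth
Console access https://aws.amazon.com@login.example/
Documentation https://docs.example.org/page
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}")
```

The check is deliberately conservative: a legitimate subdomain such as s3.amazonaws.com passes because its registrable domain is allowlisted, while amazonaws.com.example is flagged because its registrable domain is com.example. Flagged messages are candidates for quarantine or for rewriting the link through a warning page, not proof of malice.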
Moses emphasized that APT29's campaign had targeted neither AWS nor its services or accounts.
"In this instance, their targets were associated with government agencies, enterprises, and militaries, and the phishing campaign was apparently aimed at stealing credentials from Russian adversaries. APT29 sent the Ukrainian-language phishing emails to significantly more targets than their typical, narrowly targeted approach," said Moses. This development comes as Russian government-backed threat groups are expected to ramp up attacks as the upcoming presidential election nears.