
Amazon Disrupts Russian Hacking Campaign Targeting Microsoft Users

The Midnight Blizzard cyberspies used compromised websites to trick users into authorizing devices they controlled.

Amazon has disrupted a Russian watering hole campaign targeting Microsoft users, in which compromised websites opportunistically redirected visitors to attacker-controlled infrastructure.

Attributed to the state-sponsored cyberespionage group known as Midnight Blizzard (also tracked as APT29, Cozy Bear, the Dukes, and Yttrium) and believed to be sponsored by the Russian Foreign Intelligence Service (SVR), the attacks were focused on credential harvesting and intelligence collection.

The APT compromised legitimate websites and injected JavaScript code that redirected visitors to domains controlled by the attackers, such as findcloudflare[.]com, which mimicked a Cloudflare verification page.

Once redirected to the malicious domains, the victims were tricked into logging into their Microsoft accounts and authorizing devices under the attacker’s control, through the Microsoft device code authentication flow.
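Because the device code flow lets a device the user never touched obtain tokens, successful device code sign-ins are the event a defender most wants surfaced from identity logs. The following is an added example, not code from Amazon, Microsoft or SecurityWeek: it reads a constructed newline-delimited export shaped loosely like Microsoft Entra ID sign-in logs, builds each user's baseline of countries from ordinary sign-ins, and rates every successful device code sign-in, with a higher severity when it comes from a country absent from that baseline. The field names (`authenticationProtocol`, `location.countryOrRegion`, `status.errorCode`, `appDisplayName`) and all sample records are assumptions made for this example.

```python
"""Triage device code sign-ins in an Entra ID-style sign-in log export.

Added example, not vendor code. The record layout only loosely mirrors the
Microsoft Entra ID sign-in schema; the field names used below are assumptions
made for this example.
"""
import json
from collections import defaultdict

# Constructed sample export, one JSON object per line. Alice normally signs in
# from DE and Bob from US; Carol's device code attempt failed (errorCode 50126).
SAMPLE_SIGNIN_LOG = """\
{"id": "s1", "createdDateTime": "2025-08-20T08:01:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "appDisplayName": "Office 365 SharePoint Online", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"id": "s2", "createdDateTime": "2025-08-21T09:15:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"id": "s3", "createdDateTime": "2025-08-22T14:42:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"id": "s4", "createdDateTime": "2025-08-20T16:00:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "none", "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"id": "s5", "createdDateTime": "2025-08-22T16:05:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"id": "s6", "createdDateTime": "2025-08-22T17:30:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """Parse a newline-delimited JSON export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(records):
    """Countries each user has successfully signed in from via ordinary flows.

    Device code sign-ins are deliberately excluded so that a phished sign-in
    cannot poison the baseline it is later compared against.
    """
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] == "deviceCode":
            continue
        if r["status"]["errorCode"] != 0:
            continue
        seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def triage_device_code_signins(records):
    """Return one finding per successful device code sign-in.

    Every such sign-in merits review, because the flow authorizes a device
    the user may never have seen; a sign-in from a country outside the user's
    ordinary-flow baseline is rated high, one inside it medium.
    """
    baseline = baseline_countries(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        usual = baseline.get(user, set())
        if country not in usual:
            severity = "high"
            reason = (f"device code sign-in from {country}; user's usual countries: "
                      f"{sorted(usual) or 'none on record'}")
        else:
            severity = "medium"
            reason = f"device code sign-in from {country} (within baseline); confirm the user initiated it"
        findings.append({
            "id": r["id"], "user": user, "app": r["appDisplayName"],
            "time": r["createdDateTime"], "country": country,
            "severity": severity, "reason": reason,
        })
    return findings


def main():
    for f in triage_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"[{f['severity']}] {f['time']} {f['user']} -> {f['app']} from {f['country']}: {f['reason']}")


if __name__ == "__main__":
    main()
```

On the sample, Alice's sign-in from NL is rated high and Bob's from US medium; Carol's failed attempt produces no finding. The more durable control is to restrict or block the device code flow for users who have no legitimate need for it, so that this triage covers only the exceptions.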

According to Amazon CISO CJ Moses, only approximately 10% of the compromised websites’ visitors were redirected to the threat actor-controlled domains.

“This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts,” Moses notes.


As part of the attacks, Midnight Blizzard relied on randomization to only redirect a small percentage of visitors, hid malicious code using base64 encoding, and set up cookies to prevent the repeated redirection of the same victims.
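The three traits just listed (probabilistic gating, a base64-hidden destination, and a cookie that suppresses repeat redirects) are also what a site owner can look for when checking whether their own pages have been tampered with. The scanner below is an added example, not Amazon's detection logic: it pulls inline `<script>` blocks out of a page, checks each for those traits plus a location change, decodes any base64-looking literal to see whether it hides a URL, and reports blocks that combine several indicators. The sample page, the cookie name and the decoded `check.example.invalid` domain are constructed for this example.

```python
"""Scan HTML for injected redirect scripts with the traits described above.

Added example, not Amazon's detection logic. Flags inline <script> blocks that
combine random gating, a cookie check, a location change and a base64 literal
that decodes to a URL. The sample page and its domain are constructed.
"""
import base64
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Base64-looking runs long enough not to collide with ordinary identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Individual traits; no single one is suspicious on its own.
INDICATORS = {
    "random_gating": re.compile(r"Math\.random\s*\(\s*\)\s*[<>]"),
    "cookie_gate": re.compile(r"document\.cookie"),
    "redirect": re.compile(r"(?:window\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]"),
    "base64_decode": re.compile(r"\batob\s*\("),
}

# Constructed sample: a normal analytics-style script followed by an injected
# block whose base64 literal decodes to https://check.example.invalid/verify.
SAMPLE_PAGE = """
<html><head>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
</head><body>
<h1>Welcome</h1>
<script>
(function(){
  if (document.cookie.indexOf("seen_verify=1") !== -1) return;
  if (Math.random() > 0.1) return;
  document.cookie = "seen_verify=1; path=/; max-age=86400";
  window.location.href = atob("aHR0cHM6Ly9jaGVjay5leGFtcGxlLmludmFsaWQvdmVyaWZ5");
})();
</script>
</body></html>
"""


def decode_base64_literals(script):
    """Return printable ASCII strings hidden in base64-looking literals."""
    decoded = []
    for match in B64_RE.finditer(script):
        token = match.group(0)
        if len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("ascii", errors="ignore")
        if raw and len(text) == len(raw) and text.isprintable():
            decoded.append(text)
    return decoded


def score_script(script):
    """Count the indicators present in one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    urls = [d for d in decode_base64_literals(script) if re.match(r"https?://", d)]
    if urls:
        hits.append("base64_url")
    return {"indicators": hits, "decoded_urls": urls, "score": len(hits)}


def scan_page(html, threshold=3):
    """Return findings for script blocks reaching the indicator threshold."""
    findings = []
    for index, script in enumerate(SCRIPT_RE.findall(html)):
        result = score_script(script)
        if result["score"] >= threshold:
            result["script_index"] = index
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(f"script #{finding['script_index']}: {finding['indicators']} -> {finding['decoded_urls']}")
```

Run against a stored copy of each page, or against a crawl of your own site, and diff the findings over time; a page that suddenly gains a block scoring at or above the threshold is the one to pull and compare against the deployed source.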

When blocked, the attackers quickly set up new infrastructure, including by moving to a new cloud provider and by registering the domain cloudflare[.]redirectpartners[.]com, AWS says.

“There was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure,” Moses points out.

Last year, Midnight Blizzard impersonated AWS and Microsoft employees to deliver RDP configuration files to unsuspecting users. In June 2025, Google warned of the APT’s attacks abusing the “app-specific password” feature to trick Gmail users into providing MFA-free access to their accounts.

Related: Russian State Hackers Target Organizations With Device Code Phishing

Related: HPE Says Personal Information Stolen in 2023 Russian Hack

Related: Russian APT Exploiting 7-Year-Old Cisco Vulnerability: FBI

Related: Norwegian Police Say Pro-Russian Hackers Were Likely Behind Suspected Sabotage at a Dam

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
