Amazon’s threat intelligence team recently uncovered a watering hole campaign run by APT29, the Russian state-sponsored actor also tracked as Midnight Blizzard. The operation, detected in late August 2025, compromised legitimate websites and injected malicious JavaScript into their pages. Roughly 10 percent of visitors were redirected away from the content they expected to actor-controlled domains such as findcloudflare[.]com and cloudflare.redirectpartners[.]com. Those domains served pages mimicking Cloudflare’s browser verification interstitial, and the ruse ended with the victim being walked through Microsoft’s device code authentication flow, so that they unknowingly authorized an attacker-controlled device against their own account.
The tradecraft marks a shift in APT29’s approach. The group is best known for narrowly targeted spear-phishing; here it injected malicious JavaScript into popular, compromised sites and let whoever happened to visit be selected for redirection. That opportunistic approach broadened the victim pool to anyone passing through those sites, most of whom had no indication they had been rerouted, and sampling only a fraction of visitors also makes the injection harder for a site owner or researcher to reproduce. The first visible anomaly for a victim was the request to enter a device code or approve a new device sign-in, and by that point the actor was one approval away from holding tokens for the victim’s account.
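The site-side symptom described above is an injected script that sends a sample of visitors to a foreign host. The following is an added example for this article, not code from Amazon’s report: a scanner a site owner could run over a fetched copy of their own page. It collects external script sources and inline script bodies, then flags script hosts outside an allowlist and inline redirects to any host other than the site’s own, noting when the redirect is gated on `Math.random()` or decoded with `atob()`. The allowlist, the `example.org` hosts and the `verify-cloudflare.example.net` lookalike are assumptions for the example, and the sample HTML is constructed.

```python
"""Scan fetched HTML for injected redirector scripts.

Added example for this article, not code from Amazon's report. It looks for the
two traits of the injection described above: script sources on hosts the site
owner does not recognise, and inline scripts that send the visitor to a foreign
host, optionally gated on a random sample of visitors or hidden behind atob().
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed site-owner allowlist of hosts permitted to serve scripts.
TRUSTED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# location / location.href / location.replace(...) / window.location = "https://..."
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?"
    r"\s*[=(]\s*[\"']?(https?://[^\"'\s)]+)",
    re.IGNORECASE,
)
SAMPLING_RE = re.compile(r"Math\.random\(\)")
DECODE_RE = re.compile(r"\batob\(")


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html, site_host):
    """Return findings for scripts that pull the visitor away from site_host."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in TRUSTED_SCRIPT_HOSTS:
            findings.append({"kind": "external-script", "host": host, "notes": ()})
    for body in parser.inline:
        notes = tuple(
            name for name, rx in (("sampled", SAMPLING_RE), ("base64", DECODE_RE))
            if rx.search(body)
        )
        for url in REDIRECT_RE.findall(body):
            host = urlparse(url).hostname
            if host and host != site_host:
                findings.append({"kind": "inline-redirect", "host": host, "notes": notes})
    return findings


# Constructed sample page: the site's own scripts plus an injected snippet of the
# kind described above. verify-cloudflare.example.net is a stand-in lookalike host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>Welcome</p>
<script>
if (Math.random() < 0.1) {
  window.location.href = "https://verify-cloudflare.example.net/challenge";
}
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "www.example.org"):
        print(finding)
```

Run it against the page as served and against a known-good copy from version control; a difference in findings between the two is a stronger signal than any single heuristic, since a legitimate site may well contain its own `location` assignments. A Content Security Policy with per-response nonces stops the browser from executing an injected inline script, but only if the injection point cannot also read the nonce, which a server-side template compromise usually can.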
The campaign’s success hinged on a convincing user experience. Cloudflare’s browser verification interstitial is something most web users have seen and clicked through without a second thought, so a lookalike page asking for one more step invited little scrutiny. Domains carrying the Cloudflare name reinforced the impression of a routine security check. The device code flow then hands the victim to Microsoft’s genuine sign-in page, with the attacker controlling only the instructions and the code to enter, so the standard awareness-training advice to check the URL before typing a password offers no protection here.
The device code flow is what turned a convincing lure into durable access. In that flow (the OAuth 2.0 device authorization grant), a client requests a short user code, the user enters the code at Microsoft’s sign-in site and authenticates normally, and the client then receives access and refresh tokens for that user. When the “client” is attacker-controlled, the attacker obtains tokens for the victim’s account without ever seeing a password, and multi-factor authentication does not help because the victim satisfies it themselves on the legitimate page. The refresh token keeps that access renewable long after the victim has closed the tab, which is what let APT29 persist inside corporate environments: from an authorized session the actor can move laterally, escalate privileges and collect intelligence over an extended period, well beyond what a single stolen login provides. Although Amazon confirmed that no AWS systems were compromised in this incident, the event is a reminder of the persistent and evolving threat posed by state-sponsored actors.
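On the identity side, the check a defender wants is a review of every sign-in that completed through the device code flow. The following is an added example for this article, not code from Amazon’s or Microsoft’s reports: it triages constructed Entra ID sign-in records, using the field names of the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`). The scoring rule, comparing each device-code sign-in with the same user’s interactive sign-ins, is this example’s own heuristic, and it assumes the `ipAddress` recorded on a device-code sign-in is that of the client that requested the token. The user names, app names and RFC 5737 addresses are all constructed.

```python
"""Triage device-code sign-ins in Entra ID sign-in records.

Added example for this article, not code from Amazon's or Microsoft's reports.
Field names follow the Microsoft Graph signIn resource. The records are
constructed, and the rule (compare each device-code sign-in with the same
user's interactive sign-ins) is this example's own heuristic; it assumes the
recorded ipAddress is that of the client that requested the token.
"""
from collections import defaultdict

# Constructed sign-in records; RFC 5737 documentation addresses stand in for real IPs.
# authenticationProtocol "none" is what an ordinary browser sign-in records.
SIGNINS = [
    {"createdDateTime": "2025-08-27T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-27T09:15:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-27T07:45:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-27T10:00:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-27T09:20:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 500121}},  # any non-zero errorCode is a failed sign-in
]


def triage_device_code(signins):
    """Classify every device-code sign-in.

    high   - successful, from an IP the user never used in an interactive sign-in
    medium - successful, from an IP the user also uses interactively (a CLI login
             on the user's own machine looks like this)
    info   - failed device-code attempt; kept because it is still useful for pivoting
    """
    baseline = defaultdict(set)
    for r in signins:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in signins:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        if r["status"]["errorCode"] != 0:
            severity = "info"
        elif r["ipAddress"] in baseline[user]:
            severity = "medium"
        else:
            severity = "high"
        findings.append({
            "time": r["createdDateTime"], "user": user, "ip": r["ipAddress"],
            "country": r["location"]["countryOrRegion"], "app": r["appDisplayName"],
            "severity": severity,
        })
    return findings


def polling_hosts(findings):
    """IPs that appear in device-code sign-ins for more than one user.

    One client polling the token endpoint on behalf of several victims is the
    infrastructure signature of a campaign rather than of one user's CLI.
    """
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = triage_device_code(SIGNINS)
    for f in sorted(found, key=lambda f: f["time"]):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], f["country"], f["app"])
    print("shared device-code IPs:", polling_hosts(found))
```

A high finding should be followed by revoking the user’s refresh tokens and reviewing what the issued tokens were used for, since resetting the password alone does not invalidate tokens already held by the attacker’s client. Where users have no legitimate need for the device code flow, a Conditional Access policy using the authentication flows condition can block it outright, which removes this class of phishing rather than just detecting it.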
Once the campaign was identified, Amazon coordinated with Cloudflare, Microsoft and other partners to dismantle the infrastructure: the rogue domains were taken down and the EC2 instances the actor had been using were isolated. That synchronized response illustrates the value of cross-company collaboration, and the incident is a reminder that defensive strategies have to keep adapting as actors like APT29 refine their methods to evade traditional security measures and exploit new technologies.