Thousands of Amazon Web Services (AWS) domains were being impersonated.
Amazon broke up a phishing operation that impersonated thousands of Amazon Web Services (AWS) domains.
The AWS security team, together with Ukraine's CERT-UA, attributed the campaign to the Russian-backed APT29 group. The attack used spoofed AWS domains in an attempt to harvest login credentials from Ukrainian-speaking targets.
Since uncovering the phishing scam, Amazon has issued a mass takedown of the domains that were used in the attack.
APT29, also known as Cozy Bear, is affiliated with the Russian government and has been active since 2008.
According to Amazon, AWS itself was not the target of the attack, and none of its services or accounts were actually compromised. Rather, URLs on AWS-lookalike domains served as the lure to get victims to click a link that eventually led to a malware download site. Ultimately, the victims ended up with Windows malware that sought out account credentials.
“Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn’t the target, nor was the group after AWS customer credentials,” said Amazon CISO CJ Moses. “Rather, APT29 sought its targets’ Windows credentials through Microsoft Remote Desktop.”