Amazon Disrupts Russian APT29 Group's Watering Hole Campaign
Amazon Web Services has identified and disrupted a watering hole campaign conducted by Russia's APT29 group, linked to the SVR. The attackers used compromised websites to redirect users to malicious infrastructure.

Amazon's threat intelligence team has identified and disrupted a watering hole campaign conducted by APT29, a threat actor associated with Russia's Foreign Intelligence Service (SVR). The campaign utilized compromised legitimate websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices via Microsoft's device code authentication flow.
This opportunistic tactic demonstrates APT29's ongoing efforts to scale operations for broader intelligence collection. The group has shown a pattern of evolving tactics, including previous attempts in October 2024 to use AWS-impersonating domains for phishing, which Amazon also disrupted.
Furthermore, Google Threat Intelligence Group reported in June 2025 on APT29's phishing campaigns targeting academics and critics of Russia. The current campaign highlights a continued focus on credential harvesting and intelligence gathering, with refined technical approaches.
Amazon identified the activity through an analytic created for APT29 infrastructure. Investigation revealed that the actor had compromised various legitimate websites and injected obfuscated JavaScript. Amazon noted APT29's ability to rapidly adapt infrastructure in response to disruption, shifting from JavaScript redirects to server-side redirects on new infrastructure.