Amazon Stops SVR's Sophisticated 'Watering Hole' Cyber Attack
Amazon has successfully disrupted a sophisticated cyber attack orchestrated by Russia's foreign intelligence service, the SVR. The operation, dubbed a 'watering hole' campaign, targeted Microsoft's device code authentication process.
Amazon's threat intelligence team discovered the campaign in August 2024. The team identified actor-controlled domain names and malicious JavaScript injected into compromised sites, which redirected about 10% of those sites' visitors to Russian-controlled domains. This tactic, known as credential harvesting, is a common strategy employed by the SVR to collect intelligence.
The campaign was attributed to APT29, also known as BlueBravo or Cozy Bear, a group linked to the SVR. After Amazon's disruption, the hackers attempted to continue the campaign using new domains and infrastructure, indicating their persistence and adaptability.
Amazon responded swiftly by isolating affected instances, collaborating with providers, and sharing information with Microsoft. This collective effort demonstrates the importance of public-private partnerships in combating cyber threats.
The watering hole campaign is another example of Russia's ongoing focus on intelligence collection and cyber operations. Amazon's successful disruption highlights the importance of robust threat intelligence capabilities and international cooperation in countering state-sponsored cyber attacks. The identity of Amazon's current Chief Information Security Officer remains unclear, but their team's swift action has averted a potential cybersecurity crisis.