AWS Seizes Domains Used by Russian Threat Group APT29
2024-10-26 00:04:34 Author: securityboulevard.com

Amazon Web Services (AWS) has seized domains that the Russian threat group APT29 was using in a phishing campaign designed to steal credentials from organizations the cloud computing giant described as Russia's adversaries.

The group – also known as Midnight Blizzard, Cozy Bear, and Nobelium – sent the phishing messages to targets in government agencies, enterprises, and militaries, according to CJ Moses, AWS' CISO and vice president of Security Engineering.

The messages were written in Ukrainian and sent to many more targets than is usual for APT29, which typically runs more narrowly focused campaigns, Moses wrote in a blog post.

“Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn’t the target, nor was the group after AWS customer credentials,” he wrote. “Rather, APT29 sought its targets’ Windows credentials through Microsoft Remote Desktop.”

AWS was tipped off to APT29's activity by CERT-UA, Ukraine's computer emergency response team. In an advisory published earlier this week, the Ukrainian team wrote that it had received information about a mass distribution of emails among government agencies, enterprises, and the military.


The email subjects referred to integration issues between AWS services and Microsoft, and to the implementation of zero-trust architectures. Attached to the messages were configuration files for Microsoft's Remote Desktop Protocol (RDP). If a recipient opened one of the files, the Remote Desktop client would connect to the attackers' server, granting them access to the victim's system.

Phishing for System Access

The attackers' remote server “was not only granted access to disks, network resources, printers, COM ports, audio devices, the clipboard and other resources on the local computer, but [also] the technical prerequisites for running third-party programs/scripts on the victim's computer could have been created,” CERT-UA wrote.
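A defender handling this campaign would want to triage .rdp attachments for exactly the settings CERT-UA lists. The script below is an added example, not code from the article, AWS or CERT-UA: it parses the plain-text `name:type:value` format that mstsc.exe uses, flags the resource-redirection settings that hand local disks, clipboard, printers, COM ports and microphone to the remote host, and blocks any file whose target is not on an organizational allowlist (because even without redirection, connecting sends the user's Windows credentials to that host). The setting names are the real Remote Desktop client ones; the two sample files, the hostnames and the allowlist are constructed placeholders, not indicators from the campaign.

```python
"""Triage .rdp attachments for resource redirection and untrusted targets.

Added example, not from the article, AWS or CERT-UA. Setting names are the
real mstsc.exe ones; sample files, hostnames and the allowlist are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the attachments described above: the remote
# host gets drives, clipboard, printers, COM ports and microphone, and can run
# a program via RemoteApp. The hostname is a placeholder, not a real indicator.
MALICIOUS_RDP = """\
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||zero-trust-setup
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
audiocapturemode:i:1
authentication level:i:0
prompt for credentials:i:0
"""

# Constructed sample of a locked-down connection to an internal terminal server.
BENIGN_RDP = """\
full address:s:ts01.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
redirectcomports:i:0
audiocapturemode:i:0
authentication level:i:2
"""


def parse_rdp(text: str) -> dict[str, str]:
    """Parse `name:type:value` lines into {name: value}.

    The value may itself contain ':' (host:port), so split at most twice.
    Names are case-insensitive; a later duplicate overrides an earlier one.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # blank, comment-like or malformed line
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


# (setting, predicate on its value, meaning of a hit). Which settings count as
# risky is this example's own policy; the names are the client's real ones.
REDIRECTION_CHECKS = [
    ("drivestoredirect", lambda v: v not in ("", "0"), "local drives redirected to remote host"),
    ("devicestoredirect", lambda v: v != "", "local devices redirected"),
    ("redirectclipboard", lambda v: v == "1", "clipboard shared with remote host"),
    ("redirectprinters", lambda v: v == "1", "printers redirected"),
    ("redirectcomports", lambda v: v == "1", "COM ports redirected"),
    ("redirectsmartcards", lambda v: v == "1", "smart cards redirected"),
    ("audiocapturemode", lambda v: v == "1", "microphone redirected"),
    ("remoteapplicationmode", lambda v: v == "1", "RemoteApp mode: remote program presented as local"),
    ("authentication level", lambda v: v == "0", "server identity not verified"),
]


@dataclass
class Verdict:
    host: str
    trusted_host: bool
    findings: list[str] = field(default_factory=list)

    def decision(self) -> str:
        # An untrusted target alone is enough to block: the client would send the
        # user's Windows credentials to that host regardless of redirection.
        if not self.trusted_host:
            return "block"
        return "review" if self.findings else "allow"


def host_of(settings: dict[str, str]) -> str:
    """Target host without the optional :port; 'alternate full address' wins."""
    addr = settings.get("alternate full address") or settings.get("full address", "")
    if re.search(r":\d+$", addr):
        addr = addr.rsplit(":", 1)[0]
    return addr.lower()


def triage_rdp(text: str, trusted_hosts: set[str]) -> Verdict:
    """Parse one .rdp file and report its target host and redirection findings."""
    settings = parse_rdp(text)
    host = host_of(settings)
    findings = [why for name, hit, why in REDIRECTION_CHECKS
                if name in settings and hit(settings[name])]
    return Verdict(host=host, trusted_host=host in trusted_hosts, findings=findings)


if __name__ == "__main__":
    trusted = {"ts01.corp.example"}  # assumed organizational allowlist
    for label, sample in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        v = triage_rdp(sample, trusted)
        print(f"{label}: host={v.host} decision={v.decision()}")
        for finding in v.findings:
            print("  -", finding)
```

The allowlist check is deliberately the decisive one: a mail gateway that only looked for redirection flags would still let through a file that merely points the client at an external host and prompts for credentials. Bracketed IPv6 literals in `full address` are not handled by the port-stripping regex and would need a small extension.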

The organization also noted that the infrastructure used in the attacks was being prepared as early as August.

AWS’ Moses wrote that “upon learning of this activity, we immediately initiated the process of seizing the domains APT29 was abusing which impersonated AWS in order to interrupt the operation.”

An Active Threat

APT29, which the U.S. and UK governments have linked to Russia’s Foreign Intelligence Service (SVR), targets governments, diplomatic entities, nongovernmental organizations (NGOs), and IT service providers, mostly in the United States and Europe, according to Microsoft, which tracks the group as Midnight Blizzard.

“Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests,” Microsoft wrote in a brief about the threat group, which “is consistent and persistent in their operational targeting and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the ADFS malware known as FOGGYWEB and MAGICWEB.”

A Long History of Attacks

Microsoft got first-hand experience with the group earlier this year, when the IT vendor detected APT29’s presence in its email system in January and saw it expand its efforts in February. That hack came after another high-profile security incident last year in which Chinese threat group Storm-0558 stole hundreds of thousands of emails from top U.S. officials. Microsoft was highly criticized by Congress for faulty security practices and late last year launched its Secure Future Initiative (SFI), which put security at the forefront of everything the company does.

Microsoft in September outlined steps it had taken since announcing SFI, including shedding 730,000 unused applications and creating a Cybersecurity Governance Council.

APT29, which has been active for more than a decade, has also been behind other high-profile incidents, including a breach of the Democratic National Committee's servers in 2016, the supply-chain attack against software maker SolarWinds in 2020, and, earlier this year, a phishing campaign against political parties in Germany.

In August, Google's Threat Analysis Group reported that APT29, in watering hole campaigns, was using exploits that were identical or nearly identical to ones used by the commercial spyware makers NSO Group and Intellexa.

“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” Clement Lecigne, a security engineer with Google, wrote in a report.



Source: https://securityboulevard.com/2024/10/aws-seizes-domains-used-by-russian-threat-group-apt29/