Amazon Stymies APT29 Credential Theft Campaign
A group linked to Russian intelligence services redirected victims to fake Cloudflare verification pages and exploited Microsoft's device code authentication flow.
APT29 is an espionage-focused threat actor associated with Russian intelligence, making its tactics relevant to understanding state-backed cyber risk.
Search across headline titles and summaries.
Background for this topic.
APT29 is a sophisticated cyber espionage group linked to a nation-state, known for stealthy, long-term intrusions targeting government agencies, think tanks, and research institutions. They employ custom malware, zero-day exploits, and social engineering to gain initial access and maintain persistence, often using legitimate credentials to avoid detection. Their operations focus on intelligence collection rather than immediate disruption or destruction.
Security teams should watch for signs of credential compromise, lateral movement, and covert data exfiltration associated with APT29 activity. Defenses that emphasize multi-factor authentication, network segmentation, and behavioral anomaly detection can reduce risk. Understanding APT29’s tactics, techniques, and procedures (TTPs) enables more effective threat hunting and tailored monitoring to detect and mitigate espionage campaigns early.
Weekly headline count for the current query.
A group linked to Russian intelligence services redirected victims to fake Cloudflare verification pages and exploited Microsoft's device code authentication flow.
Russia-backed APT29's latest campaign once again uses malicious invites to wine-tasting events as its lure, but this time targets a different set of vintages — errr, victims — and delivers a novel backdoor, GrapeLoader.
The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.
The Russian-backed group is using a novel access vector to harvest victim data and compromise devices in a large-scale intelligence-gathering operation.
Kremlin intelligence carried out a wide-scale phishing campaign in contrast to its usual, more targeted operations.
Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.
Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.
The notorious cyber espionage group has been harrying French interests for years, and isn't flagging now as the Paris Olympics approach.
Though Federal Civilian Executive Branch (FCEB) agencies are the primary targets, CISA encourages all organizations to up their security, given the high risk.
The Midnight Blizzard APT is mounting a sustained, focused cyber campaign against the computing kahuna, using secrets it stole from emails back in January.
CISA and its counterparts in the UK and other countries this week offered new guidance on how to deal with the threat actor's recent shift to cloud attacks.
Threat actors created and abused OAuth apps to access Microsoft's corporate email environment and remain there for weeks.
The Russian APT behind the SolarWinds attacks exfiltrated data from HPE email accounts last May.
Russian state-sponsored threat actor Nobelium used a basic password-spray attack to breach Microsoft corporate email accounts, including for execs.
Russia's APT29 is going after a critical RCE flaw in the JetBrains TeamCity software developer platform, prompting governments worldwide to issue an urgent warning to patch.
The Nobelium APT is launching highly targeted Teams-based phishing attacks on government and industrial targets using compromised Microsoft 365 tenants, with the aim of data theft and cyber espionage.
Cloaked Ursa/Nobelium gets creative by appealing to the more personal needs of government employees on foreign missions in Kyiv.
The authentication bypass used by the Nobelium group, best known for the supply chain attack on SolarWinds, required a massive, real-time investigation to uncover, Microsoft says.
The Russia-backed Nobelium APT has pioneered a post-exploitation tool allowing attackers to authenticate as any user.
The same infrastructure traced back to Russian-speaking threat group Nobelium is being used to set up misspelled domain names, presaging impersonation attacks bent on credential harvesting, analysts say.