On August 29, 2025, Amazon announced that its threat intelligence team successfully disrupted a watering hole campaign orchestrated by APT29, a Russian state-sponsored hacking group also known as Midnight Blizzard. This campaign involved the use of compromised websites to redirect unsuspecting visitors to malicious infrastructure aimed at tricking them into authorizing devices controlled by the attackers through Microsoft's device code authentication flow. Amazon's Chief Information Security Officer, CJ Mosess, stated, "This opportunistic approach illustrates APT29's continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts."
APT29, which is associated with Russia's Foreign Intelligence Service (SVR), has been linked to various cyber operations targeting sensitive data. In recent months, they have employed phishing techniques including device code phishing and malicious RDP configurations, particularly against Ukrainian entities. This latest operation is part of a trend where APT29 has refined its methods to enhance its intelligence gathering capabilities. In June 2025, Google reported that APT29 was exploiting application-specific passwords to gain unauthorized access to the emails of academics and critics of Russia.
The watering hole attack works by compromising legitimate websites and redirecting users to malicious sites that employ a sophisticated authentication flow. By leveraging Microsoft's device code authentication, APT29 aims to gain unauthorized access to Microsoft 365 accounts, thereby facilitating credential harvesting. Security experts have noted that this tactic not only allows for the harvesting of credentials but also illustrates the group's ability to adapt its infrastructure rapidly following previous disruptions.
The industry response to APT29's activities has been proactive. Amazon's security teams have previously disrupted campaigns where APT29 attempted to impersonate AWS services to conduct phishing attacks. Experts in the field emphasize the importance of continuous monitoring and updating of security practices to defend against such sophisticated threats.
Organizations are encouraged to implement robust security measures including multi-factor authentication and to remain vigilant against phishing attempts. As Mosess stated, "The evolution of APT29's tactics requires organizations to be on high alert and to enhance their defensive strategies to mitigate risks associated with such advanced persistent threats."
In light of these developments, organizations are advised to review their security protocols and ensure that their systems are updated to defend against potential exploitation by APT29 and similar threat actors.
