Online retail giant and cloud-service provider Amazon broke up a phishing operation that impersonated thousands of Amazon Web Service (AWS) domains.
The AWS security team, along with the Ukrainian CERT-UA blamed the Russian-backed APT 29 group for an attack which used spoofed AWS domains in an attempt to harvest login credentials from Ukrainian-speaking targets.
Since uncovering the phishing scam, Amazon has issued a mass takedown of the domains that were used in the attack.
According to Amazon, AWS itself was not the target of the attack and none of its services or accounts were actually compromised. Rather, URLs for AWS sites were served up as the lure to get victims to click on the link that would eventually lead to a malware download site.
Ultimately, the victims ended up with Windows malware that sought out account credentials.
“Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn’t the target, nor was the group after AWS customer credentials,” said Amazon CISO CJ Moses.
“Rather, APT29 sought its targets’ Windows credentials through Microsoft Remote Desktop.”
Given the nature of the targets, AWS said it was not hard to figure out the motive of the Russia-backed threat group, though the tactics were slightly out of character for the normally laser-focused APT 20.
“In this instance, their targets were associated with government agencies, enterprises, and militaries, and the phishing campaign was apparently aimed at stealing credentials from Russian adversaries,” explained Moses.
“APT29 sent the Ukrainian language phishing emails to significantly more targets than their typical, narrowly targeted approach.”
With the U.S. presidential race in its final stretch, experts believe it is likely we will see a surge in attacks ahead of the Nov. 5 elections. Russian government-backed hacking groups have a long history of targeting U.S. elections in hopes of destabilizing the country and tipping the scales in favor of their preferred candidates. Officials in the U.S. recently warned that Russian backed groups are already stepping up their disinformation efforts ahead of the election.
