Software security

Amazon Disrupts Russian APT29 Credential Theft Operation

Amazon disrupts APT29's credential theft campaign using fake Cloudflare pages, urging review of Microsoft's device code authentication.

By Content Team

Sep 3, 2025

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Amazon's threat intelligence team successfully disrupted a sophisticated credential theft campaign by APT29, the Russian intelligence-linked hacking group behind the 2020 SolarWinds attack. The operation compromised legitimate websites to inject malicious code that redirected 10% of visitors to fake Cloudflare verification pages.

Once there, users were tricked into entering email addresses and authorizing attackers' devices to access their Microsoft accounts through a rare "device code authentication" technique. APT29 used Amazon EC2 instances and other cloud infrastructure to blend with legitimate traffic.

Despite the group's attempts to migrate infrastructure after detection, Amazon continued tracking and disrupting their operations. Security experts recommend organizations review Microsoft's device authentication guidance and consider disabling the feature if unnecessary.

Source: Dark Reading

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Instagram Denies Data Breach After Mass Password Reset Emails Spark User Confusion

Jan 13, 2026

Saudi Arabia Ordered to Pay £3m to London Dissident Over Pegasus Spying

Jan 29, 2026

Pennsylvania Community College Shuts Down After Ransomware Attack Encrypts All Data

Mar 13, 2026

Cheshire School Closes After Ransomware Attack

Jan 18, 2026