Amazon has disrupted a campaign by Russian state-linked hackers that used compromised websites to trick users into granting cloud access through Microsoft’s Device Code Flow. On August 29, Amazon’s threat intelligence team said the group known as APT29, or Midnight Blizzard, injected obfuscated JavaScript into legitimate sites, redirecting around 10% of visitors to fake pages resembling Cloudflare checks. Victims were then misled into “authorizing” attacker-controlled devices, effectively handing over access to their email and files in the cloud.
Evolution of Russian cyber espionage tactics
The disruption marks a new phase in APT29’s evolution. Instead of breaching endpoints directly, the group increasingly manipulates users into legitimizing attacks, maintaining persistent access to Microsoft 365 and other ecosystems. Microsoft previously confirmed Midnight Blizzard infiltrated its corporate network in 2024, while Google and Citizen Lab documented phishing campaigns where victims were coerced into generating application passwords for Gmail accounts. These methods point to a systematic reliance on social engineering against U.S. government agencies, NGOs, academic institutions and media.
Risks for U.S. institutions and elections
The model of diverting traffic from legitimate sites poses significant risks for organizations involved in policy-making and civic life. Regional media, universities, charities and research centers serve as “transit” targets that, while not directly tied to voting infrastructure, provide valuable entry points for espionage. By harvesting email accounts, contact lists and calendars, attackers can set the stage for more targeted intrusions and influence operations. Analysts warn that Washington must treat such activity as hybrid interference, not mere cybercrime.
Industry and policy response
APT29’s use of Cloudflare-like pages and abuse of Microsoft’s device authentication flow underscores broader vulnerabilities in cloud authentication. Experts argue that risky login methods should be disabled by default, OAuth applications tightly monitored, and lookalike domains swiftly removed. Amazon’s public exposure of these schemes, following a similar action in 2024, highlights the role of tech companies in countering state-sponsored espionage. U.S. policymakers are urged to complement defensive measures with diplomatic and sanctions-based responses, targeting both the operators and service providers enabling these campaigns. The message to Moscow: cyber espionage carries escalating political and economic costs.
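One way for defenders to surface the sign-ins this campaign produces, as an added example that is not Amazon's, Microsoft's or the article's own code: it assumes the Microsoft Graph signIn field names (`authenticationProtocol`, `location.countryOrRegion`, `ipAddress`) and runs over constructed sample records, flagging every Device Code Flow sign-in and raising the severity when the location does not match the user's ordinary sign-ins.

```python
from collections import defaultdict

# Constructed sample of Microsoft Entra sign-in records (not real data). Field
# names follow the Graph signIn resource, where authenticationProtocol is
# "deviceCode" for a Device Code Flow sign-in and "none" for an ordinary one.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Outlook", "createdDateTime": "2025-08-20T09:00:00Z"},
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2025-08-22T14:31:00Z"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Azure CLI", "createdDateTime": "2025-08-22T15:02:00Z"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Teams", "createdDateTime": "2025-08-21T08:15:00Z"},
]


def flag_device_code_signins(records):
    """Return one alert per Device Code Flow sign-in, in record order.

    Severity is "high" when the sign-in's country or IP is absent from the
    user's baseline of non-device-code sign-ins (the flow is completed from the
    device that requested the code, which in this campaign is not the victim's),
    otherwise "medium". A user with no baseline at all is treated as novel.
    """
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            user_base = baseline[r["userPrincipalName"]]
            user_base["countries"].add(r.get("location", {}).get("countryOrRegion"))
            user_base["ips"].add(r.get("ipAddress"))

    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        known = baseline[user]
        novel = country not in known["countries"] or r.get("ipAddress") not in known["ips"]
        alerts.append({"user": user, "time": r["createdDateTime"],
                       "app": r.get("appDisplayName"), "country": country,
                       "ip": r.get("ipAddress"),
                       "severity": "high" if novel else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

In a real tenant the same records come from the Graph sign-in log export; pairing this with a Conditional Access policy that blocks the device code flow for users who have no legitimate need for it removes the class of sign-in entirely.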