Amazon seizes domains used by Russian hackers to target Windows systems

Midnight Blizzard found impersonating AWS in attacks against governments and military

News By Sead Fadilpašić published 28 October 2024

Amazon has seized a number of internet domains used by Russian hackers to launch phishing attacks.

In a blog post, CJ Moses, Chief Information Security Officer at Amazon, said a Russian state-sponsored threat actor known as Midnight Blizzard (AKA APT29) was spotted running a large-scale phishing attack against government agencies, enterprises, and militaries.

The attacks were impersonating Amazon Web Services (AWS), the retail giant’s cloud arm, with phishing emails written in the Ukrainian language.

Midnight Blizzard attacks

The goal of the campaign was not to target AWS, or to steal AWS credentials from the victims, Moses noted - instead, Midnight Blizzard was looking for Windows credentials to use through Microsoft Remote Desktop.

“Upon learning of this activity, we immediately initiated the process of seizing the domains APT29 was abusing which impersonated AWS in order to interrupt the operation,” Moses added. “CERT-UA has issued an advisory with additional details on their work.”

CERT-UA is the Computer Emergency Response Team of Ukraine, a specialized structural unit of the State Center for Cyber Defense of the State Service for Special Communications and Information Protection of Ukraine.

You may remember Midnight Blizzard as the threat actor behind the famed Microsoft attack that forced the company to completely revamp its security policies.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors