CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Amazon Disrupts GRU-Affiliated APT44 Campaign Targeting Critical Infrastructure

First reported
Last updated
4 unique sources, 10 articles

Summary

Hide ▲

Amazon has disrupted a years-long Russian state-sponsored campaign targeting Western critical infrastructure, including energy sector organizations and cloud-hosted network infrastructure. The campaign, attributed to the GRU-affiliated APT44 group, initially leveraged vulnerabilities in WatchGuard Firebox and XTM, Atlassian Confluence, and Veeam to gain initial access. However, starting in 2025, APT44 shifted its tactics to target misconfigured network edge devices, reducing their exposure and resource expenditure. The group targeted enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems to harvest credentials and establish persistent access. Amazon's intervention led to the disruption of the campaign, highlighting the ongoing threat posed by state-sponsored cyber actors. APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active since at least 2021. The group exploited vulnerabilities in WatchGuard Firebox and XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) to compromise network edge devices. The campaign involved credential replay attacks and targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. Amazon's threat intelligence team identified and notified affected customers, disrupting active threat actor operations. Additionally, APT28, another GRU-affiliated group, has been conducting a sustained credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The campaign, observed between June 2024 and April 2025, involves deploying UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and 2FA codes. Links to these pages are embedded within PDF documents distributed via phishing emails, often shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, APT28 uses subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain leading to the credential harvesting page. The campaign is part of a broader set of phishing and credential theft operations targeting various institutions in pursuit of Russia's strategic objectives. APT28's recent campaign targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution.

Timeline

  1. 09.01.2026 09:00 1 articles · 4d ago

    APT28 targets organizations in Balkans, Middle East, and Central Asia

    APT28 conducted a credential-harvesting campaign targeting specific organizations in the Balkans, the Middle East, and Central Asia. The campaign involved phishing emails themed to match the intended targets and written in their native tongues. Victims were redirected to login pages mimicking legitimate online services after following links in the phishing emails. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives.

    Show sources
    Open in new tab
  2. 17.12.2025 17:30 4 articles · 26d ago

    APT28 conducts sustained credential-harvesting campaign targeting UKR[.]net users

    APT28 targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution.

    Show sources
    Open in new tab
  3. 16.12.2025 14:27 5 articles · 27d ago

    APT44 targets Western critical infrastructure with misconfigured network edge devices

    The campaign targeted critical organizations in North America, Europe, and the Middle East, with a notable focus on the energy sector. Attackers targeted enterprise routers, routing infrastructure, VPN concentrators, network management appliances, collaboration platforms, and cloud-based project management systems. The shift toward targeting misconfigured network edge devices began gradually between 2021 and 2025. In 2021, the threat cluster exploited WatchGuard flaw CVE-2022-26318. Between 2022 and 2023, threat actors targeted Confluence vulnerabilities CVE-2021-26084 and CVE-2023-22518. In 2024, attackers targeted Veeam flaw CVE-2023-27532. The primary credential extraction mechanism appeared to be packet capture and traffic analysis. Amazon identified and notified customers with compromised network appliances, enabled remediation of compromised EC2 resources, shared intelligence with partners and affected vendors, and reported observations to network appliance vendors.

    Show sources
    Open in new tab
  4. 29.08.2025 16:22 2 articles · 4mo ago

    Amazon disrupts APT29 watering hole campaign targeting Microsoft device code authentication

    The campaign targeted Microsoft 365 accounts and data. APT29 has previously targeted European embassies, Hewlett Packard Enterprise, and TeamViewer. Amazon's threat intelligence team discovered the domain names used in the watering hole campaign. The campaign used a cookie-based system to prevent the same user from being redirected multiple times. Amazon isolated the EC2 instances used by the threat actor and partnered with Cloudflare and Microsoft to disrupt the identified domains. APT29 attempted to move its infrastructure to another cloud provider and registered new domain names. The campaign reflects an evolution in APT29's technical approach, no longer relying on domains that impersonate AWS or social engineering attempts to bypass multi-factor authentication (MFA).

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Organizations are advised to strengthen OAuth controls and train users to avoid entering device codes from untrusted sources. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.

Open in new tab

Russian GRU Shifts Tactics to Target Misconfigured Edge Devices in Western Critical Infrastructure

A Russian state-sponsored threat actor, attributed to the GRU, has shifted its tactics from exploiting vulnerabilities to targeting misconfigured customer network edge devices. The campaign, active since 2021, primarily targets energy sector organizations and critical infrastructure providers in Western nations. The shift in tactics allows the group to maintain persistent access, harvest credentials, and move laterally within victim networks while reducing exposure and resource expenditure.

Open in new tab

Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S. and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, and energy systems, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. These groups have led to physical impacts in some cases, including temporary loss of view and costly manual recovery efforts.

Open in new tab

Iranian APT Phishing Campaign Targets US Think Tanks

Between June and August 2025, an Iranian advanced persistent threat (APT) group, tentatively named UNK_SmudgedSerpent, conducted targeted phishing attacks against prominent US think tanks and policy experts. The campaign impersonated influential figures in US foreign policy, including Suzanne Maloney and Patrick Clawson, to steal credentials and deploy remote monitoring and management (RMM) software. The group's tactics, techniques, and procedures (TTPs) overlapped with multiple known Iranian APTs, suggesting possible reorganization or collaboration within Iranian cyber operations. The phishing attempts involved impersonating key figures in US policy discussions on Iran, using tailored emails to lure targets into clicking malicious links. The group used a combination of techniques reminiscent of multiple Iranian APTs, including TA453 (Charming Kitten) and TA455 (Smoke Sandstorm), and deployed RMM software, a tactic previously associated with TA450 (MuddyWater). The campaign targeted over 20 subject matter experts at a U.S.-based think tank and used decoy documents and zip files containing RMM installers. The attackers also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute, and used spoofed login pages to harvest Microsoft account credentials. The group's activity was observed to have paused, but concerns persist due to the tactical overlap with known Iranian APTs. The group's tactics and infrastructure suggest possible personnel movement or shared infrastructure procurement between Iranian contracting outfits.

Open in new tab

HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics. The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection. Additionally, Kimsuky is targeting organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The group is using QR codes in phishing campaigns, a technique known as 'quishing,' to redirect victims to malicious locations disguised as questionnaires, secure drives, or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies.

Open in new tab