Amazon has announced that it has successfully disrupted a sophisticated cyber campaign orchestrated by the Russian-linked threat actor group, APT29, also known as Nobelium or Cozy Bear. The campaign leveraged a watering hole technique and a clever abuse of Microsoft’s device code authentication to compromise a small number of Google Workspace accounts. This swift action by Amazon’s security team prevented a potentially much larger breach and provided a crucial warning to the cybersecurity community.
According to a detailed report from Amazon, the attackers used compromised websites to redirect visitors to malicious infrastructure. Once on the fake site, users were tricked into authorizing an attacker-controlled device through Microsoft’s device code authentication process. This process, designed to simplify logins on devices without a keyboard, was exploited to grant the attackers persistent access to the victims’ email accounts. The campaign, which was a part of APT29’s ongoing intelligence-gathering efforts, successfully accessed email from a small number of Google Workspace accounts on August 9, 2025.
The use of device code authentication as an attack vector highlights a growing trend among advanced persistent threat (APT) groups to target legitimate, but often overlooked, authentication mechanisms. This method allows them to bypass traditional two-factor authentication (2FA) and other security controls, making their attacks harder to detect. The campaign’s focus on intelligence gathering, rather than data theft for financial gain, also underscores the strategic nature of these operations, which often precede or support larger geopolitical objectives.
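The two paragraphs above describe the mechanics (an attacker-controlled device is authorized through the device code flow, then polls for tokens) and the detection problem (the sign-in itself looks legitimate). The following script is an added example, not code from Amazon's report or any vendor product, showing how a defender can triage device-code-grant sign-ins in exported identity provider logs. It flags a device-code sign-in whose polling client IP has never appeared in that user's ordinary sign-in history, and a single client IP that completes device-code sign-ins for several distinct users, which is what shared attacker infrastructure looks like. The event field names (`ts`, `user`, `protocol`, `client_ip`, `app`, `success`) and the sample events are assumptions constructed for this example, not a real vendor schema or real log data.

```python
"""Triage device-code-grant sign-ins from identity provider logs.

Added example (not from Amazon's report). Field names are assumptions;
map them onto your provider's sign-in export before use.
"""
from collections import defaultdict

# Constructed sample events, not real log data. In a legitimate device-code
# login the polling client usually sits on the same network the user signs
# in from; in a phished flow the poller is the attacker's host.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T08:01:00Z", "user": "alice@example.com", "protocol": "password",
     "client_ip": "203.0.113.10", "app": "Browser", "success": True},
    {"ts": "2025-08-09T08:05:00Z", "user": "alice@example.com", "protocol": "device_code",
     "client_ip": "203.0.113.10", "app": "CLI Tool", "success": True},
    {"ts": "2025-08-09T09:12:00Z", "user": "bob@example.com", "protocol": "password",
     "client_ip": "198.51.100.7", "app": "Browser", "success": True},
    {"ts": "2025-08-09T09:15:00Z", "user": "bob@example.com", "protocol": "device_code",
     "client_ip": "192.0.2.44", "app": "Mail Client", "success": True},
    {"ts": "2025-08-09T09:20:00Z", "user": "carol@example.com", "protocol": "password",
     "client_ip": "198.51.100.9", "app": "Browser", "success": True},
    {"ts": "2025-08-09T09:23:00Z", "user": "carol@example.com", "protocol": "device_code",
     "client_ip": "192.0.2.44", "app": "Mail Client", "success": True},
    # A failed device-code attempt (expired or never-approved code) is kept
    # out of the shared-IP count so a single noisy host does not inflate it.
    {"ts": "2025-08-09T10:00:00Z", "user": "dave@example.com", "protocol": "device_code",
     "client_ip": "192.0.2.44", "app": "Mail Client", "success": False},
]


def baseline_ips(events):
    """Per-user set of client IPs seen on successful non-device-code sign-ins."""
    seen = defaultdict(set)
    for e in events:
        if e["success"] and e["protocol"] != "device_code":
            seen[e["user"]].add(e["client_ip"])
    return seen


def flag_unfamiliar_device_code(events, baseline):
    """Device-code sign-ins whose polling client IP is new for that user."""
    findings = []
    for e in events:
        if e["protocol"] != "device_code" or not e["success"]:
            continue
        if e["client_ip"] not in baseline.get(e["user"], set()):
            findings.append({
                "rule": "device_code_from_unfamiliar_ip",
                "user": e["user"],
                "client_ip": e["client_ip"],
                "app": e["app"],
                "ts": e["ts"],
            })
    return findings


def flag_shared_polling_ip(events, min_users=2):
    """One client IP completing device-code sign-ins for several users."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["protocol"] == "device_code" and e["success"]:
            users_by_ip[e["client_ip"]].add(e["user"])
    return [
        {"rule": "shared_device_code_ip", "client_ip": ip, "users": sorted(users)}
        for ip, users in users_by_ip.items()
        if len(users) >= min_users
    ]


def triage(events):
    """Run both rules and return the combined list of findings."""
    baseline = baseline_ips(events)
    return flag_unfamiliar_device_code(events, baseline) + flag_shared_polling_ip(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample, Alice's device-code login from her usual address produces no finding, while Bob's and Carol's device-code sessions are flagged twice: once each as an unfamiliar polling IP, and together because 192.0.2.44 authorized both accounts. In production the baseline should be built from a longer window than the events under review, and the durable mitigation is to restrict the device code grant to the few clients that genuinely need it rather than to rely on after-the-fact review.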
Amazon’s proactive disruption of this campaign is a testament to the importance of real-time threat intelligence and cross-industry collaboration. The company’s quick response not only contained the damage but also provided valuable insights into the adversary’s tactics, techniques, and procedures. This information, shared with other industry partners and law enforcement, will be critical in strengthening global defenses against similar attacks. The incident serves as a stark reminder that even well-defended platforms are not immune to highly motivated and resourceful state-sponsored actors.