Attackers used fake AWS domains in phishing campaign
AWS has apparently taken numerous fake AWS domains offline that were intended to lure Ukrainian victims to malware download sites.
Security researchers from the AWS Security Team have stopped a phishing campaign in which thousands of fake AWS domains were used. Amazon has shut down domains en masse since the campaign was discovered. The AWS security researchers and the Computer Emergency Response Team of Ukraine, CERT-UA, are accusing the Russian cybercriminal group APT29. The attackers were attempting to capture login data from Ukrainian-speaking targets using the fake AWS domains.
Ukrainian targets in their sights
The fake AWS URLs were apparently used as bait. After clicking such a link, victims landed on a malware download page that installs a so-called RDP Trojan, which steals login credentials from Windows systems.
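The lure described above works because a domain that merely contains "aws" or "amazon" reads as legitimate to a hurried user. A defender-side triage script can surface such lookalikes in proxy or mail logs before users click. The following is an added example, not code from the article, from AWS or from CERT-UA; the allow-list of AWS-owned suffixes, the log format and the log lines are assumptions constructed for the demonstration, and the indicators in it are not the real campaign's domains.

```python
"""Flag URLs whose host imitates AWS but is not under an AWS-owned domain.

Added example, not from the article or from AWS/CERT-UA. The suffix
allow-list and the sample log lines are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed allow-list: hosts under these suffixes are treated as genuine AWS.
# A strict suffix match is used so "notamazonaws.com" does not pass.
LEGIT_SUFFIXES = ("amazonaws.com", "amazon.com")

# Brand strings whose presence in a non-allow-listed host warrants review.
BRAND_TOKENS = ("aws", "amazon")

URL_RE = re.compile(r"https?://\S+")

# Constructed proxy log lines (timestamp, user, method, URL, status).
LOG_LINES = [
    "2024-10-21T08:01:02Z user1 GET https://signin.aws.amazon.com/console 200",
    "2024-10-21T08:02:10Z user2 GET https://s3.eu-central-1.amazonaws.com/bucket/f 200",
    "2024-10-21T08:03:44Z user3 GET https://aws-secure-login.example/auth 302",
    "2024-10-21T08:04:05Z user4 GET https://amazonaws.com.evil.example/signin 200",
    "2024-10-21T08:05:30Z user5 GET https://notamazonaws.com/x 200",
    "2024-10-21T08:06:11Z user6 GET https://news.example/story 200",
]


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL (no port, no trailing dot)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    """True only if host equals an allow-listed suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def classify_url(url: str) -> str:
    """Classify a URL as 'legit', 'lookalike' or 'unrelated'.

    'lookalike' means the host carries an AWS brand token but is not under
    an allow-listed AWS domain, including subdomain tricks such as
    amazonaws.com.evil.example.
    """
    host = host_of(url)
    if not host:
        return "unrelated"
    if is_legit_host(host):
        return "legit"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def flag_lookalikes(log_lines) -> list:
    """Return (host, line) pairs for every log line pointing at a lookalike host."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            if classify_url(url) == "lookalike":
                hits.append((host_of(url), line))
    return hits


if __name__ == "__main__":
    for host, line in flag_lookalikes(LOG_LINES):
        print(f"REVIEW {host}: {line}")
```

The substring check on brand tokens is deliberately loose (a host such as `laws.example` would also be flagged), which is appropriate for triage that a human reviews; the strict suffix match is the part that must not be loosened, since an `endswith("amazonaws.com")` without the leading dot would wave through `notamazonaws.com`.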
Amazon's Chief Information Security Officer CJ Moses wrote in a post on LinkedIn that Amazon itself was not targeted by the attackers. The attacks were also not aimed at the login data of AWS customers. Instead, the attackers went after targets with connections to government agencies, businesses and the Ukrainian military. According to the AWS CISO, the group's approach in this case is not in line with its usual behavior: APT29 usually took a narrower approach – this time the phishing emails were sent to many targets.
The Ukrainian CERT has published an advisory with further details on the case. Cybercrime plays a role on both sides in Russia's war against Ukraine. In June, for example, the Ukrainian authorities arrested people they suspected of cybercrime who were allegedly acting on behalf of Russian clients. And according to a report by the Russian news agency Ria Novosti, Russia is apparently aiming to create a cyber security authority.
(kst)