
#apt29

Latest posts tagged with #apt29 on Bluesky

Posts tagged #apt29

The Internet Was Weeks Away From Disaster and No One Knew (YouTube video by Veritasium)

🚨 The #Internet was weeks away from collapsing completely through a #Linux #Fedora backdoor.
#APT29 #hacking
The software runs servers, banks, mobile phones & government IT. #OpenSource

It was discovered by chance by a German programmer, #AndresFreund ( #postgresql) from #Microsoft.
youtu.be/aoag03mSuXQ?...

The APTs That Defined 2025 How State-Aligned Threat Actors Shaped the Global Cyber Battlefield

The APTs That Defined 2025 open.substack.com/pub/malwhere...

#APT #China #Russia #DPRK #Iran #ThreatIntel #CyberSecurity #SaltTyphoon #FlaxTyphoon #MustangPanda #APT17 #APT28 #APT29 #Sandworm #LazarusGroup #Kimsuky #APT42

Catching APT29’s Favorite Evasion Trick: Detecting DLL Sideloading with Sigma (T1574.002) A multi-tiered detection strategy to uncover one of the stealthiest persistence techniques used by nation-state threat actors.

I just published Catching APT29’s Favorite Evasion Trick: Detecting DLL Sideloading with Sigma (T1574.002) devsecopsai.today/catching-apt...

#Cybersecurity #CISO #APT29 #Sigma #Evasion #Published #Detection #Threat #Medium #Blog #Bluesky #bsky #Analysis

How I Built a Sigma Detection Rule to Catch APT29’s Encoded PowerShell Attacks A deep dive into threat hunting methodology, detection engineering, and building effective defenses against nation-state adversaries

I just published How I Built a Sigma Detection Rule to Catch APT29’s Encoded PowerShell Attacks systemweakness.com/how-i-built-...

#Apt29 #Cybersecurity #ThreatHunting #Threat #Hunting #SIGMA #Sysmon #Medium #Blog #Bluesky #CISO #CTO

Cyber warfare groups: APT29 (Cozy Bear) - PID Perspectives APT29 is a cyber unit that operates behind the world’s most powerful governments. Their intrusions rarely make headlines because, unlike other groups, they

They're called "cozy" because they're in no hurry: once they enter a system, they stay there for months undetected, gathering intel from sensitive targets. This is how Russia spies on the West.

#APT29 #cozyBear #espionage #Russia #cyberwarfare

SEC Drops SolarWinds Case After Years of High-Stakes Cybersecurity Scrutiny The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, alleging that the company had misled investors about the security practices that led to the 2020 supply chain attack. In a joint motion filed November 20, 2025, the SEC, along with SolarWinds and its CISO Timothy G. Brown, asked the court to voluntarily

iT4iNT SERVER SEC Drops SolarWinds Case After Years of High-Stakes Cybersecurity Scrutiny VDS VPS Cloud #Cybersecurity #SolarWinds #SEC #SupplyChainAttack #APT29

Russian APTs: OAuth Abuse, RDP Phish, and Takedowns Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest…

APT29 shopped the OAuth device-code aisle and served .RDP phish 🎣 Amazon/Microsoft/Cloudflare cut the power—temporarily. Upgrade MFA 🔒 choke consent, fence RDP.

Curious? Tap in now and subscribe for the next move.

blog.alphahunt.io/russian-apts...

#AlphaHunt #CyberSecurity #APT29 #InfoSec

Russian APTs: OAuth Abuse, RDP Phish, and Takedowns Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest…

OAuth is the new skeleton key: Russian APTs consent-grab, RDP-phish, and shrug off takedowns. 🔐🇷🇺 Get the playbook—and a risk edge—before they log in as you.

Read more + subscribe -> blog.alphahunt.io/russian-apts...

#AlphaHunt #CyberSecurity #APT29 #OAuth

Russian APTs: OAuth Abuse, RDP Phish, and Takedowns Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest…

Russian APTs moved from love letters to .rdp lures and device-code OAuth theft—then Amazon/Microsoft/Cloudflare pulled the plug. 🔌🛡️ Log tells + quick wins inside: blog.alphahunt.io/russian-apts...

#AlphaHunt #CyberSecurity #APT29 #OAuth

“Approve to own yourself.” APT29 hijacked device-code OAuth and booby-trapped .rdp—until Amazon/Microsoft/Cloudflare yanked the cord. Kill legacy auth, go FIDO2, govern consent. Read more 👀

#AlphaHunt #CyberSecurity #APT29

Russian APTs: OAuth Abuse, RDP Phish, and Takedowns Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest…

Russian APTs didn’t “hack” in—OAuth held the door while a “helpful” .rdp arrived. Then Amazon/Microsoft/Cloudflare played whack‑a‑mole with takedowns. 🔐⚡

Get the playbook—subscribe: -> blog.alphahunt.io/russian-apts...

#AlphaHunt #CyberSecurity #APT29 #InfoSec

Russian APTs: OAuth Abuse, RDP Phish, and Takedowns Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest…

Cozy Bear’s new trick: fake device-code popups. The clouds tag-teamed the takedown. Watch for app-consent spikes + weird device-code grants, then kill legacy auth. Breakdown 🔐🧹

#AlphaHunt #CyberSecurity #APT29 #CloudSecurity


Cozy Bear moved from “.rdp phish” to “fake device-code popups.” The clouds finally played defense together. Check device-code grants + app consents—then kill legacy auth. 🔐🧹
👇 blog.alphahunt.io/russian-apts...

Read & subscribe for detections. #AlphaHunt #CyberSecurity #APT29

Original post on securityweek.com

Amazon Disrupts Russian Hacking Campaign Targeting Microsoft Users The Midnight Blizzard cyberspies used compromised websites to trick users into authorizing devices they controlled. The post Amazo...

#Cloud #Security #Identity #& #Access #APT29 #Cozy #Bear […]

Amazon disrupts watering hole campaign by Russia’s APT29 aka Cozy Bear

aws.amazon.com/blogs/securi...

#CyberSecurity #NationState #Putin #APT29 #CozyBear

Amazon Disrupts Russian APT29 Watering Hole Targeting Microsoft Authentication Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

Amazon has disrupted a Russian #APT29 watering hole campaign that used compromised websites to target Microsoft’s device code authentication.

Read: hackread.com/amazon-disru...

#CyberSecurity #CyberAttack #Russia #Amazon #Microsoft

Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication Ukrainian companies read more about Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication

Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication reconbee.com/amazon-disru...

#Amazon #APT29 #wateringholecampaign #microsoft #authentication #cyberattack


Amazon halts APT29 watering-hole campaign: obfuscated redirects imitate Microsoft verification, domain blocking with Cloudflare and Microsoft.

#Amazon #apt29 #Microsoft #wateringhole
www.matricedigitale.it/2025/08/31/a...


⚠️ APT29’s watering hole trick uncovered

#Amazon disrupted a watering‑hole campaign by Russia’s #APT29, who hijacked legitimate websites to redirect 10% of visitors into a malicious #Microsoft device‑code auth flow, tricking them into granting unauthorized access.

#ransomNews #APT29 #AuthPhishing

Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication Amazon disrupted APT29’s June 2025 campaign exploiting Microsoft device code authentication, redirecting 10% of visitors to malicious domains.

Russia’s #APT29 hacked legit websites—secretly redirecting ~10% of visitors into fake “Cloudflare” pages to hijack Microsoft accounts.

Amazon flagged and disrupted the campaign, but the group quickly spun up new domains. #CyberSecurity thehackernews.com/2025/08/amaz...


Amazon disrupts APT29's latest cyber espionage campaign exploiting Microsoft's device code authentication. Stay vigilant against evolving threats. #CyberSecurity #APT29 #Phishing #AmazonSecurity Link: thedailytechfeed.com/amazon-thwar...

Russian Threat Actors Circumvent Gmail Security with App Password Theft

As part of Google's Threat Intelligence Group (GTIG), security researchers discovered a highly sophisticated cyber-espionage campaign orchestrated by Russian threat actors. They succeeded in circumventing Google's multi-factor authentication (MFA) protections for Gmail accounts.

A group of researchers found that the attackers used highly targeted and convincing social engineering tactics by impersonating Department of State officials in order to establish trust with their victims. As soon as a rapport had been built, the perpetrators manipulated their victims into creating app-specific passwords.

These passwords are unique 16-character codes created by Google which enable access to certain applications and devices when two-factor authentication is enabled. Because these app passwords bypass conventional two-factor authentication, the attackers were able to gain persistent access to sensitive emails in Gmail accounts undetected.

It is clear from this operation that state-sponsored cyber actors are becoming increasingly inventive, and there is also a persistent risk posed by seemingly secure mechanisms for recovering and accessing accounts. According to Google, this activity was carried out by a threat cluster designated UNC6293, which is closely related to the Russian hacking group known as APT29. It is believed that UNC6293 has been closely linked to APT29, a state-sponsored hacker collective.

APT29 has garnered attention as one of the most sophisticated Advanced Persistent Threat (APT) groups sponsored by the Russian government, and according to intelligence analysts, the group is an extension of the Russian Foreign Intelligence Service (SVR).

It is important to note that over the past decade this clandestine collective has orchestrated a number of high-profile cyber-espionage campaigns targeting strategic entities such as the U.S. government, NATO member organizations, and prominent research institutes all over the world, including a wide range of academic institutions.

APT29's operators have a reputation for carrying out prolonged infiltration operations that can remain undetected for extended periods of time, characterised by their focus on stealth and persistence. Their tradecraft is consistently based on refined social engineering techniques that enable them to blend into legitimate communications and exploit the trust of their intended targets.

By crafting highly convincing narratives and gradually manipulating individuals into compromising security controls in a step-by-step manner, APT29 has demonstrated that it has the ability to bypass even highly sophisticated technical defence systems. This combination of patience, technical expertise, and psychological manipulation has earned the group a reputation as one of the most formidable cyber-espionage threats associated with Russian state interests.

A multitude of names are used for this prolific group in the cybersecurity community, including BlueBravo, Cloaked Ursa, Cosy Bear, CozyLarch, ICECAP, Midnight Blizzard, and The Dukes. In contrast to conventional phishing campaigns, which rely on a sense of urgency or intimidation designed to elicit a quick response, this campaign unfolded in a methodical manner over several weeks.

The attackers took a deliberate approach, slowly creating a sense of trust and familiarity with their intended targets. To make their deception more convincing, they distributed phishing emails crafted to appear as official meeting invitations.

Often, these messages were carefully constructed to appear authentic and often included at least four fabricated email addresses on the "@state.gov" domain in the CC field. The aim of this tactic was to create a sense of legitimacy around the communication and reduce the likelihood that the recipients would scrutinise it, which in turn increased the chances of the communication being exploited effectively. It has been confirmed that the British writer Keir Giles, a senior consulting fellow at Chatham House, a renowned global affairs think tank, was a victim of this sophisticated campaign.

A report indicates that Giles was involved in a lengthy email correspondence with a person who claimed to be Claudia S Weber, representing the U.S. Department of State. More than ten carefully crafted messages were sent over several weeks, deliberately timed to coincide with Washington's standard business hours. Over time, the attacker gradually gained credibility and trust.

It is worth noting that the emails were sent from legitimate addresses, which were configured so that no delivery errors would occur, which further strengthened the ruse. When this trust was firmly established, the adversary escalated the scheme by sending a six-page PDF document with a cover letter resembling an official State Department letterhead, so that it appeared to be an official State Department document.

Following the instructions provided in the document, the target was told to access Google's account settings page, to create a 16-character app-specific password labelled "ms.state.gov", and to return the code via email under the guise of completing secure onboarding. As a result of the app password, the threat actors ended up gaining sustained access to the victim's Gmail account, bypassing multi-factor authentication altogether and accessing the account regularly.

As the Citizen Lab experts were reviewing the emails and PDF at Giles' request, they noted that the emails and PDF were free from the subtle language inconsistencies and grammatical errors that are often associated with fraudulent communications. In fact, based on the precision of the language, researchers have suspected that advanced generative AI tools were deployed to craft polished, credible content for the purpose of evading scrutiny and enhancing the overall effectiveness of the deception.

There was a well-planned, incremental strategy behind the attack campaign that was specifically geared towards increasing the likelihood that the targets would cooperate willingly. As one documented instance illustrates, the threat actor tried to entice a leading academic expert to participate in a private online discussion under the pretext of joining a secure State Department forum. In order to enable guest access to Google's platform, the victim was instructed to create an app-specific password using Google's account settings. The attacker then used this credential to gain access to the victim's Gmail account, circumventing all of the multi-factor authentication measures in place.

According to security researchers, the phishing outreach was carefully crafted to look like a routine, legitimate onboarding process, thus making it more convincing. In addition to the widespread trust that many Americans place in official communications issued by U.S. government institutions, the attackers exploited the general lack of awareness of the dangers of app-specific passwords.

A narrative of official protocol, woven together with professional-sounding language, was a powerful way of making the perpetrators more credible and decreasing the possibility of the target questioning the authenticity of their request. According to cybersecurity experts, individuals who are at higher risk from this campaign - journalists, policymakers, academics, and researchers - should enrol in Google's Advanced Protection Program (APP).

A major component of this initiative is the restriction of access to only verified applications and devices, which offers enhanced safeguards. The experts also advise organisations that, whenever possible, they should disable the use of app-specific passwords and set up robust internal policies that require any unusual or sensitive requests to be verified, especially those originating from reputable institutions or government entities.

The intensification of training for personnel most vulnerable to these prolonged social engineering attacks, coupled with the implementation of clear, secure channels for communication between the organisation and its staff, would help prevent the occurrence of similar breaches in the future. This incident serves as a reminder that even mature security ecosystems remain vulnerable to a determined adversary combining psychological manipulation with technical subterfuge.

With threat actors continually refining their methods, organisations and individuals must recognise that robust cybersecurity is much more than merely a set of tools or policies. In order to combat cyberattacks as effectively as possible, it is essential to cultivate a culture of vigilance, scepticism, and continuous education.

In particular, professionals who routinely take part in sensitive research, diplomatic relations, or public relations should assume they are high-value targets and adopt a proactive defence posture. Consequently, any unsolicited instructions must be verified by a separate, trusted channel, hardware security keys should be used to supplement authentication, and account settings should be reviewed regularly for unauthorised changes. For their part, institutions should ensure that security protocols are as accessible and clearly communicated as they are technically sound, by investing in advanced threat intelligence and simulating sophisticated phishing scenarios.

Fundamentally, resilience against state-sponsored cyber-espionage is determined by the ability to plan in advance not only for how adversaries are going to deploy their tactics, but also for the trust they will exploit in order to reach their goals.

Russian Threat Actors Circumvent Gmail Security with App Password Theft #APT29 #CyberCrime #Cybersecurity

Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign Russian hackers used Gmail app passwords and fake State Dept. emails to access inboxes of academics.

Russian APT29 hackers hijacked Gmail accounts using app passwords—bypassing 2FA with social engineering.

They posed as the U.S. State Dept to steal access from academics and critics. #APT29 #CyberAlerts thehackernews.com/2025/06/russ...


Russian attacks on Google and Apple app-specific passwords: advanced phishing, risks for journalists and activists, technical countermeasures.

#apple #apt29 #autenticazione #Google #phishing #Russia #SocialEngineering
www.matricedigitale.it/2025/06/19/a...

8/ Who targeted @keirgiles.bsky.social ? Enter the Google Threat Intelligence Group w/analysis & attribution!

Great!

Our bad actors are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor.

Google adds bonus additional low confidence association to #APT29 (that would be the #SVR).

Nice people.
