Particle.news

Amazon Disrupts APT29 Watering-Hole That Abused Microsoft Device Code Authentication

The SVR-linked group injected obfuscated code into legitimate sites to quietly reroute some visitors to pages mimicking Cloudflare verification.

Overview

  • Amazon says it isolated affected EC2 instances and worked with Cloudflare and Microsoft to cut off attacker-controlled domains.
  • Roughly 10% of visitors to compromised websites were redirected, a low rate that helped the operators avoid easy detection.
  • The malicious JavaScript used obfuscation and base64 encoding, with cookies set to prevent repeated redirects for the same user.
  • Attacker infrastructure included domains such as findcloudflare[.]com and cloudflare[.]redirectpartners[.]com that imitated verification pages.
  • Amazon reported no compromise of AWS systems or services, and its analysts assess that APT29 is scaling its operations to reach beyond its traditional government targets.
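A defender-side triage heuristic for scripts pulled from a site suspected of carrying an injection of the kind these bullets describe (base64-decoded payload, fractional random gate, suppression cookie, redirect to a look-alike "cloudflare" host). This is an added example, not code from Amazon, Particle.news or the incident; the indicator regexes, the three-hit threshold, and the sample scripts and decoy host are this editor's constructions.

```python
import base64
import re
from urllib.parse import urlparse

# Textual indicators drawn from the reported behaviour: a base64-decoded payload, a random
# gate so only a fraction of visitors is redirected, a suppression cookie, and a redirect.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "random_gate": re.compile(r"Math\.random\s*\(\s*\)\s*[<>]=?\s*0?\.\d+"),
    "cookie_set": re.compile(r"document\.cookie\s*="),
    "redirect": re.compile(r"location(?:\.href)?\s*=|location\.(?:assign|replace)\s*\("),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
URL = re.compile(r"""https?://[^\s'"<>]+""")

def decode_base64_literals(script):
    """Decode long base64 string literals so URLs hidden in them can be inspected."""
    out = []
    for m in B64_LITERAL.finditer(script):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 text after all; ignore it
    return out

def lookalike_hosts(text):
    """Hosts containing 'cloudflare' that are neither cloudflare.com nor a subdomain of it."""
    hosts = []
    for m in URL.finditer(text):
        host = (urlparse(m.group(0)).hostname or "").lower()
        if "cloudflare" in host and host != "cloudflare.com" and not host.endswith(".cloudflare.com"):
            hosts.append(host)
    return hosts

def score_script(script):
    """Return the indicator names matched by a script plus its decoded literals."""
    text = script + "\n" + "\n".join(decode_base64_literals(script))
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if lookalike_hosts(text):
        hits.append("cloudflare_lookalike_host")
    return hits

def is_suspicious(script, min_hits=3):
    """Flag a script that combines at least min_hits of the indicators above."""
    return len(score_script(script)) >= min_hits

# Constructed samples, not recovered from the incident; the decoy host is a placeholder.
PAYLOAD = base64.b64encode(b"https://cloudflare-verify.example.invalid/").decode()
INJECTED = ('if(!document.cookie.includes("seen")&&Math.random()<0.1){'
            'document.cookie="seen=1";location.href=atob("%s");}' % PAYLOAD)
BENIGN = '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'
```

The host check deliberately ignores the brand string alone and compares the parsed hostname against the legitimate apex and its subdomains, so both look-alike patterns named above (brand as a prefix, brand as a subdomain of another registrable domain) are caught while real Cloudflare assets are not.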