A hacker group associated with a Russian intelligence agency has been targeting Ukrainian state and military services, as well as industrial enterprises, in a new espionage campaign, researchers have found.

The goal of the latest attacks, attributed to APT29 hackers, was likely to steal credentials from its victims, according to a report published Thursday by Amazon Web Services (AWS).

APT29, also known as Cozy Bear, BlueBravo and Midnight Blizzard, is allegedly housed within Russia’s Foreign Intelligence Service (SVR). The group has been implicated in several of the most significant cyberattacks of the last decade — including the 2020 SolarWinds breach and the 2016 attack on the Democratic National Committee.

In the latest campaign, first detected by Ukraine’s computer emergency response team (CERT-UA), the threat actor used malicious emails disguised to appear as if they were sent from Amazon or Microsoft to compromise targeted devices.

Researchers said the attacks could allow hackers to access victims’ disks, network resources, printers, audio devices, clipboard and other local resources. The group could also use this access to launch third-party programs or scripts on victims' computers, CERT-UA reported.

Ukraine has not officially attributed this campaign to APT29 but said the attacks have “a wide geographical scope.” CERT-UA noted that the threat actor has likely been preparing infrastructure for this campaign since at least August.

AWS said it based its attribution of the attacks to Russian hackers on CERT-UA’s recent findings. According to the company, some domain names used by the hackers were designed to trick targets into believing they were legitimate AWS domains.

“But Amazon wasn’t the target, nor was the group after AWS customer credentials,” the researchers explained, adding that APT29 sought to obtain Windows credentials from victims through Microsoft Remote Desktop.

APT29 employed different tactics than usual, according to AWS: The hackers sent phishing emails to far more targets than their “typical, narrowly focused approach.”

“Upon learning of this activity, we immediately began the process of seizing the domains APT29 was abusing, which impersonated AWS, to disrupt the operation,” AWS said.

As with many Russian espionage campaigns targeting Ukraine, the full impact remains difficult to assess. It is unclear whether the hackers obtained any valuable data or how they might use it if they did.

On Friday, Ukraine warned of another cyberattack targeting its enterprises, attributed — “with an average level of confidence” — to the Russian state-sponsored hacker group APT28, also known as Fancy Bear.

In this campaign, the hackers attempted to compromise local government agencies using Google’s reCAPTCHA service, which helps websites distinguish between human users and automated bots. 

The goal of the attacks was to steal authentication credentials and other sensitive data from Chrome, Edge and Opera browsers and install Metasploit software on victims' devices, CERT-UA said.

Metasploit is an open-source penetration testing framework used by security professionals and ethical hackers to identify, test and validate vulnerabilities. However, it can be abused by hackers to exploit known flaws in victims’ systems, harvest credentials, elevate privileges and maintain access to the network.