Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

=============================================================================================================================================================
[Suspected Earth Koshchei infrastructure hosting the actual rogue RDP servers (low confidence)]
=============================================================================================================================================================

Hostname            IP address        Not before    Not after
DC.SUN.LOCAL        185.243.114.9     26/09/2024    28/03/2024
DC.CHAIN.LOCAL      5.187.49.186      29/09/2024    31/03/2025
DC.FINISH.LOCAL     103.144.139.254   29/09/2024    31/03/2025
DC.FIRE.LOCAL       185.177.126.225   29/09/2024    31/03/2025
DC.GEAR.LOCAL       185.100.234.105   29/09/2024    31/03/2025
DC.GEO.LOCAL        45.137.21.10      29/09/2024    31/03/2025
DC.HERO.LOCAL       185.243.112.24    29/09/2024    31/03/2025
DC.KATANA.LOCAL     185.243.115.124   29/09/2024    31/03/2025
DC.KEY.LOCAL        45.86.162.170     29/09/2024    31/03/2025
DC.LAND.LOCAL       46.30.189.91      29/09/2024    31/03/2025
DC.LIMBO.LOCAL      175.110.112.221   29/09/2024    31/03/2025
DC.MARBLE.LOCAL     92.204.164.50     29/09/2024    31/03/2025
DC.MAY.LOCAL        103.144.139.73    29/09/2024    31/03/2025
DC.MAY.LOCAL        103.144.139.74    29/09/2024    31/03/2025
DC.OCEAN.LOCAL      185.172.39.220    29/09/2024    31/03/2025
DC.OFFICE.LOCAL     5.183.95.158      29/09/2024    31/03/2025
DC.SAINT.LOCAL      175.110.114.9     29/09/2024    31/03/2025
DC.TIGER.LOCAL      46.30.189.62      29/09/2024    31/03/2025
DC.VIPER.LOCAL      195.3.220.48      29/09/2024    31/03/2025
DC.AIR.LOCAL        46.30.188.187     08/10/2024    09/04/2025
DC.BACON.LOCAL      178.255.43.30     08/10/2024    09/04/2025
DC.BLACK.LOCAL      104.161.58.10     08/10/2024    09/04/2025
DC.GREEN.LOCAL      5.183.95.240      08/10/2024    09/04/2025
DC.HALLWAY.LOCAL    37.28.153.214     08/10/2024    09/04/2025
DC.COLA.LOCAL       45.82.66.39       09/10/2024    10/04/2025
DC.FINISH.LOCAL     103.144.139.253   09/10/2024    10/04/2025
DC.PANDA.LOCAL      193.29.56.221     09/10/2024    10/04/2025
DC.HDHP.LOCAL       162.216.243.210   11/10/2024    12/04/2025
DC.EAGLE.LOCAL      141.195.117.126   17/10/2024    18/04/2025
DC.EAGLE.LOCAL      141.195.117.127   17/10/2024    18/04/2025
DC.EAGLE.LOCAL      141.195.117.128   17/10/2024    18/04/2025
DC.EAGLE.LOCAL      141.195.117.129   17/10/2024    18/04/2025
DC.KIWI.LOCAL       172.86.73.187     17/10/2024    18/04/2025
DC.MAIN.LOCAL       155.138.238.169   17/10/2024    18/04/2025
DC.TRACK.LOCAL      37.28.157.246     17/10/2024    18/04/2025
DC.BOB.LOCAL        185.187.155.69    18/10/2024    19/04/2025
DC.STAR.LOCAL       66.206.13.130     19/10/2024    20/04/2025
DC.HAMMER.LOCAL     185.172.39.230    20/10/2024    21/04/2025
DC.SONIC.LOCAL      45.137.21.11      20/10/2024    21/04/2025

=============================================================================================================================================================
[Earth Koshchei domain names (medium confidence). Likely acting as an RDP relay to backend RDP servers controlled by Earth Koshchei.]
=============================================================================================================================================================

Domain                        IP address
gov-au.cloud                  45.11.230.105
ua-mil.cloud                  23.160.56.100
mil-ee.cloud                  45.141.58.60
defence-au.cloud              38.180.199.28
gov-aws.cloud                 45.134.110.83
gov-fi.cloud                  89.35.131.153
gov-gr.cloud                  185.76.79.244
gov-lt.cloud                  95.217.113.133
kam-lt.cloud                  185.187.155.74
mae-ro.cloud                  185.76.79.60
mfa-gov-tr.cloud              141.195.117.125
aws-ukraine.cloud             84.32.188.193
gov-ua.cloud                  38.180.146.210
govtr.cloud                   185.76.79.118
govua.cloud                   2.58.201.112
mfa-gov.cloud                 185.76.79.178
s3-army.cloud                 38.180.146.193
saiccloud.us                  142.91.38.80
ukrtelecom.cloud              84.32.188.197
us-army.cloud                 166.0.187.231
us-mil.cloud                  89.46.234.115
awsplatform.online            179.43.148.82
go-jp.cloud                   178.239.171.41
ua-gov.cloud                  45.80.193.9
gv-at.cloud                   179.43.180.74
s3-be.cloud                   45.67.85.40
ukrainesec.cloud              5.133.9.252
amazonsolutions.cloud         81.17.31.106
defense-gouv.cloud            38.180.90.36
europa-eu.cloud               172.86.70.64
gouv-fr.cloud                 185.76.79.130
mapn-ro.cloud                 166.0.187.242
mde-es.cloud                  151.236.16.149
mil-be.cloud                  84.32.188.153
mvep-hr.cloud                 185.187.155.81
s3-dk.cloud                   166.0.187.235
ua-sec.cloud                  45.134.111.123
dep-no.cloud                  212.1.213.198
difesa-it.cloud               151.236.16.220
gov-pl.cloud                  23.160.56.122
morh-hr.cloud                 166.0.187.243
msz-pl.cloud                  62.72.7.213
quirinale.cloud               151.236.16.226
mil-pl.cloud                  93.188.163.16
mzv-cz.cloud                  2.58.203.61
s3-nato.cloud                 95.156.207.121
gov-sk.cloud                  185.216.72.196
mzv-sk.cloud                  185.76.79.62
regeringskansliet-se.cloud    162.252.172.167
s3-de.cloud                   166.0.187.233
ua-energy.cloud               84.32.188.148
zixcorp.cloud                 158.255.213.49
bund-de.cloud                 38.180.146.230
mindef-nl.cloud               80.87.206.241
presidencia-pt.cloud          158.255.213.227
symbolsecurity.cloud          38.180.230.79
trustifi.cloud                37.1.196.172
s3-ua.cloud                   84.32.188.200
skykick.solutions             109.205.214.50
softcat.cloud                 190.211.254.32
swcloud.us                    109.205.214.45
veeam.solutions               146.71.81.13
shicloud.online               185.187.155.33
s3-stig.cloud                 104.225.129.128
parseccomputer.cloud          109.205.214.52
rrt.solutions                 188.214.33.222
rubrik.zone                   93.188.164.74
s3-proofpoint.cloud           45.11.230.111
polycom.solutions             23.160.56.105
pulsesecure.cloud             45.11.230.155
s3-esa.cloud                  45.11.231.9
s3-rackspace.cloud            23.227.194.189
servicenowinc.us              166.0.187.236
aeinc.solutions               82.180.139.47
capgemini.services            23.160.56.110
mod-cloud.uk                  45.11.230.60
nrcc.cloud                    38.180.83.120
s3-dnc.cloud                  151.236.16.128
s3-knowbe4.cloud              158.255.213.185
s3-pt.cloud                   45.11.231.8
sipacolumbia.us               23.108.190.249
brookings.cloud               185.76.79.140
citoc.cloud                   178.162.203.91
clari.cloud                   104.36.229.110
justice.technology            166.0.187.241
s3-aws.global                 45.41.187.233
s3-blackberry.cloud           23.160.56.115
4freerussia.cloud             162.252.172.223
democracyendowment.cloud      149.154.158.205
gmfus.cloud                   38.180.146.30
mimecast.cloud                151.236.16.236
stratfor.cloud                194.37.97.189
barracuda.solutions           151.236.16.98
caci.solutions                151.236.16.138
druva.cloud                   166.0.187.245
exclaimer.solutions           158.255.213.154
mil-pt.cloud                  162.252.175.233
oktacloud.us                  172.96.137.125
s3-atlassian.cloud            212.1.213.200
s3-monitoring.cloud           38.180.81.168
s3-us.navy                    185.187.155.72
s3-zoho.cloud                 185.76.79.233
usaid.cloud                   38.180.146.216
wrapsnet.cloud                193.200.17.162
zoommeeting.zone              2.58.200.78
albrightstonebridge.cloud     38.180.146.28
backupify.cloud               151.236.16.24
cer.zone                      151.236.16.193
crisisgroup.services          151.236.16.22
forces-gc.cloud               45.67.84.14
heritagecloud.org             162.252.172.158
s3-acronis.cloud              151.236.16.38
s3-bah.cloud                  198.50.106.140
s3-cloud.us                   166.0.187.183
s3-fbi.cloud                  2.58.201.27
s3-rand.cloud                 23.160.56.90
s3-ucia.cloud                 149.154.158.250
zero-trust.solutions          13.49.21.253
amazonmeeting.cloud           45.134.111.126
aspeninstitute.cloud          151.236.22.36
c-r.services                  38.180.88.106
ceip.cloud                    185.76.79.190
cepa.solutions                38.180.146.32
cnas.zone                     185.187.155.79
eopgov.cloud                  162.252.172.155
freedomhouse.cloud            149.154.158.85
gc-cloud.ca                   89.46.234.152
googlemeet.zone               166.0.187.199
macfound.services             185.76.79.167
microsoft-meeting.cloud       192.36.27.226
prio.zone                     185.187.155.78
admin-ch.cloud                45.11.230.144
americanprogress.cloud        23.160.56.123
csbaonline.cloud              185.76.79.86
s3-csis.cloud                 38.180.5.60
s3-dgap.cloud                 176.97.70.55
s3-ida.cloud                  166.0.187.252
s3-iri.cloud                  185.76.79.229
s3-state.cloud                185.76.79.59
ua-aws.army                   38.180.110.238
usip.us                       45.134.110.78
asucloud.us                   185.172.39.52
clearancejobs.cloud           198.50.106.141
cwinc.cloud                   149.154.158.63
europeanvalues.cloud          185.216.72.192
google-meet.cloud             185.172.39.50
microsoftmeeting.cloud        2.58.200.79
s3-hudson.cloud               158.255.213.168
s3-marcus.cloud               45.141.58.59
s3-ned.cloud                  38.180.83.103
s3-spacex.cloud               89.46.234.93
statecloud.us                 151.236.16.102
foreignpolicy.cloud           158.255.213.192
mfa-gov-il.cloud              179.43.163.18
mod-gov-il.cloud              46.19.141.186
ms-meetings.online            185.216.72.182
ncfta.cloud                   192.121.23.126
ncsc.solutions                166.0.187.237
ndu.solutions                 209.182.225.10
opensocietyfoundations.cloud  23.160.56.95
s3-aws.cloud                  38.180.137.213
s3.army                       151.236.16.245
wilsoncenter.cloud            2.58.200.80
zoommeeting.today             38.180.146.178
ecfr.cloud                    38.180.91.2
go-meet-up.com                162.252.172.59
zoom-meeting.live             185.187.155.71
aws-meet.cloud                193.29.59.9
awsmeet.cloud                 151.236.15.134
go-conference.cloud           149.28.9.18
go-meeting.online             45.134.110.82
zoom-meeting.pro              38.180.136.93
gov-lv.cloud                  135.181.130.232
aws-il.cloud                  185.216.72.185
awsmeetings.online            2.58.14.80
cfr-aws.cloud                 151.236.16.213
go-meeting.cloud              45.134.110.55
ms-conference.cloud           104.238.57.40
ms-meeting.online             162.252.172.109
zoom-meeting.cloud            151.236.22.149
zoom-meeting.today            192.36.57.107
zoom-meetings.cloud           166.0.187.240
go-meet.pro                   45.137.213.17
ms-meeting.com                185.76.79.53
msconferences.cloud           185.76.79.16
aws-data.cloud                151.236.16.101
aws-meetings.cloud            104.238.60.216
aws-join.cloud                151.236.14.116
gov-trust.cloud               185.172.39.51
s3-nsa.cloud                  149.154.158.133
ssi-gouv-fr.cloud             38.180.146.29
aws-online.cloud              185.187.155.73
minbuza.cloud                 46.249.38.131

=============================================================================================================================================================
[Rogue RDP configuration files]
=============================================================================================================================================================

SHA256                                                            Filename                                                Target country
50bed47064e4ecd01c4a9271e63af7cfdf52ea4096f205470e41eef7eb01c1e1  AWS Secure Data Exchange - Compliance Check.rdp         CZ
648afcc709ac18c4fe235d24bf51a8230e9700b97c3dcc0a739816966f2b58b6  AWS Secure Data Exchange - Compliance Check.rdp         SE
280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0  AWS IAM Configuration.rdp                               UA
f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8  AWS IAM Compliance Check.rdp                            UA
ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46  Zero Trust Security Environment Compliance Check.rdp    TR
8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5  Zero Trust Security Environment Compliance Check.rdp    EE
36e45fdeba3fdb3708fb1c2602c30cb5b66fbc5ea790f0716390d9f69c363542  AWS Secure Data Exchange Compliance.rdp                 BE
2fb1d01f9859c676ef37b060c5e8db0a12472c96260114a6edee45d8546184c9  IAM Identity Center Application Access.rdp              UA
a246253fab152deac89b895a7c1bca76498b4aa044c907559c15109c1187a448  Zero Trust Architecture Configuration.rdp               EE
1c1941b40718bf31ce190588beef9d941e217e6f64bd871f7aee921099a9d881  AWS IAM Compliance Check.rdp                            UA
f32fa0e3902a1f287280e2e6ddcbfe4fc0a47f1fa5ddb5e04a7651c51343621e  Device Security Requirements Check.rdp                  UK

=============================================================================================================================================================
[Subject lines in the spear-phishing e-mails]
=============================================================================================================================================================

AWS IAM Expansion Notification
AWS IAM Identity Center Launch
AWS Infrastructure Deployment
AWS SDE - Secure Data Exchange
AWS SDE Launch Notification
AWS SDE: The Next Gen Platform for Secure Exchange
Amazon & [REDACTED COUNTRY TLD] MoD
Amazon's Next Step in Internet Data Exchange (ZTS)
Cloud Infrastructure Extension Plan Update
Compliance Check Required for New ZTS Platform
Cyber Security Partnership Notification
DMARC Violation Compliance Check Required for New Platform
DMARC Violation IAM Identity Center: Unified Access
DMARC Violation Microsoft & Amazon Security Partnership
Data Protection Enhanced with Zero Trust Architecture
IAM Identity Center Update
IAM Identity Center: Unified Access
Microsoft & Amazon Cloud Extension Update
Microsoft & Amazon Security Partnership
New AWS Platform Features
New Platform – AWS Secure Data Exchange
New Zero Trust Model Implementation on AWS
Next Gen Secure Platform Launch
Secure Data Exchange Update
Secure and Compliant Access to All Resources Ahead
Transparent Data Access via AWS Secure Data Exchange
UA support
ZTS Compliance Check Required
ZTS Future of Data Exchange Ahead
ZTS Implementation by Amazon & Microsoft
Zero Trust Model Implementation
Zero Trust Solution Testing in Progress
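The hashes, relay domains and IPs above are most useful when they can be run against quarantined .rdp attachments automatically. The following triage script is an added example written for this page; it is not tooling from the original report. It embeds a small subset of the domain, IP and SHA256 tables (copied from the lists above, trimmed to keep the script short), parses the standard Microsoft `key:type:value` .rdp format (the `full address` / `alternate full address` keys and the UTF-16LE-with-BOM encoding that mstsc.exe writes are documented client behaviour), and flags a file when either its hash or its target host matches. The two .rdp samples at the bottom are constructed for the demonstration and are not real attachments.

```python
"""Triage .rdp attachments against the Earth Koshchei IOC tables (added example)."""
import hashlib

# Subset of the IOC tables above, embedded so the script runs offline.
# Extend these sets with the full lists when deploying.
KNOWN_RELAY_DOMAINS = {
    "gov-au.cloud", "ua-mil.cloud", "s3-aws.cloud", "zoom-meeting.cloud",
    "aws-meet.cloud", "microsoft-meeting.cloud",
}
KNOWN_RELAY_IPS = {"45.11.230.105", "23.160.56.100", "38.180.137.213"}
KNOWN_RDP_SHA256 = {
    "50bed47064e4ecd01c4a9271e63af7cfdf52ea4096f205470e41eef7eb01c1e1",
    "280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0",
}


def decode_rdp(data: bytes) -> str:
    # mstsc.exe saves .rdp files as UTF-16LE with a BOM; hand-written
    # ones are usually plain ASCII/UTF-8. Handle both.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def parse_rdp(text: str) -> dict:
    # Each line is "key:type:value", type being s (string), i (int) or b (binary).
    # The value itself may contain ':' (host:port), so split at most twice.
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def target_host(settings: dict) -> str:
    # 'full address' is the primary target; mstsc falls back to
    # 'alternate full address' when present.
    addr = settings.get("full address") or settings.get("alternate full address") or ""
    host = addr.strip().lower()
    if host.startswith("["):                  # [ipv6]:port
        host = host[1:host.find("]")] if "]" in host else host[1:]
    elif host.count(":") == 1:                # host:port or ipv4:port
        host = host.split(":", 1)[0]
    return host


def host_is_known(host: str) -> bool:
    if host in KNOWN_RELAY_IPS or host in KNOWN_RELAY_DOMAINS:
        return True
    # A subdomain of a listed relay domain (e.g. login.gov-au.cloud) still counts.
    return any(host.endswith("." + d) for d in KNOWN_RELAY_DOMAINS)


def triage(data: bytes) -> dict:
    """Return the file hash, the RDP target, and the IOC matches for one .rdp file."""
    digest = hashlib.sha256(data).hexdigest()
    host = target_host(parse_rdp(decode_rdp(data)))
    reasons = []
    if digest in KNOWN_RDP_SHA256:
        reasons.append("sha256 matches a listed rogue .rdp file")
    if host_is_known(host):
        reasons.append(f"target '{host}' is listed Earth Koshchei relay infrastructure")
    return {"sha256": digest, "target": host, "matched": bool(reasons), "reasons": reasons}


# Constructed samples (not real attachments). SAMPLE_RDP mimics a file saved by
# mstsc.exe: UTF-16LE with BOM, CRLF line endings, pointing at a listed domain.
SAMPLE_RDP = b"\xff\xfe" + (
    "screen mode id:i:2\r\n"
    "full address:s:gov-au.cloud:3389\r\n"
    "prompt for credentials:i:1\r\n"
).encode("utf-16-le")
# A benign internal RDP file for comparison (the host is a hypothetical name).
CLEAN_RDP = b"full address:s:rds.corp.example:3389\r\nscreen mode id:i:2\r\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_RDP), ("clean", CLEAN_RDP)):
        print(name, triage(blob))
```

The hash check only catches the exact files listed, so the host check is the part that generalises: any .rdp whose `full address` resolves to one of the relay domains, or to a subdomain of one, is flagged even if the attacker re-generated the file. Feed the script the full tables from this page rather than the embedded subset, and consider also matching the `DC.*.LOCAL` certificate names from the first table against TLS subjects seen in outbound RDP connections.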