Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

pA hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targetsppRather than demand a ransom for decrypting data Twelve prefers to encrypt victims data and then destroy their infrastructure with a wiper to prevent recovery Kaspersky said in a Friday analysisppThe approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefitppThe hacking group believed to have been formed in April 2023 following the onset of the RussoUkrainian war has a track record of mounting cyber attacks that aim to cripple victim networks and disrupt business operationsppIt has also been observed conducting hackandleak operations that exfiltrate sensitive information which is then shared on its Telegram channelppKaspersky said Twelve shares infrastructural and tactical overlaps with a ransomware group called DARKSTAR aka COMET or Shadow raising the possibility that the two intrusion sets are likely related to one another or part of the same activity clusterppAt the same time whereas Twelves actions are clearly hacktivist in nature DARKSTAR sticks to the classic double extortion pattern the Russian cybersecurity vendor said This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreatsppThe attack chains start with gaining initial access by abusing valid local or domain accounts after which the Remote Desktop Protocol RDP is used to facilitate lateral movement Some of these attacks are also carried out via the victims contractorsppTo do this they gained access to the contractors infrastructure and then used its certificate to connect to its customers VPN Kaspersky noted Having obtained access to that the adversary can connect to the customers systems via the Remote Desktop Protocol RDP and then penetrate the customers infrastructureppProminent among the other tools used by Twelve are Cobalt Strike Mimikatz Chisel BloodHound PowerView adPEAS CrackMapExec Advanced IP Scanner and PsExec for credential theft discovery network mapping and privilege escalation The malicious RDP connections to the system are tunneled through ngrokppAlso deployed are PHP web shells with capabilities to execute arbitrary commands move files or send emails These programs such as the WSO web shell are readily available on GitHubppIn one incident investigated by Kaspersky the threat actors are said to have exploited known security vulnerabilities eg CVE202121972 and CVE202122005 in VMware vCenter to deliver a web shell that then was used to drop a backdoor dubbed FaceFishppTo gain a foothold in the domain infrastructure the adversary used PowerShell to add domain users and groups and to modify ACLs Access Control Lists for Active Directory objects it said To avoid detection the attackers disguised their malware and tasks under the names of existing products or servicesppSome of the names used include Update Microsoft Yandex YandexUpdate and intelexe indicating an attempt to evade detection by masquerading as programs from Intel Microsoft and YandexppThe attacks are also characterized by the use of a PowerShell script Sophoskilllocalps1 to terminate processes related to Sophos security software on the compromised hostppThe concluding stages entail using the Windows Task Scheduler to launch ransomware and wiper payloads but not before gathering and exfiltrating sensitive information about their victims via a filesharing service called DropMeFiles in the form of ZIP archivesppThe attackers used a version of the popular LockBit 30 ransomware compiled from publicly available source code to encrypt the data Kaspersky researchers said Before starting work the ransomware terminates processes that may interfere with the encryption of individual filesppThe wiper identical to the Shamoon malware rewrites the master boot record MBR on connected drives and overwrites all file contents with randomly generated bytes effectively preventing system recoveryppThe group sticks to a publicly available and familiar arsenal of malware tools which suggests it makes none of its own Kaspersky noted This makes it possible to detect and prevent Twelves attacks in due timeppKaspersky in a followup analysis published on September 25 2024 said it identified overlaps between Twelve and another hacktivist group called BlackJack which took responsibility for targeting Moscollector using Fuxnet a wiper malware described as Stuxnet on steroidsppBlackJack and Twelve groups have similar targets and use similar malware distributing and executing it using the same methods the Russian company said pointing out BlackJacks use of Shamoon and LockBit in its attacksppAt the same time they are not interested in financial gain but aim to inflict maximum damage on target organizations by encrypting deleting and stealing data and resourcesppWhile Kaspersky said its completely not sure if both these activity clusters are backed by the same actors the company theorized they are likely part of a unified cluster of hacktivist activity targeting government telecommunications and industrial companies in RussiappThe story was updated after publication to include Twelves tactical overlaps with BlackJackppProtect your organization from AI risks with expert insights on security and innovation in app developmentppDiscover effective PAS strategies to secure privileged accounts reduce attack surfaces and outpace cyber threatsppGet the latest news expert insights exclusive resources and strategies from industry leaders all for freep