A hacktivist group known as Twelve has been using publicly available tools to carry out destructive cyber attacks against Russian targets. Instead of demanding a ransom for decrypting data, Twelve encrypts victims’ data and destroys their infrastructure to prevent recovery, according to a Friday analysis by Kaspersky. The group, formed in April 2023 during the Russo-Ukrainian war, has a history of launching cyber attacks to disrupt business operations and cripple victim networks. They also conduct hack-and-leak operations by exfiltrating sensitive information and sharing it on their Telegram channel.
Kaspersky noted that Twelve shares infrastructural and tactical similarities with a ransomware group called DARKSTAR (aka COMET or Shadow), suggesting a possible connection between the two groups. While Twelve’s actions are hacktivist in nature, DARKSTAR follows a classic double extortion pattern, showcasing the diversity of modern cyber threats.
Twelve’s attack chains typically start by gaining initial access through valid local or domain accounts, followed by using Remote Desktop Protocol (RDP) for lateral movement. Some attacks are carried out through the victim’s contractors, where the group gains access to the contractor’s infrastructure and uses their certificate to connect to the victim’s VPN, allowing them to penetrate the victim’s systems.
Twelve utilizes various tools such as Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, network mapping, and privilege escalation. They also deploy PHP web shells like the WSO web shell from GitHub to execute commands and move files.
In a specific incident, Twelve exploited known vulnerabilities in VMware vCenter to deliver a web shell and drop a backdoor named FaceFish. They used PowerShell to add domain users and groups and modify ACLs for Active Directory objects to gain a foothold in the domain infrastructure.
The group also terminates processes related to Sophos security software on compromised hosts using a PowerShell script named “Sophos_kill_local.ps1.” They use the Windows Task Scheduler to launch ransomware and wiper payloads, gathering and exfiltrating sensitive information before encrypting data with LockBit 3.0 ransomware and wiping the system with a Shamoon-like wiper.
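The chain described above (new accounts and ACL changes on the domain, a PowerShell script that kills Sophos, scheduled tasks launching the payloads) can be correlated per host from standard Windows event IDs. The following detector is an added example, not code from Kaspersky or from this report; the event field names are the standard Security and PowerShell Operational log fields, the regexes and the sample events are assumptions constructed for the example.

```python
"""Added example (not from the Kaspersky report): flag hosts whose Windows
Security / PowerShell events match several stages of the chain described above."""
import json
import re
from collections import defaultdict

# (stage, event ID, field, regex). Event IDs are the standard Windows ones
# (4720 user created, 5136 AD object modified, 4104 script block, 4698 task
# created); the patterns are assumptions tuned to the behaviour in the report.
RULES = [
    ("account-added",  4720, "TargetUserName", r"."),
    ("acl-modified",   5136, "AttributeLDAPDisplayName", r"^nTSecurityDescriptor$"),
    ("av-kill-script", 4104, "ScriptBlockText", r"Sophos_kill_local\.ps1|Stop-Process.*Sophos"),
    ("task-launch",    4698, "TaskContent", r"\.exe|powershell"),
]

def classify(event):
    """Return the stage name an event matches, or None."""
    for stage, eid, field, pattern in RULES:
        if event.get("EventID") == eid and re.search(pattern, event.get(field, ""), re.I):
            return stage
    return None

def suspicious_hosts(lines, min_stages=2):
    """Return {host: sorted stages} for hosts showing >= min_stages distinct stages.
    A single hit (e.g. one scheduled task) is normal admin noise; two or more
    different stages on the same host is what warrants an analyst's attention."""
    hits = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            hits[ev["Computer"]].add(stage)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

# Constructed sample events (JSON lines, not real logs).
SAMPLE = [
    '{"EventID": 4720, "Computer": "DC01", "TargetUserName": "svc_backup2"}',
    '{"EventID": 5136, "Computer": "DC01", "AttributeLDAPDisplayName": "nTSecurityDescriptor"}',
    '{"EventID": 4104, "Computer": "FS02", "ScriptBlockText": "powershell -f C:\\\\tmp\\\\Sophos_kill_local.ps1"}',
    '{"EventID": 4698, "Computer": "FS02", "TaskContent": "<Command>C:\\\\tmp\\\\lb.exe</Command>"}',
    '{"EventID": 4698, "Computer": "WS10", "TaskContent": "<Command>C:\\\\Windows\\\\System32\\\\backup.exe</Command>"}',
    '{"EventID": 4624, "Computer": "WS10", "TargetUserName": "alice"}',
]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE))  # DC01 and FS02 are flagged, WS10 is not
```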
Because Twelve relies on publicly available malware and tooling, its activity can be detected and blocked in a timely manner with standard security controls.