Cybersecurity Activists Group Twelve Strikes Russian Organizations with Devastating Online Assaults

An activist group named Twelve has been detected using a variety of publicly accessible utilities to carry out devastating online assaults against Russian targets.


Kaspersky stated in an analysis on Friday that Twelve, instead of asking for money to decrypt data, chooses to encrypt the data of victims and then obliterate their systems using a wiper to hinder recovery.

“Their strategy reveals a desire to inflict maximum harm on target organizations without seeking direct monetary gains.”

The hacker group, suspected to have been established in April 2023 after the start of the Russo-Ukrainian conflict, has a history of launching online attacks designed to disable victim networks and disrupt business activities.

They have also been observed conducting operations that involve extracting sensitive data, which is subsequently shared on their Telegram channel.


Kaspersky mentioned that Twelve exhibits similarities in infrastructure and tactics with a ransomware group known as DARKSTAR (also identified as COMET or Shadow), suggesting a potential link between the two groups or their involvement in the same set of activities.

“While Twelve mainly engages in activist cyber activities, DARKSTAR follows the traditional double extortion model,” the Russian cybersecurity company declared. “This divergence in goals within the syndicate underscores the complexity and variety of present-day cyberthreats.”

The attack process typically begins with obtaining initial access by exploiting valid local or domain accounts, followed by using the Remote Desktop Protocol (RDP) to enable lateral movement. Some of these attacks are executed through the victim’s contractors.

“To do this, they gained access to the contractor’s infrastructure and then utilized its certificate to connect to its customer’s VPN,” Kaspersky explained. “By gaining entry through this method, the adversary can connect to the customer’s systems using the Remote Desktop Protocol (RDP) and infiltrate the customer’s infrastructure.”

Among the primary tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec, covering credential theft, discovery, network mapping, and privilege escalation. The malicious RDP connections to the system are routed through ngrok.

Additionally, they employ PHP web shells with functionalities to execute commands, move files, or dispatch emails. These utilities, like the WSO web shell, are readily accessible on GitHub.

In a particular incident examined by Kaspersky, it was reported that the threat actors exploited known vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to deploy a web shell that facilitated the introduction of a backdoor named FaceFish.

“To establish a foothold in the domain infrastructure, the attacker utilized PowerShell to add domain users and groups, and alter ACLs (Access Control Lists) for Active Directory objects,” the report mentioned. “To prevent detection, the attackers concealed their malicious software and activities under the guise of legitimate products or services.”

Some of the aliases used include “Update Microsoft,” “Yandex,” “YandexUpdate,” and “intel.exe.”

Moreover, the attacks feature a PowerShell script (“Sophos_kill_local.ps1”) that terminates processes belonging to Sophos security software on the compromised system.


The final phases involve utilizing the Windows Task Scheduler to initiate ransomware and wiper payloads, preceded by gathering and leaking sensitive data about victims using a file-sharing platform named DropMeFiles in the form of ZIP archives.
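A defender-side triage of the account creation, ACL modification and scheduled-task activity described above, added here as an example that is not part of Kaspersky's report or the original article. The event records are constructed in a simplified form rather than a real Windows export, and the field names, rules and thresholds are assumptions, not a product signature.

```python
from typing import Dict, List, Tuple

# Disguise names the report attributes to the group, matched case-insensitively.
SUSPICIOUS_NAMES = ("update microsoft", "yandexupdate", "yandex", "intel.exe")

# Constructed sample records in a simplified "EventID|key=value;..." form (not a real
# Windows event export): 4698 = scheduled task created, 4720 = user account created,
# 5136 = directory object modified, 4688 = process creation (benign control).
SAMPLE_EVENTS = [
    r"4698|SubjectUserName=svc_backup;TaskName=\Update Microsoft;Command=C:\Users\Public\intel.exe",
    r"4698|SubjectUserName=admin;TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag;Command=%windir%\system32\defrag.exe",
    r"4720|SubjectUserName=svc_backup;TargetUserName=yandexupdate",
    r"5136|SubjectUserName=svc_backup;ObjectDN=CN=Domain Admins,CN=Users,DC=corp,DC=local;AttributeLDAPDisplayName=nTSecurityDescriptor",
    r"4688|SubjectUserName=alice;NewProcessName=C:\Windows\System32\notepad.exe",
]

def parse_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Split one record into its event ID and a field dictionary."""
    event_id, _, body = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    return event_id, fields

def contains_alias(value: str) -> bool:
    """True if a task name, command or account name reuses a known disguise."""
    return any(name in value.lower() for name in SUSPICIOUS_NAMES)

def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (event_id, actor, reason) for each record that matches a rule."""
    findings = []
    for line in lines:
        event_id, f = parse_event(line)
        actor = f.get("SubjectUserName", "?")
        if event_id == "4698" and contains_alias(f.get("TaskName", "") + f.get("Command", "")):
            findings.append((event_id, actor, "scheduled task under a known disguise: " + f.get("TaskName", "")))
        elif event_id == "4720":  # every new account is worth a look; alias reuse is worse
            new_user = f.get("TargetUserName", "")
            tag = "known disguise name" if contains_alias(new_user) else "review"
            findings.append((event_id, actor, f"new account {new_user!r} created ({tag})"))
        elif event_id == "5136" and f.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            findings.append((event_id, actor, "ACL changed on " + f.get("ObjectDN", "")))
    return findings

def escalate(findings: List[Tuple[str, str, str]], threshold: int = 2) -> List[str]:
    """Actors behind at least `threshold` rule hits: one identity chaining these steps."""
    counts: Dict[str, int] = {}
    for _, actor, _ in findings:
        counts[actor] = counts.get(actor, 0) + 1
    return sorted(a for a, n in counts.items() if n >= threshold)
```

On the constructed sample, `triage` flags the three `svc_backup` records and `escalate` returns that one actor, which is the correlation worth alerting on rather than the individual hits.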

“The attackers employed a version of the widely known LockBit 3.0 ransomware, compiled from freely available source code, to encrypt the data,” as per Kaspersky researchers. “Before commencing operations, the ransomware terminates processes that might obstruct the encryption of individual files.”

The wiper, which closely resembles the Shamoon malware, overwrites the master boot record (MBR) on connected drives and replaces all file data with randomly generated bytes, effectively preventing system restoration.

“The group relies on a publicly available and widely known collection of malware tools, suggesting they do not create any tools of their own,” stated Kaspersky. “This makes it feasible to identify and thwart Twelve’s attacks in a timely manner.”
