
Hacktivist Group Twelve Launches Destructive Cyber Attacks on Russian Entities

A hacktivist group known as Twelve has been observed using publicly available tools to carry out destructive cyber attacks against Russian targets.

“Instead of asking for a ransom to decrypt data, Twelve chooses to encrypt victims’ data and then destroy their infrastructure with a wiper to make recovery impossible,” Kaspersky explained in an analysis released on Friday.

“The approach indicates a desire to cause maximum harm to target organizations without seeking direct financial gain.”

The group, formed in April 2023 during the Russo-Ukrainian war, has a history of launching cyber attacks aimed at disrupting victim networks and business operations.

It has also been engaged in hack-and-leak operations where sensitive information is stolen and shared on its Telegram channel.

Kaspersky noted that Twelve shares infrastructure and tactics with a ransomware group called DARKSTAR (also known as COMET or Shadow), suggesting a connection between the two groups or their activities.

“While Twelve’s actions are driven by hacktivism, DARKSTAR follows the traditional double extortion model,” the Russian cybersecurity company stated. “This divergence in motives within the syndicate highlights the complexity and variety of contemporary cyber threats.”

The attacks gain initial access through valid local or domain accounts and then use the Remote Desktop Protocol (RDP) for lateral movement. Some intrusions are carried out through the victim’s contractors.

“To achieve this, they compromised the contractor’s infrastructure and used its credentials to connect to the client’s VPN,” Kaspersky explained. “Once inside, the attacker can access the client’s systems via RDP and penetrate their infrastructure.”

Among the tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for activities like credential theft, reconnaissance, network mapping, and privilege escalation. Malicious RDP connections are tunneled through ngrok.

The group also deploys PHP web shells capable of executing commands, moving files, and sending emails. These tools, such as the WSO web shell, are easily accessible on GitHub.

In a specific incident investigated by Kaspersky, the attackers exploited known security vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to implant a web shell that served as a gateway for a backdoor called FaceFish.

“To establish a presence in the domain’s infrastructure, the attackers used PowerShell to add domain users and groups, and modify ACLs (Access Control Lists) for Active Directory objects,” the report stated. “To evade detection, the attackers disguised their malware and campaigns under names of legitimate products or services.”

The attackers utilized names like “Update Microsoft,” “Yandex,” “YandexUpdate,” and “intel.exe” in their operations.

Furthermore, the attackers employed a PowerShell script (“Sophos_kill_local.ps1”) to terminate processes associated with Sophos security software on the compromised device.

In the final stages, the attackers collect sensitive data about their victims, exfiltrate it as ZIP archives through a file-sharing service called DropMeFiles, and then deploy the ransomware and wiper payloads using the Windows Task Scheduler.
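The four preceding paragraphs describe observable actions on the victim’s Windows domain: new domain users and group memberships, ACL changes on Active Directory objects, tooling disguised under the names “Update Microsoft”, “Yandex”, “YandexUpdate” and “intel.exe”, and payloads launched through the Task Scheduler. The following detection sketch is an added example, not code from the article or from Kaspersky. It assumes standard Windows Security audit event IDs (4720, 4728, 4732, 5136, 4698) and a simplified `key="value"` log format; the sample events are constructed for the example.

```python
"""Flag Windows Security events that match the tradecraft described above:
AD account/group creation, ACL changes on directory objects, and scheduled
tasks whose names or actions reuse the reported masquerade names."""
import re
from dataclasses import dataclass
from typing import Optional

# Names the report says the attackers used to disguise their tooling.
MASQUERADE_NAMES = ("update microsoft", "yandex", "yandexupdate", "intel.exe")

# Assumed mapping of standard Windows Security audit event IDs (not from the article).
EVENT_MEANINGS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    5136: "directory service object modified",
    4698: "scheduled task created",
}

# Constructed sample lines in a simplified key="value" layout (not real logs).
SAMPLE_EVENTS = [
    '2024-09-20T10:15:02Z EventID=4720 SubjectUserName="it-admin" TargetUserName="svc-update"',
    '2024-09-20T10:15:09Z EventID=4728 MemberName="CN=svc-update,CN=Users,DC=corp,DC=example" TargetUserName="Domain Admins"',
    '2024-09-20T10:16:40Z EventID=5136 ObjectDN="OU=Servers,DC=corp,DC=example" AttributeLDAPDisplayName="nTSecurityDescriptor"',
    '2024-09-20T10:17:01Z EventID=5136 ObjectDN="CN=jdoe,CN=Users,DC=corp,DC=example" AttributeLDAPDisplayName="telephoneNumber"',
    '2024-09-20T10:20:13Z EventID=4698 TaskName="\\Update Microsoft" TaskContent="C:\\ProgramData\\intel.exe"',
    '2024-09-20T10:21:00Z EventID=4698 TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" TaskContent="%windir%\\system32\\defrag.exe -c"',
    '2024-09-20T10:22:45Z EventID=4624 TargetUserName="contractor01" LogonType="10"',
]

LINE_RE = re.compile(r"EventID=(\d+)\s+(.*)")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def parse_fields(rest: str) -> dict:
    """Turn the key="value" remainder of a line into a dict."""
    return dict(FIELD_RE.findall(rest))


def task_is_suspicious(fields: dict) -> Optional[str]:
    """Return why a 4698 task looks like a masquerade, or None if it does not."""
    name = fields.get("TaskName", "").strip("\\").lower()
    content = fields.get("TaskContent", "").lower()
    if name in MASQUERADE_NAMES:
        return f"task name '{name}' mimics a legitimate product"
    for marker in MASQUERADE_NAMES:
        if marker in content:
            return f"task action references '{marker}'"
    return None


def analyze(lines) -> list:
    """Walk log lines and return Findings for events matching the described tradecraft."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        eid = int(m.group(1))
        if eid not in EVENT_MEANINGS:
            continue  # e.g. ordinary 4624 logons are out of scope here
        f = parse_fields(m.group(2))
        if eid == 4698:
            why = task_is_suspicious(f)
            if why:
                findings.append(Finding(eid, "scheduled task matches masquerade indicator", why))
        elif eid == 5136:
            # nTSecurityDescriptor is the attribute written when an object's ACL changes (assumed).
            if f.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
                findings.append(Finding(eid, "ACL modified on AD object", f.get("ObjectDN", "")))
        elif eid == 4720:
            findings.append(Finding(eid, EVENT_MEANINGS[eid], f.get("TargetUserName", "")))
        else:  # 4728 / 4732: who was added to which group
            findings.append(Finding(eid, EVENT_MEANINGS[eid],
                                    f"{f.get('MemberName', '')} -> {f.get('TargetUserName', '')}"))
    return findings


if __name__ == "__main__":
    for fnd in analyze(SAMPLE_EVENTS):
        print(f"[{fnd.event_id}] {fnd.reason}: {fnd.detail}")
```

Run as-is, the script reports the account creation, the group addition, the ACL change and the disguised task, and stays silent on the benign attribute change, the built-in defrag task and the RDP logon. In production the same logic would be fed from the Security log itself, and the 5136 check requires an auditing SACL on the objects of interest.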

“A version of the widely used LockBit 3.0 ransomware, created from publicly available source code, was used by the attackers to encrypt the data,” according to Kaspersky researchers. “Before encryption, the ransomware terminates processes that might interfere with encrypting individual files.”

The wiper, similar to the Shamoon malware, overwrites the master boot record (MBR) of every connected drive and the contents of all files with random bytes, rendering system recovery impossible.

“The group relies on existing and commonly known malware tools, indicating that they create none of their own,” Kaspersky pointed out. “This allows for the timely detection and prevention of Twelve’s attacks.”
