Hacktivist Group Twelve Is Back and Targets Russian Entities with Cyber Attacks

• Hacktivist group Twelve reemerged several months after its Telegram channel was blocked for violating terms of service.
• The threat actor appeared in April 2023 in the context of the Russian-Ukrainian conflict.
• Security experts believe a late June 2024 attack was orchestrated by the gang, which is expected to return any moment.

A hacktivist collective known as Twelve has emerged as a formidable threat, targeting Russian entities with a series of cyber attacks. Twelve employs a variety of publicly available tools—not with the aim of financial gain but to inflict maximum damage on its targets, according to an analysis by cybersecurity firm Kaspersky.

Unlike traditional ransomware groups that demand payment for data decryption, Twelve encrypts victim data and then launches a destructive wiper attack to obliterate the victim's infrastructure. 

This method underscores their intent to cripple target organizations without deriving any direct financial benefit. The group, reportedly formed in April 2023 amid the Russo-Ukrainian conflict, is recognized for cyber attacks that paralyze operations and disable networks.

Adding another layer to its operations, Twelve conducts hack-and-leak campaigns by exfiltrating sensitive information and sharing it on its Telegram channel. 

Kaspersky's findings suggest infrastructure and tactical overlaps between Twelve and the ransomware group DARKSTAR (also known as COMET or Shadow), indicating a possible connection or collaboration within the activity cluster. 

While Twelve's actions reflect hacktivist motives, DARKSTAR adheres to typical double extortion tactics, highlighting the complexity of modern cyber threats.

Twelve's attack chains typically begin by exploiting legitimate local or domain accounts to gain initial access. Then, they utilize the Remote Desktop Protocol (RDP) to facilitate lateral movement within the target's network. 

In some cases, these attacks are routed through the victim's contractors. The adversary gains access to contractor infrastructure and uses compromised certificates to infiltrate the customer's VPN and systems via RDP.

Twelve employs a range of tools for credential theft, network mapping, and privilege escalation, including Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, and PsExec. Malicious RDP connections are tunneled through ngrok, and PHP web shells like WSO are deployed to execute commands, move files, or send emails.

In one case examined by Kaspersky, Twelve leveraged vulnerabilities such as CVE-2021-21972 and CVE-2021-22005 in VMware vCenter to deploy a web shell, which facilitated the delivery of a backdoor known as FaceFish. To secure persistence in the domain infrastructure, the group utilized PowerShell scripts to add domain users and modify Access Control Lists (ACLs) for Active Directory objects.

To evade detection, Twelve disguises malware as legitimate software, using names like "Update Microsoft," "Yandex," and "intel.exe." Additionally, a PowerShell script dubbed "Sophos_kill_local.ps1" is employed to disable Sophos security software on compromised hosts.

In the final stages of their attacks, Twelve uses the Windows Task Scheduler to deploy ransomware and wiper payloads. Before doing so, they gather and exfiltrate sensitive data via DropMeFiles, storing it in ZIP archives. 

The attackers employ LockBit 3.0 ransomware compiled from open-source code to encrypt data, terminating processes that could hinder file encryption.

For destruction, a wiper akin to the infamous Shamoon malware rewrites the master boot record (MBR) and overwrites file contents with random bytes, rendering system recovery impossible. By leveraging familiar and publicly available malware tools, Twelve's activities can be detected and thwarted with timely and effective cybersecurity measures.