Twelve Hacktivist Group Resurfaces, Targets Russian Entities
September 23, 2024
The hacktivist group Twelve, known for its activities since April 2023, has resurfaced, primarily targeting Russian entities. The group emerged during the Russia-Ukraine conflict and is notorious for its destructive attacks, including the disruption of businesses, theft of sensitive data, and destruction of crucial assets. The group had disappeared for several months after its Telegram channel -=TWELVE=- was blocked for violating Telegram’s terms, but an attack observed by Kaspersky in June 2024 suggested that Twelve was still active.
The group's tactics, techniques, and procedures (TTPs) are identical to those of the DARKSTAR ransomware group, formerly known as Shadow or COMET. This similarity hints at a potential connection between the two groups. However, Twelve's primary motivation is hacktivism, not financial gain. The group encrypts victims' data without demanding a ransom, subsequently deploying a wiper to destroy their infrastructure.
Twelve utilizes a variety of publicly available tools and malware, including Cobalt Strike, mimikatz, chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec. The group gains initial access by exploiting valid local or domain accounts, VPN, or SSH certificates. After gaining access, they use the Remote Desktop Protocol (RDP) for lateral movement.
The group also reaches the victim's infrastructure by compromising some of its contractors: after compromising a contractor's infrastructure, they use its certificate to connect to the customer's VPN. Twelve deploys web shells on compromised web servers to execute arbitrary commands, enable lateral movement, exfiltrate data, and create and send emails.
In one attack investigated by Kaspersky, the group used the FaceFish backdoor and exploited the VMware vCenter Server flaws CVE-2021-21972 and CVE-2021-22005 to deploy their web shell. To maintain persistence, Twelve uses PowerShell to add domain users and groups and to modify Access Control Lists (ACLs) on Active Directory objects.
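The persistence pattern described above (new domain users and groups, then ACL changes on Active Directory objects) leaves a recognizable trail in the Windows Security log. The following detection sketch is an added example, not code from the Kaspersky report; the log format, the sample lines, and the ten-minute correlation window are constructed assumptions, while event IDs 4720 (user created), 4728 (member added to a global group) and 5136 (directory object modified) are standard Windows Security event IDs.

```python
# Added example: flag a subject account that creates a user, adds a group member and
# changes an AD object's ACL (nTSecurityDescriptor) within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, "timestamp|event_id|subject|detail" (not real telemetry).
SAMPLE_LOG = """\
2024-06-10T02:14:05|4720|CORP\\svc-backup|TargetUser=CORP\\helpdesk2
2024-06-10T02:14:22|4728|CORP\\svc-backup|Group=CORP\\Domain Admins;Member=CORP\\helpdesk2
2024-06-10T02:15:40|5136|CORP\\svc-backup|Attribute=nTSecurityDescriptor;Object=CN=Domain Admins,CN=Users,DC=corp,DC=local
2024-06-10T09:30:00|4720|CORP\\hr-admin|TargetUser=CORP\\newhire7
2024-06-10T11:02:13|5136|CORP\\sysadmin|Attribute=description;Object=CN=Printers,DC=corp,DC=local
"""

PERSISTENCE_IDS = {"4720", "4728", "5136"}  # user created, group member added, object modified

def parse_events(text):
    """Parse the constructed pipe-separated format into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, detail = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "id": eid,
                       "subject": subject, "detail": detail})
    return events

def find_persistence_clusters(events, window=timedelta(minutes=10)):
    """Return (subject, first_time, last_time) for subjects that produced all three
    event types within `window`; 5136 only counts when the ACL attribute changed."""
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] not in PERSISTENCE_IDS:
            continue
        if e["id"] == "5136" and "nTSecurityDescriptor" not in e["detail"]:
            continue  # ordinary attribute edits are not ACL changes
        by_subject[e["subject"]].append(e)
    hits = []
    for subject, evs in by_subject.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            if {e["id"] for e in cluster} == PERSISTENCE_IDS:
                hits.append((subject, first["time"], cluster[-1]["time"]))
                break  # one alert per subject is enough
    return hits
```

Run against real exports, the same correlation would key on the SubjectUserName field of each event rather than the constructed pipe format.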
The report concludes, “Twelve is mainly driven by hacktivism rather than financial gain. This shows in their modus operandi: rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery. The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit.”