September 21, 2024 at 11:37AM
The hacktivist group Twelve has been observed conducting destructive cyber attacks against Russian targets. It encrypts victims’ data and then destroys their infrastructure, aiming for maximum damage rather than financial gain. The group, which emerged in the context of the Russo-Ukrainian war, uses a range of tools and tactics that overlap with those of the ransomware group DARKSTAR. Its attacks involve exploiting vulnerabilities and deploying both ransomware and wiper payloads.
Rather than demanding a ransom, Twelve encrypts victims’ data and then destroys their infrastructure with a wiper to prevent recovery, which indicates that the goal is maximum damage rather than direct financial benefit. The group has been active since April 2023 and has a track record of attacks aimed at crippling victim networks and disrupting business operations. It also conducts hack-and-leak operations, publishing exfiltrated sensitive information on its Telegram channel.
Twelve shares tooling and techniques with a ransomware group called DARKSTAR, but the two differ in objectives: Twelve’s actions are hacktivist in nature, while DARKSTAR follows the classic double-extortion pattern. Twelve’s attack chains begin with initial access, followed by lateral movement over Remote Desktop Protocol (RDP) using valid local or domain accounts. The group deploys various tools for credential theft, discovery, network mapping and privilege escalation, plants PHP web shells, and exploits known security vulnerabilities to drop backdoors. The later stages involve terminating security software processes, launching the ransomware and wiper payloads, gathering and exfiltrating sensitive information, and deliberately preventing system recovery.
It is worth noting that Twelve relies on publicly available and well-known malware tools, so its attacks can be detected and prevented in time.
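Two of the behaviours in the attack chain above leave traces in ordinary Windows Security auditing: RDP lateral movement with a valid account shows up as logon events (Event ID 4624, LogonType 10), and killing security software shows up in process-creation events (Event ID 4688) when command-line auditing is enabled. The script below is an added illustration written for this page, not code from the original report or from any tool attributed to Twelve. The event lines are constructed sample data in a flattened JSON shape like a SIEM export; the field names, the thresholds and the watchlist of security-product image names are assumptions to be adapted to the environment in question.

```python
"""Detect two Twelve-style behaviours over constructed Windows Security events:
1. RDP fan-out: one (source IP, account) pair reaching many hosts in a short window.
2. Security-tool termination: taskkill aimed at a watch-listed process.
The events below are constructed sample data, not real logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4624/LogonType 10 is a RemoteInteractive (RDP) logon;
# 4688 is process creation with command-line auditing enabled.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "TimeCreated": "2024-09-20T10:01:00", "Computer": "FS01",  "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup", "LogonType": 10}',
    '{"EventID": 4624, "TimeCreated": "2024-09-20T10:04:00", "Computer": "DC01",  "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup", "LogonType": 10}',
    '{"EventID": 4624, "TimeCreated": "2024-09-20T10:06:30", "Computer": "APP02", "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup", "LogonType": 10}',
    '{"EventID": 4624, "TimeCreated": "2024-09-20T10:09:00", "Computer": "APP03", "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup", "LogonType": 10}',
    '{"EventID": 4624, "TimeCreated": "2024-09-20T10:02:00", "Computer": "WS17",  "IpAddress": "10.0.0.9", "TargetUserName": "alice", "LogonType": 10}',
    '{"EventID": 4624, "TimeCreated": "2024-09-20T10:03:00", "Computer": "FS01",  "IpAddress": "10.0.0.9", "TargetUserName": "alice", "LogonType": 3}',
    '{"EventID": 4688, "TimeCreated": "2024-09-20T10:07:10", "Computer": "APP02", "CommandLine": "taskkill.exe /F /IM MsMpEng.exe"}',
    '{"EventID": 4688, "TimeCreated": "2024-09-20T10:07:30", "Computer": "WS17",  "CommandLine": "taskkill /F /IM notepad.exe"}',
]

RDP_LOGON_TYPE = 10
FANOUT_THRESHOLD = 3            # distinct hosts per (source, account) in one window (assumed)
FANOUT_WINDOW = timedelta(minutes=30)

# Hypothetical watchlist of security-product image names as they would appear in a
# taskkill command line. Replace with the products actually deployed.
PROTECTED_PROCESSES = {"msmpeng.exe", "sense.exe", "avp.exe", "csfalconservice.exe"}


def parse_events(lines):
    """Parse JSON event lines, convert TimeCreated to datetime, and sort by time."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def detect_rdp_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Flag (source IP, account) pairs that RDP into >= threshold distinct hosts
    within any window of the given length. One alert per pair, reporting the
    largest host set seen in a single window."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE:
            by_pair[(ev["IpAddress"], ev["TargetUserName"])].append(ev)

    alerts = []
    for (src, account), evs in by_pair.items():   # evs keep the global time order
        best = set()
        for i, start in enumerate(evs):
            hosts = {e["Computer"] for e in evs[i:]
                     if e["TimeCreated"] - start["TimeCreated"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts.append({"source": src, "account": account,
                           "hosts": sorted(best), "first_seen": evs[0]["TimeCreated"]})
    return alerts


def detect_security_kill(events, protected=PROTECTED_PROCESSES):
    """Flag process-creation events where taskkill targets a watch-listed image."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        tokens = ev.get("CommandLine", "").lower().split()
        # Accept a bare "taskkill" or a full path ending in taskkill.exe
        if not tokens or not tokens[0].rsplit("\\", 1)[-1].startswith("taskkill"):
            continue
        # taskkill names its target image after /IM; collect every protected one
        targets = {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "/im"}
        hit = targets & protected
        if hit:
            alerts.append({"host": ev["Computer"], "time": ev["TimeCreated"],
                           "killed": sorted(hit), "command": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in detect_rdp_fanout(evs):
        print("RDP fan-out:", a)
    for a in detect_security_kill(evs):
        print("Security tool killed:", a)
```

On the sample data the first rule fires once, for svc_backup reaching four hosts from 10.0.0.5 within ten minutes, while alice's single RDP logon plus a network logon (LogonType 3) stays below the threshold; the second rule fires only for the taskkill against the watch-listed image on APP02. In production the threshold and window should be tuned against baseline RDP usage, and the second rule should be extended to the other ways security processes get stopped (service control, driver unloading) that a plain taskkill match does not cover.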