A hacktivist group known as Twelve has been conducting destructive cyber attacks against Russian targets, utilizing publicly available tools to encrypt and destroy data without seeking ransom. This approach aims to inflict maximum damage on organizations involved in the ongoing conflict.
Key Takeaways
Hacktivist Group Twelve formed in April 2023 amid the Russo-Ukrainian war.
The group employs a strategy of data encryption followed by infrastructure destruction.
Twelve shares similarities with the ransomware group DARKSTAR, indicating a complex cyber threat landscape.
Background of Hacktivist Group Twelve
Hacktivist Group Twelve emerged in response to the Russo-Ukrainian war, targeting Russian entities with a clear agenda to disrupt operations rather than seeking financial gain. Their tactics include not only destructive attacks but also hack-and-leak operations, where sensitive information is exfiltrated and shared publicly.
Attack Methodology
The group employs a variety of techniques to infiltrate networks:
Initial Access: Gaining entry through valid local or domain accounts.
Lateral Movement: Utilizing Remote Desktop Protocol (RDP) to navigate through networks.
Exploitation of Contractors: Accessing contractor infrastructure to connect to customer systems.
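The chain described above (a valid account, RDP hops between hosts, entry through a contractor's connection) leaves successful RemoteInteractive logons, Windows Security event 4624 with logon type 10, on every host reached. The following detection sketch is an added example, not code from the article or its source. The contractor address range, time window, host threshold, tuple layout and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): contractor range, window and threshold.
CONTRACTOR_NETS = [ip_network("10.50.0.0/24")]
WINDOW = timedelta(minutes=30)
MAX_HOSTS = 3

# Constructed sample: (time, event_id, logon_type, account, source_ip, dest_host)
SAMPLE_EVENTS = [
    ("2024-01-10T02:01:00", 4624, 10, "CORP\\svc_vendor", "10.50.0.7", "APP01"),
    ("2024-01-10T02:06:00", 4624, 10, "CORP\\svc_vendor", "10.1.1.20", "FS01"),
    ("2024-01-10T02:11:00", 4624, 10, "CORP\\svc_vendor", "10.1.1.31", "DC01"),
    ("2024-01-10T02:15:00", 4624, 3, "CORP\\svc_vendor", "10.1.1.31", "DC02"),
    ("2024-01-10T09:00:00", 4624, 10, "CORP\\alice", "10.1.2.5", "APP01"),
    ("2024-01-10T13:00:00", 4624, 10, "CORP\\alice", "10.1.2.5", "FS01"),
]

def from_contractor(ip):
    """True if the source address lies in an assumed contractor range."""
    return any(ip_address(ip) in net for net in CONTRACTOR_NETS)

def find_rdp_fanout(events):
    """Flag accounts whose RDP logons reach MAX_HOSTS distinct hosts in WINDOW."""
    by_account = defaultdict(list)
    for ts, event_id, logon_type, account, src, host in events:
        # 4624 with logon type 10 is a successful RemoteInteractive (RDP) logon.
        if event_id == 4624 and logon_type == 10:
            by_account[account].append((datetime.fromisoformat(ts), src, host))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _, _) in enumerate(logons):
            in_window = [l for l in logons[i:] if l[0] - start <= WINDOW]
            hosts = sorted({h for _, _, h in in_window})
            if len(hosts) >= MAX_HOSTS:
                alerts.append({
                    "account": account,
                    "hosts": hosts,
                    "first_seen": start.isoformat(),
                    "via_contractor": any(from_contractor(s) for _, s, _ in in_window),
                })
                break  # one alert per account is enough to start triage
    return alerts

if __name__ == "__main__":
    for alert in find_rdp_fanout(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the vendor service account is flagged; the user who reaches two hosts hours apart is not.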
Tools and Techniques Used
Twelve utilizes a range of tools for their operations, including:
Cobalt Strike: For post-exploitation and lateral movement.
Mimikatz: For credential theft.
BloodHound: For network mapping.
PHP Web Shells: To execute commands and manipulate files.
In one notable incident, the group exploited vulnerabilities in VMware vCenter to deploy a backdoor known as FaceFish, showcasing their ability to adapt and exploit known security flaws.
Characteristics of the Attacks
The attacks are marked by several distinctive features:
Data Encryption: Using a version of LockBit 3.0 ransomware to encrypt data.
Wiper Payloads: Employing malware similar to Shamoon to overwrite data and prevent recovery.
Process Termination: Utilizing PowerShell scripts to disable security software before launching attacks.
Implications of the Attacks
The actions of Hacktivist Group Twelve highlight the evolving nature of cyber warfare, where hacktivism intersects with traditional cybercrime. Their focus on causing disruption rather than financial gain reflects a broader trend in the cyber threat landscape, where motivations are increasingly tied to geopolitical events.
As the conflict continues, the activities of groups like Twelve underscore the importance of robust cybersecurity measures. Organizations must remain vigilant against such threats, employing advanced detection and prevention strategies to mitigate the risks posed by these destructive cyber attacks.
Sources
Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks, The Hacker News.