Cybersecurity experts at Kaspersky Lab have recently uncovered evidence that the notorious hacking group known as Twelve has resumed its malicious activities targeting Russian state-owned companies. This revelation comes after several months of apparent inactivity, signaling a potential escalation in cyber threats against Russian organizations.
Background and Recent Activities
The Twelve group first emerged in April 2023, gaining notoriety for its attacks on Russian entities and the publication of personal data on its Telegram channel. However, the group’s public presence diminished in early 2024 when their channel was blocked for violating platform rules. Despite this setback, Kaspersky Lab researchers have identified new attacks bearing the hallmarks of Twelve’s tactics, suggesting the group’s continued operation.
Tactics and Techniques
Twelve’s primary objective appears to be inflicting maximum damage on target organizations through data encryption and destruction. This approach severely hampers victims’ ability to recover their information systems. The group’s methods include:
- Scanning Russian IP ranges to identify potential entry points
- Targeting VPN servers and internet-accessible applications
- Utilizing freely available tools and web shells
- Abusing valid local or domain accounts and stolen VPN or SSH certificates rather than custom malware
- Leveraging Remote Desktop Protocol (RDP) for lateral movement
Notably, Twelve often gains initial access through third-party contractors: it compromises the contractor's systems and reuses the contractor's VPN certificates to connect to the primary target's network as a trusted party.
Connection to DARKSTAR
Researchers have identified similarities between Twelve and another ransomware group called DARKSTAR (formerly known as Shadow and Comet). Both groups share common infrastructure, utilities, and Tactics, Techniques, and Procedures (TTPs), suggesting they may belong to the same syndicate or activity cluster. However, while Twelve’s actions typically align with hacktivism, DARKSTAR follows a more traditional double extortion ransomware model.
Defensive Measures and Implications
Because Twelve relies on publicly available tools, valid accounts and built-in services rather than proprietary malware, its activity looks like ordinary administration until the destructive phase begins. That is also the defenders' opportunity: misuse of legitimate credentials and RDP can be detected before encryption or wiping starts. Kaspersky's researchers recommend monitoring for this kind of activity, keeping internet-facing services such as VPN gateways patched, and applying strict, time-limited access controls to third-party contractor accounts and certificates, since those are the group's preferred way in.
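As an added illustration of the monitoring described above (this is example code written for this article, not Kaspersky's tooling or anything published by the researchers), the script below runs two simple detections over a handful of constructed Windows logon events: one flags an account that opens RDP sessions to several distinct hosts in a short window, the lateral-movement pattern listed in the tactics section, and the other flags a contractor account used from outside its agreed VPN address pool or outside its maintenance window, the contractor-access abuse the article describes. The event format, the `ctr-` naming convention for contractor accounts, the VPN pool `10.200.0.0/24`, the maintenance hours and all sample events are assumptions chosen for the example.

```python
"""Added example, not code from the article or from Kaspersky.

Two detections over constructed Windows logon events:
  1. RDP fan-out: one account reaching several hosts by RDP in a short window.
  2. Contractor account used outside its VPN pool or maintenance window.

Assumptions (not from the article): events are normalised dicts as a SIEM
would produce from Windows Security event 4624, where LogonType 10 is
RemoteInteractive (RDP); contractor accounts are named "ctr-*"; the
contractor VPN pool and maintenance hours are illustrative values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10
FANOUT_HOSTS = 3                         # distinct hosts reached over RDP ...
FANOUT_WINDOW = timedelta(minutes=30)    # ... within this window triggers an alert
CONTRACTOR_PREFIX = "ctr-"               # assumed naming convention
CONTRACTOR_VPN_POOL = ip_network("10.200.0.0/24")   # assumed contractor VPN pool
CONTRACTOR_HOURS = range(9, 18)          # assumed maintenance window (local hours)

# Constructed sample events: (time, account, source IP, target host, logon type).
SAMPLE_EVENTS = [
    ("2024-06-10T10:05:00", "ctr-backup", "10.200.0.15", "srv-erp-01", 10),  # normal
    ("2024-06-10T02:11:00", "ctr-backup", "10.200.0.21", "srv-erp-01", 10),  # off hours
    ("2024-06-10T02:12:00", "ctr-backup", "203.0.113.7", "srv-erp-01", 10),  # outside pool
    ("2024-06-10T02:15:00", "svc-deploy", "10.10.5.5", "srv-erp-01", 10),
    ("2024-06-10T02:20:00", "svc-deploy", "10.10.5.5", "dc-01", 10),
    ("2024-06-10T02:28:00", "svc-deploy", "10.10.5.5", "fs-01", 10),
    ("2024-06-10T02:30:00", "svc-deploy", "10.10.5.5", "fs-01", 3),   # network logon, ignored
    ("2024-06-10T11:00:00", "jdoe", "10.10.7.30", "ws-jdoe", 2),
    ("2024-06-10T12:00:00", "jdoe", "10.10.7.30", "srv-wiki", 10),
]


def parse_events(rows):
    """Turn the raw tuples into typed dicts (timestamps and IPs parsed)."""
    return [
        {"time": datetime.fromisoformat(t), "account": acct,
         "src": ip_address(src), "host": host, "logon_type": lt}
        for t, acct, src, host, lt in rows
    ]


def rdp_fanout(events, max_hosts=FANOUT_HOSTS, window=FANOUT_WINDOW):
    """Return {account: sorted hosts} for accounts that opened RDP sessions to
    at least max_hosts distinct hosts within any sliding window of `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def contractor_policy_violations(events):
    """Return (time, account, src, host, reasons) for contractor logons that
    come from outside the VPN pool or fall outside the maintenance window."""
    findings = []
    for e in events:
        if not e["account"].startswith(CONTRACTOR_PREFIX):
            continue
        reasons = []
        if e["src"] not in CONTRACTOR_VPN_POOL:
            reasons.append("source outside contractor VPN pool")
        if e["time"].hour not in CONTRACTOR_HOURS:
            reasons.append("outside maintenance window")
        if reasons:
            findings.append((e["time"].isoformat(), e["account"],
                             str(e["src"]), e["host"], reasons))
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for account, hosts in rdp_fanout(events).items():
        print(f"RDP fan-out: {account} -> {', '.join(hosts)}")
    for when, account, src, host, reasons in contractor_policy_violations(events):
        print(f"Contractor policy: {when} {account} {src} -> {host}: {'; '.join(reasons)}")
```

On the sample data the first detection fires on `svc-deploy`, which reaches three servers by RDP in thirteen minutes, and the second fires twice on `ctr-backup`, once for an off-hours logon from the pool and once for a logon from an address outside the pool. Thresholds and windows are deliberately simple; in production they would be tuned per environment and enriched with whether the target hosts are ones the account normally touches.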
As Twelve resurfaces and continues to target Russian state companies, organizations in its crosshairs need to stay vigilant, particularly around contractor access and the reuse of valid credentials. Because the group achieves its aims with ordinary tools and legitimate accounts, the defenders' advantage lies less in signature-based detection of custom malware than in spotting the misuse of access paths that already exist. Organizations that track the group's known attack vectors and enforce strict access controls can catch an intrusion before encryption or data destruction begins.