Published on: September 26, 2024
A hacktivist group known as “Twelve” has been launching highly destructive cyberattacks against Russian organizations, according to a recent analysis by Kaspersky. Unlike traditional ransomware groups, Twelve does not seek financial gain. Instead, it encrypts victims’ data and then destroys their infrastructure using a wiper, preventing any chance of recovery.
Twelve, believed to have formed in April 2023 amid the Russo-Ukrainian war, has been observed conducting attacks that aim to cripple networks and disrupt operations. The group also engages in hack-and-leak operations, exfiltrating sensitive information and publishing it on its Telegram channel.
Kaspersky noted similarities between Twelve and a ransomware group known as DARKSTAR, suggesting the two may be connected. However, while DARKSTAR uses a traditional extortion model, Twelve’s focus is on causing maximum damage.
The group gains access to systems by exploiting valid local or domain accounts, using tools like Cobalt Strike, Mimikatz, and PsExec for credential theft and lateral movement. In some cases, attacks are carried out through a victim’s contractors, using stolen certificates to access customer VPNs and systems via Remote Desktop Protocol (RDP).
Twelve also exploits known vulnerabilities, such as those in VMware vCenter, to deploy web shells and backdoors like FaceFish. The group's attacks include disguising malware as legitimate programs from companies like Microsoft, Intel, and Yandex, helping it avoid detection.
Once inside a system, Twelve uses PowerShell scripts to disable security software and deploys ransomware, followed by a wiper that permanently destroys data by rewriting the master boot record (MBR).
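Both the vendor impersonation and the PowerShell-based tampering with security software described above leave traces in process-creation telemetry. The following Python is an added detection example, not code from the report or from Kaspersky; it assumes a constructed Sysmon-like `Key=Value|Key=Value` record format, and because the report names no specific commands, the PowerShell indicator pattern is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass

# Vendors the report says Twelve's malware impersonates.
IMPERSONATED_VENDORS = ("microsoft", "intel", "yandex")
# Assumed indicator for PowerShell that weakens endpoint protection; the
# report gives no concrete commands, so this pattern is illustrative only.
TAMPER_PATTERN = re.compile(r"Set-MpPreference|DisableRealtimeMonitoring", re.I)


@dataclass
class ProcessEvent:
    image: str
    company: str
    signature_valid: bool
    command_line: str


def parse_event(line):
    """Parse one constructed, Sysmon-like 'Key=Value|Key=Value' record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcessEvent(
        image=fields["Image"],
        company=fields.get("Company", ""),
        signature_valid=fields.get("SignatureStatus") == "Valid",
        command_line=fields.get("CommandLine", ""),
    )


def classify(ev):
    """Return the findings for one process-creation event (empty = clean)."""
    findings = []
    # A binary claiming a trusted vendor without a valid Authenticode
    # signature matches the impersonation pattern the report describes.
    if any(v in ev.company.lower() for v in IMPERSONATED_VENDORS) and not ev.signature_valid:
        findings.append("vendor-spoof:" + ev.company)
    # PowerShell launched with arguments that disable security tooling.
    if ev.image.lower().endswith("powershell.exe") and TAMPER_PATTERN.search(ev.command_line):
        findings.append("security-tamper")
    return findings


def scan(lines):
    return {ev.image: classify(ev) for ev in map(parse_event, filter(str.strip, lines))}


# Constructed sample telemetry (not real indicators from the report).
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\svchost.exe|Company=Microsoft Corporation|SignatureStatus=Valid|CommandLine=svchost.exe -k netsvcs",
    r"Image=C:\Users\Public\IntelUpdate.exe|Company=Intel Corporation|SignatureStatus=Unavailable|CommandLine=IntelUpdate.exe /silent",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Company=Microsoft Corporation|SignatureStatus=Valid|CommandLine=powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
]

for image, findings in scan(SAMPLE_LOG).items():
    print(image, "->", findings or "clean")
```

The vendor check deliberately keys on the claimed company name rather than the file name, since the report describes malware posing as these vendors' programs regardless of how it is named on disk.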
Kaspersky warns that while Twelve uses publicly available tools, making detection possible, the group’s tactics and intent to inflict irreversible damage make it a significant cyber threat.