From initial compromise to ransomware and wipers
Sept. 23, 2024, 4:09 p.m.
Description
The Twelve group, formed in April 2023 amid the Russian-Ukrainian conflict, specializes in attacking Russian government organizations. Their attacks involve encrypting and deleting victims' data, causing maximum damage without seeking financial gain. The group uses publicly available tools like Cobalt Strike, mimikatz, and PowerShell scripts for initial access, lateral movement, and privilege escalation. They employ LockBit 3.0 ransomware and Shamoon-based wipers to destroy infrastructures. Twelve exfiltrates sensitive data and posts it on Telegram. The group shares infrastructure with DARKSTAR, suggesting a possible syndicate. Their primary objectives are to destroy critical assets, disrupt business, steal sensitive data, and discredit victims.
Tags
Date
- Created: Sept. 23, 2024, 3:29 p.m.
- Published: Sept. 23, 2024, 3:29 p.m.
- Modified: Sept. 23, 2024, 4:09 p.m.
Indicators
- a028fe94a83846666ec974858398dbdcfd6fdd29bd995619a1f2542f611d62d6
- 773f9b531c8d59a32aad6f7f50e4a22c6e5642d4e70eed0a12390caf66eb8403
- 4a4c8d32038388f6ca9475fb6db8024acd56a01721d53104c755f918fb31f221
- 92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50
- 5.8.16.238
- 5.8.16.170
- 5.8.16.236
- 5.8.16.149
- 5.8.16.147
- 217.148.143.196
- 195.2.79.195
- 193.110.79.47
- 109.205.56.229
- 91.90.121.220
- 89.33.8.198
- 89.238.132.68
- 79.137.69.34
- 212.109.217.88
- 5.8.16.169
- 5.8.16.148
Attack Patterns
- FaceFish
- Disttrack
- Shamoon - S0140
- LockBit 3.0
- Chaos - S0220
- Twelve
- T1588.001
- T1587.001
- T1069
- T1078.002
- T1021.001
- T1543.003
- T1588.002
- T1070.001
- T1490
- T1110
- T1136
- T1087
- T1562.001
- T1486
- T1083
- T1053
- T1190
- T1078
- T1003
- T1059
- CVE-2021-22005
- CVE-2021-21972
Additional Informations
- Government
- Russian Federation