From initial compromise to ransomware and wipers
Sept. 23, 2024, 4:09 p.m.
Description
The Twelve group, formed in April 2023 amid the Russian-Ukrainian conflict, specializes in attacking Russian government organizations. Their attacks involve encrypting and deleting victims' data, causing maximum damage without seeking financial gain. The group uses publicly available tools like Cobalt Strike, mimikatz, and PowerShell scripts for initial access, lateral movement, and privilege escalation. They employ LockBit 3.0 ransomware and Shamoon-based wipers to destroy infrastructures. Twelve exfiltrates sensitive data and posts it on Telegram. The group shares infrastructure with DARKSTAR, suggesting a possible syndicate. Their primary objectives are to destroy critical assets, disrupt business, steal sensitive data, and discredit victims.
Date
Published: Sept. 23, 2024, 3:29 p.m.
Created: Sept. 23, 2024, 3:29 p.m.
Modified: Sept. 23, 2024, 4:09 p.m.
Indicators
a028fe94a83846666ec974858398dbdcfd6fdd29bd995619a1f2542f611d62d6
773f9b531c8d59a32aad6f7f50e4a22c6e5642d4e70eed0a12390caf66eb8403
4a4c8d32038388f6ca9475fb6db8024acd56a01721d53104c755f918fb31f221
92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50
5.8.16.238
5.8.16.170
5.8.16.236
5.8.16.149
5.8.16.147
217.148.143.196
195.2.79.195
193.110.79.47
109.205.56.229
91.90.121.220
89.33.8.198
89.238.132.68
79.137.69.34
212.109.217.88
5.8.16.169
5.8.16.148
Attack Patterns
FaceFish
Disttrack
Shamoon - S0140
LockBit 3.0
Chaos - S0220
Twelve
T1588.001
T1587.001
T1069
T1078.002
T1021.001
T1543.003
T1588.002
T1070.001
T1490
T1110
T1136
T1087
T1562.001
T1486
T1083
T1053
T1190
T1078
T1003
T1059
CVE-2021-22005
CVE-2021-21972
Additional Information
Government
Russian Federation