Head Mare and Twelve: Joint attacks on Russian entities

March 13, 2025, 7:27 p.m.

Description

Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contractors. They used various tools for reconnaissance, privilege escalation, lateral movement, and data exfiltration. The final goal was file encryption using LockBit 3.0 and Babuk ransomware. Overlaps in infrastructure, tactics, and tools suggest collaboration between the two groups. The attacks primarily targeted manufacturing, government, and energy sectors in Russia.

External References

https://securelist.com/head-mare-twelve-collaboration/115887/
https://otx.alienvault.com/pulse/67d2f2839a4838011419a38a
Tags
ransomware
lockbit
hacktivism
CVE-2021-26855
CVE-2023-38831
babuk
lockbit 3.0
cobint
infrastructure sharing
2025-03-13
phantomjitter

Date

  • Created: March 13, 2025, 2:58 p.m.
  • Published: March 13, 2025, 2:58 p.m.
  • Modified: March 13, 2025, 7:27 p.m.

Attack Patterns

  • PhantomJitter
  • CobInt
  • LockBit 3.0
  • Vasa Locker
  • Babyk
  • Babuk - S0638
  • Head Mare and Twelve
  • T1021.002
  • T1069
  • T1021.001
  • T1135
  • T1018
  • T1012
  • T1087
  • T1199
  • T1021
  • T1016
  • T1070
  • T1082
  • T1057
  • T1105
  • T1083
  • T1543
  • T1569
  • T1033
  • T1049
  • T1027
  • T1553
  • T1112
  • T1078
  • T1003
  • T1059

Additional Informations

  • Energy
  • Government
  • Manufacturing
  • Russian Federation