Hacktivist group Twelve has resurfaced with a focused campaign targeting Russian entities. The group has been active since at least April 2023. It aims to disrupt operations and destroy critical assets.
It was formed in response to the conflict between Russia and Ukraine. The group’s operations focus on destroying critical infrastructure and disrupting business activities. They also steal sensitive data.
Twelve was inactive for several months after its Telegram channel -=TWELVE=- was shut down in the spring of 2024. However, Kaspersky observed an attack in June 2024 that used techniques and servers identical to the group’s previous operations. This suggests that Twelve remains active despite its temporary disappearance.
Interestingly, Twelve’s infrastructure and techniques are similar to those of the ransomware group formerly known as Shadow or COMET. This similarity suggests a possible connection between the two groups. However, Twelve’s motivations are rooted in hacktivism rather than financial gain.
The group encrypts victims’ data without demanding a ransom. They then destroy the compromised infrastructure.
Hacktivist Twelve targets Russian infrastructure
Twelve employs a range of publicly available tools and malware, making its attacks detectable and preventable. Its toolkit includes credential theft, network discovery, and privilege escalation tools such as Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec.
The group often gains initial access by abusing legitimate local or domain accounts and VPN or SSH certificates. They then rely on Remote Desktop Protocol (RDP) for lateral movement. In some cases, Twelve compromises a victim’s contractors to use their certificates to access the victim’s VPN.
They deploy web shells on compromised servers to execute arbitrary commands, move laterally, exfiltrate data, and create and send emails. One notable attack involved the FaceFish backdoor: the attackers exploited VMware vCenter Server flaws to deploy a web shell, which then loaded the implant.
Twelve maintains persistence by using PowerShell to add domain users and groups and to modify Access Control Lists (ACLs) on Active Directory objects. A report from Kaspersky noted that “Twelve is mainly driven by hacktivism rather than financial gain.”
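The persistence pattern described above (a new domain account, a privileged group change, and an ACL modification on an AD object, all from one actor in a short window) is visible in Windows Security event logs. The following is an added detection example, not code from the article or from Kaspersky: it correlates event IDs 4720 (user account created), 4728/4732 (member added to a security-enabled group) and 5136 (directory service object modified, here with the nTSecurityDescriptor attribute). Those event IDs are real Windows Security event IDs; the log records, account names and the 30-minute window are constructed assumptions for illustration.

```python
"""Added example (not from the article or from Kaspersky): correlate Windows
Security event records to flag the persistence chain the article describes.
Event IDs 4720, 4728/4732 and 5136 are real Windows Security event IDs; every
record below is constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, actor, subject, detail).
# The first four lines model one actor creating an account, adding it to a
# privileged group and then touching an AD object's security descriptor; the
# last line is a benign account creation with no follow-up activity.
SAMPLE_EVENTS = [
    ("2024-06-10T02:14:05", 4624, "svc_backup", "-", "logon type 10"),
    ("2024-06-10T02:15:30", 4720, "svc_backup", "adm_sync", "user account created"),
    ("2024-06-10T02:16:02", 4728, "svc_backup", "adm_sync", "added to Domain Admins"),
    ("2024-06-10T02:18:45", 5136, "svc_backup",
     "CN=AdminSDHolder,CN=System,DC=example,DC=local", "nTSecurityDescriptor modified"),
    ("2024-06-10T09:00:00", 4720, "hr_admin", "jdoe", "user account created"),
]

USER_CREATED = 4720
PRIVILEGED_GROUP_EVENTS = {4728, 4732}  # member added to a security-enabled global/local group
ACL_MODIFIED = 5136                     # directory service object modified (needs DS change auditing + SACL)


def parse_event(rec):
    """Turn one constructed tuple into a dict with a real datetime."""
    ts, eid, actor, subject, detail = rec
    return {"ts": datetime.fromisoformat(ts), "id": eid,
            "actor": actor, "subject": subject, "detail": detail}


def find_persistence_chains(records, window_minutes=30):
    """Return one alert per account-creation event that is followed, within
    `window_minutes` and by the same actor, by a privileged group add for the
    new account and an nTSecurityDescriptor modification on any AD object."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    alerts = []
    for i, created in enumerate(events):
        if created["id"] != USER_CREATED:
            continue
        deadline = created["ts"] + timedelta(minutes=window_minutes)
        later = [e for e in events[i + 1:]
                 if e["ts"] <= deadline and e["actor"] == created["actor"]]
        group_adds = [e for e in later
                      if e["id"] in PRIVILEGED_GROUP_EVENTS and e["subject"] == created["subject"]]
        acl_mods = [e for e in later
                    if e["id"] == ACL_MODIFIED and "nTSecurityDescriptor" in e["detail"]]
        if group_adds and acl_mods:
            alerts.append({
                "actor": created["actor"],
                "new_account": created["subject"],
                "group_event": group_adds[0]["detail"],
                "acl_target": acl_mods[0]["subject"],
                "first_seen": created["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_persistence_chains(SAMPLE_EVENTS):
        print("ALERT: possible AD persistence chain:", alert)
```

Event 5136 only appears if Directory Service Changes auditing is enabled and the relevant objects carry a SACL for Write DACL / Write Owner, so an empty result from this correlation says nothing unless that auditing is confirmed to be in place. The window is a tuning knob: widen it on domain controllers where the three steps are normally never performed together by one account.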
“This is evident in their modus operandi: rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery. This approach indicates a desire to cause maximum damage to targeted organizations without deriving direct financial benefit.”