From initial compromise to ransomware and wipers

· Published 23/09/2024 15:29 · Modified 23/09/2024 16:09

Essential information

Tags
2024-09-23 chaos cobalt strike facefish lockbit 3.0 shamoon
Related entities
2 vulnerabilities (cve), 20 observables, 1 intrusion sets (apt), 20 techniques (mitre), 5 malware, 2 others

Description

The Twelve group, formed in April 2023 amid the Russian-Ukrainian conflict, specializes in attacking Russian government organizations. Their attacks involve encrypting and deleting victims' data, causing maximum damage without seeking financial gain. The group uses publicly available tools like , mimikatz, and PowerShell scripts for initial access, lateral movement, and privilege escalation. They employ ransomware and -based wipers to destroy infrastructures. Twelve exfiltrates sensitive data and posts it on Telegram. The group shares infrastructure with DARKSTAR, suggesting a possible syndicate. Their primary objectives are to destroy critical assets, disrupt business, steal sensitive data, and discredit victims.

External references