TWELVE is a hacktivist-aligned group that surfaced during the Russia-Ukraine conflict. It leaked personal data on Telegram and later linked those leaks to a June 2024 cyberattack, a sign of ongoing activity. The group targets Russian state companies with data encryption and destruction while exfiltrating and publishing stolen data, and it shares infrastructure and techniques with the DARKSTAR ransomware cluster.
#TWELVE #DARKSTAR #LockBit3.0 #Shamoon #PowerView #Mimikatz #Ngrok #Telegram
Key points
- TWELVE emerged in the Russia-Ukraine conflict and focuses on Russian government-related targets.
- The group encrypts and destroys data, sometimes exfiltrating information to Telegram for public disclosure.
- In infrastructure and techniques, TWELVE shares elements with the DARKSTAR group, indicating possible shared operations or clustering.
- A broad toolkit is used, including ngrok, Cobalt Strike, mimikatz, and web shells; contractors’ infrastructure often provides initial access.
- Web shells, backdoors (FaceFish), and PowerShell-based persistence are core components of their operations.
- Discovery and lateral movement rely on tools like BloodHound, adPEAS, PowerView, RDP, and PsExec; defense evasion includes log cleanup and registry/tasks tampering.
- Ransomware (LockBit 3.0) and wipers are used to maximize disruption, with notable destructive indicators like a Shamoon-style wiper and MBR manipulation.
MITRE Techniques
- [T1193] Web Shells – Used for command execution and file manipulation. “Utilized PHP web shells for command execution and file manipulation.”
- [T1003] Mimikatz – Used to dump credentials from memory. “Used to dump credentials from memory.”
- [T1064] Scripts – Executed various PowerShell and batch scripts for operations. “Executed various PowerShell and batch scripts for operations.”
- [T1470] Ngrok – Used for tunneling traffic to maintain access. “Used for tunneling traffic to maintain access.”
- [T1203] Cobalt Strike – Utilized for command and control communication. “Utilized for command and control communication.”
- [T1486] Ransomware – Deployed LockBit 3.0 ransomware to encrypt data. “Deployed LockBit 3.0 ransomware to encrypt data.”
- [T1485] Wiper – Used wipers to destroy data and infrastructure. “Used wipers to destroy data and infrastructure.”
Indicators of Compromise
- [IP] Attacker infrastructure – 212.109.217.88, 195.2.79.195, and 109.205.56.229
- [Domain] Drop-me-files exfiltration domain – dropmefiles.net
- [File] Ransomware payloads – twelve.exe, enc.exe
- [File] Wiper payloads – intel.exe, wiper.exe
- [File] Web shell filenames (PHP) – F6d098f417.php, 3425b29f4e.php
- [File] Telegram tdata archive and related files – C:\Users\[User]\AppData\Roaming\Telegram Desktop\tdata\tdata.7z
- [URL] PowerView.ps1 source – https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
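As an added example (not part of the Securelist report or this summary), a small Python sweep that checks log lines against the indicators listed above; the log lines are constructed samples, and the field layouts are assumptions.

```python
import re

# Indicators as listed on this page (filenames lower-cased for comparison)
IOC_IPS = {"212.109.217.88", "195.2.79.195", "109.205.56.229"}
IOC_DOMAINS = {"dropmefiles.net"}
IOC_FILES = {"twelve.exe", "enc.exe", "intel.exe", "wiper.exe",
             "f6d098f417.php", "3425b29f4e.php", "tdata.7z"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
FILE_RE = re.compile(r"[\w.-]+\.(?:exe|php|7z)\b", re.IGNORECASE)


def match_line(line):
    """Return the set of (kind, indicator) pairs found in one log line."""
    hits = set()
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        # exact match or any subdomain of a listed domain
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(("domain", host))
    for name in FILE_RE.findall(line):
        if name.lower() in IOC_FILES:  # Windows filenames are case-insensitive
            hits.add(("file", name))
    return hits


def sweep(lines):
    """Return [(line_number, hits)] for every line that matched at least one IoC."""
    return [(n, m) for n, l in enumerate(lines, 1) if (m := match_line(l))]


# Constructed sample log lines (web server, proxy, Sysmon-style); not from the report
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jun/2024:10:00:01] "POST /uploads/F6d098f417.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jun/2024:10:02:13] "GET /index.php HTTP/1.1" 200 2048',
    "proxy: src=10.0.0.9 dst=files.dropmefiles.net:443 bytes_out=73400320",
    "proxy: src=10.0.0.9 dst=212.109.217.88:443 bytes_out=1024",
    "sysmon: Image=C:\\Windows\\Temp\\TWELVE.EXE ParentImage=C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for n, hits in sweep(SAMPLE_LOGS):
        print(f"line {n}: {sorted(hits)}")
```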
Read more: https://securelist.ru/twelve-group-unified-kill-chain/110128/