“Uncovering Connections: From 12 to 21 in the Twelve and BlackJack Groups”

Two hacktivist groups, BlackJack and Twelve, show overlapping TTPs, tools, and malware targeting Russian organizations, suggesting they belong to a single activity cluster. The report highlights Shamoon wipers, LockBit ransomware, and shared infrastructure like ngrok and remote access utilities, underscoring a broader, non-financial damage objective. Hashtags: #Shamoon #LockBit #BlackJack #Twelve #Ngrok #AnyDesk #PuTTY

Keypoints

  • BlackJack is a hacktivist group targeting Russian organizations, emerging in late 2023.
  • The group uses open-source tools like Shamoon wiper and LockBit ransomware.
  • Both BlackJack and Twelve share similar malware and tactics, suggesting they may belong to the same activity cluster.
  • Malware samples from both groups were found in identical directories, indicating coordinated operations.
  • Both groups aim to cause damage rather than financial gain, focusing on encrypting and deleting data.
  • New activity resembling BlackJack and Twelve’s methods was also discovered, indicating a broader threat landscape.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Quote: “Both groups use ransomware (LockBit) to encrypt victim data.”
  • [T1485] Data Destruction – Quote: “Utilization of Shamoon wiper to delete data.”
  • [T1219] Remote Access Tools – Quote: “Installation of remote access tools like AnyDesk and Radmin for persistent access.”
  • [T1053] Scheduled Task – Quote: “Creation of scheduled tasks to execute malware and wipers.”
  • [T1059] Command-Line Interface – Quote: “Use of PowerShell and command-line commands for executing tasks and malware.”

Indicators of Compromise

  • [Hash] MD5 – 39B91F5DFBBEC13A3EC7CCE670CF69AD, ED5815DDAD8188C198E0E52114173CB6
  • [Hash] MD5 – 5F88A76F52B470DC8E72BBA56F7D7BB2
  • [File name] – bj.exe, wip.exe
  • [Directory/Path] – Sysvol\domain\scripts, C:\ProgramData
  • [URL] – https://securelist.com/blackjack-hacktivists-connection-with-twelve/113959/, https://securelist.com/twelve-group-unified-kill-chain/113877/
  • [Service] – Radmin Server V3, AnyDesk Service
  • [Scheduled Task] – run1, def
  • [Tool/Software] – Ngrok, PuTTY
  • [Ransomware] – LockBit
  • [Wiper] – Shamoon
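The indicators above are the kind a SOC would sweep endpoint telemetry for: file hashes, the dropped file names, the scheduled task names and the remote access services. The following is an added example (not code from the Securelist report or from either group) that matches those indicators against constructed sample events. The `key=value` event format and every sample line are assumptions made for illustration; the indicator values themselves are taken from the list above.

```python
"""Sweep endpoint events for the BlackJack/Twelve indicators listed above.

Added example; the event format is a constructed key=value layout, not a
real product's log schema, and the sample events below are invented.
"""
import re
from typing import NamedTuple

# Indicator sets taken from the report's IoC list (lower-cased for matching).
IOC_HASHES = {
    "39b91f5dfbbec13a3ec7cce670cf69ad",
    "ed5815ddad8188c198e0e52114173cb6",
    "5f88a76f52b470dc8e72bba56f7d7bb2",
}
IOC_FILENAMES = {"bj.exe", "wip.exe"}
IOC_TASKNAMES = {"run1", "def"}
IOC_SERVICES = {"radmin server v3", "anydesk service"}

# Constructed sample events (assumed format: space-separated key=value pairs,
# values containing spaces are double-quoted). Hosts, users and paths are made up.
SAMPLE_LOG = """\
event=FileCreate path=C:\\ProgramData\\bj.exe md5=39B91F5DFBBEC13A3EC7CCE670CF69AD user=CORP\\svc-backup
event=FileCreate path=C:\\Users\\alice\\report.docx md5=0123456789ABCDEF0123456789ABCDEF user=CORP\\alice
event=TaskCreate taskname=run1 command=C:\\ProgramData\\wip.exe user=CORP\\Administrator
event=TaskCreate taskname=NightlyBackup command=C:\\Tools\\backup.ps1 user=CORP\\svc-backup
event=ServiceInstall servicename="Radmin Server V3" image=C:\\Windows\\rserver3.exe user=SYSTEM
event=FileCreate path=\\\\corp.example\\sysvol\\corp.example\\scripts\\wip.exe md5=5F88A76F52B470DC8E72BBA56F7D7BB2 user=CORP\\Administrator
"""

# One key=value pair; the quoted alternative is tried first so spaces survive.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


class Match(NamedTuple):
    line_no: int
    indicator_type: str
    value: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def match_event(fields: dict) -> list:
    """Return (indicator_type, value) pairs for every indicator the event hits."""
    hits = []
    md5 = fields.get("md5", "").lower()
    if md5 in IOC_HASHES:
        hits.append(("hash", md5))
    # File-name indicators apply to created files and to task command lines.
    path = fields.get("path") or fields.get("command") or ""
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in IOC_FILENAMES:
        hits.append(("filename", basename))
    task = fields.get("taskname", "").lower()
    if task in IOC_TASKNAMES:
        hits.append(("taskname", task))
    service = fields.get("servicename", "").lower()
    if service in IOC_SERVICES:
        hits.append(("service", service))
    return hits


def scan(log_text: str) -> list:
    """Scan every non-empty line and collect Match records with line numbers."""
    matches = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        for kind, value in match_event(parse_event(line)):
            matches.append(Match(line_no, kind, value))
    return matches


def summarize(matches: list) -> dict:
    """Count matches per indicator type, e.g. {'hash': 2, 'filename': 3, ...}."""
    counts = {}
    for m in matches:
        counts[m.indicator_type] = counts.get(m.indicator_type, 0) + 1
    return counts


if __name__ == "__main__":
    for m in scan(SAMPLE_LOG):
        print(f"line {m.line_no}: {m.indicator_type} indicator hit -> {m.value}")
    print(summarize(scan(SAMPLE_LOG)))
```

Hash and name matches are deliberately reported separately: a renamed `bj.exe` still trips the hash check, while a rebuilt binary with the same drop name still trips the file-name check, and a task named `run1` or `def` is flagged regardless of what it launches. Treat single-field hits such as the very generic task name `def` as leads to triage against the surrounding events rather than as verdicts on their own.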

Read more: https://securelist.com/blackjack-hacktivists-connection-with-twelve/113959/