Cyber Hacktivist Group “Twelve” Intensifies Attacks on Russian Entities

The notorious cyber hacktivist group “Twelve” has resurfaced, launching a series of devastating cyberattacks targeting key Russian entities in recent months. Known for their destructive methods, Twelve has made headlines once again by using highly disruptive tactics, including ransomware and wiper malware, designed to cripple the IT infrastructures of their targets without any financial gain. The group’s motivation appears rooted in hacktivism, aiming to disrupt and damage Russian organizations amidst ongoing geopolitical tensions.

Background of Twelve

Twelve first emerged in 2023, amidst the conflict between Russia and Ukraine. Their attacks have consistently targeted Russian government organizations and critical infrastructure. Rather than seeking ransom, Twelve’s approach has always been to cause as much operational damage as possible. This aligns with the group’s hacktivist ideology, which prioritizes disruption over monetary rewards.

What makes Twelve stand out is their ability to conduct sophisticated attacks using publicly available tools such as Cobalt Strike, mimikatz, and Advanced IP Scanner. They often gain initial access to systems through vulnerable points such as VPN servers or contractor networks, using these as stepping stones to infiltrate their primary targets. Their typical modus operandi includes exfiltrating sensitive data, encrypting systems, and deploying wipers to permanently erase critical files, making recovery incredibly challenging for the affected organizations.

Recent Wave of Attacks

In the past few months, Twelve’s attacks have become more frequent and more destructive. In their latest campaign, the group launched cyberattacks on various Russian government departments, financial institutions, and energy companies. Reports from cybersecurity firms indicate that Twelve is actively utilizing wiper malware in addition to ransomware techniques, suggesting a focus on not just causing operational downtime but also inflicting long-term damage to Russian infrastructure.

For instance, several Russian organizations have reported severe data loss, as attackers encrypted their files and then deployed malware that permanently deleted backups. These attacks echo similar strategies used by the group in early 2024, when they targeted Russian financial entities and exfiltrated sensitive data, only to later post it publicly on social media platforms like Telegram.

Twelve’s Tools and Tactics

The tools and techniques employed by Twelve are particularly notable because they are freely available and widely used by both ethical hackers and malicious actors. Their go-to arsenal includes Cobalt Strike, mimikatz for credential harvesting, and tools like CrackMapExec for lateral movement within networks. One of their most effective strategies is gaining access to a target’s infrastructure through compromised contractor accounts or VPN credentials. This allows them to bypass traditional security measures and move freely within an organization’s network.

Once inside, Twelve’s approach is swift and systematic. They tend to plant backdoors, such as PHP-based web shells, on compromised servers to maintain persistence. These backdoors allow them to continuously exfiltrate sensitive data or deploy more destructive malware, such as their signature wipers, which ensure that data is irretrievably lost. In some cases, they also employ ransomware to lock down systems, further complicating recovery efforts for their victims.

Potential Collaboration with Other Cybercriminals

Interestingly, Twelve’s recent activities have drawn parallels with the DARKSTAR ransomware group, formerly known as Shadow or COMET. Some cybersecurity analysts believe that the two groups share infrastructure and tactics, leading to speculation that they might be part of a larger cybercriminal syndicate. While DARKSTAR focuses more on financial extortion through classic double-extortion ransomware attacks, Twelve’s primary aim is pure disruption, likely driven by their political agenda rather than profit.

Global Reactions and Implications

The resurgence of Twelve’s attacks has heightened concerns globally, especially as Russia continues to be a focal point for hacktivist groups and cybercriminals alike. These attacks underscore the growing threat posed by politically motivated hackers in a world where cyber warfare is becoming increasingly common.

Russian authorities have struggled to cope with these recurring attacks. Efforts to mitigate the damage have been complicated by the group’s ability to remain hidden and adapt to new security defenses. Some organizations have reported that after restoring their systems, they were hit again by subsequent attacks, indicating that Twelve is persistent and well-prepared.

Looking forward, cybersecurity experts anticipate that Twelve will continue to evolve their methods, possibly leveraging more advanced tools and exploits in future attacks. The group’s alignment with other cybercriminal organizations also points to the potential for more coordinated and larger-scale operations.

In response, governments and organizations worldwide are reinforcing their cybersecurity strategies to defend against this and other emerging threats. However, the challenge remains considerable, as Twelve continues to exploit human and technical vulnerabilities to devastating effect.

Conclusion

As Twelve continues to target Russian entities with relentless cyberattacks, their actions highlight the critical importance of robust cybersecurity measures and the growing influence of hacktivism in modern conflicts. The group’s use of wiper malware and publicly available tools underscores the need for constant vigilance and preparedness in defending against such unpredictable and highly destructive actors.

For more details, you can refer to cybersecurity reports from sources such as SEPE and Kaspersky​(SEPE)​(Securelist).