
Hacktivist Groups Collaborating: Revealing Links to TTPs


Cybersecurity researchers have recently made a significant breakthrough in uncovering a connection between two hacktivist groups known as BlackJack and Twelve. This discovery sheds light on their shared tactics, techniques, and procedures (TTPs), indicating a potential collaboration or mutual objectives between the two groups.

The revelation of shared tools, malware, and similar attack patterns targeting Russian entities has sparked interest and concern within the cybersecurity community. This finding suggests a level of sophistication in the methods employed by these groups and raises questions about their motivations and intentions.

BlackJack, which emerged in late 2023, has gained notoriety for its attacks on Russian companies and government agencies. The group’s Telegram channel has openly declared its mission to exploit vulnerabilities in Russian networks, with over a dozen attacks attributed to them by June 2024. BlackJack’s reliance on readily available software tools like PuTTY and Shamoon sets it apart from more advanced threat actors who often develop proprietary tools.

Twelve, the other group under scrutiny, shares many similarities with BlackJack in terms of target selection and tool usage. Both groups have been found to employ publicly available software for their attacks, demonstrating a resourcefulness that compensates for a lack of more advanced capabilities. The discovery of common malware samples and attack methodologies through Kaspersky’s telemetry and threat intelligence solutions underscores the overlapping nature of their operations.

An in-depth analysis of the investigation reveals that both BlackJack and Twelve have used similar versions of the Shamoon wiper and LockBit ransomware in their campaigns. The use of these malware samples in identical directories across different attacks indicates a systematic approach to spreading malicious code throughout targeted infrastructures.

Remote access tools (RATs) play a crucial role in maintaining persistent access to compromised systems for both groups. While BlackJack relies on tools like AnyDesk for external connections, Twelve utilizes PuTTY for SSH connections within the networks it targets. This consistent use of remote access tools highlights the importance both groups place on maintaining access for reconnaissance, data theft, and further exploitation.

The investigation also uncovered shared commands and procedures used by both groups for tasks like creating scheduled jobs and clearing event logs. These standardized procedures reflect a methodical approach to carrying out attacks while evading detection. The similarity in TTPs between BlackJack and Twelve suggests a level of coordination or a common objective in their operations, particularly against Russian entities.
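A defender-side correlation of the two shared procedures named above, scheduled-job creation followed by event-log clearing, as an added example that is not from the article or from Kaspersky's research. The log records, host names and task names are constructed; the event IDs used are the standard Windows ones.

```python
# Added example (not from the article): flag hosts where a scheduled task was
# created and an event log was cleared shortly afterwards, the two procedures
# the article says BlackJack and Twelve share. Event IDs are the standard
# Windows ones: 4698 (scheduled task created), 1102 (Security log cleared),
# 104 (System log cleared). The record layout is a constructed simplification.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, event_id, detail)
SAMPLE_EVENTS = [
    ("2024-06-01T10:00:05", "srv-01", 4698, "TaskName=\\Updater"),
    ("2024-06-01T10:02:11", "srv-01", 4624, "LogonType=10"),
    ("2024-06-01T10:03:40", "srv-01", 1102, "Security log cleared"),
    ("2024-06-01T11:15:00", "srv-02", 4698, "TaskName=\\Backup"),
    ("2024-06-02T09:00:00", "srv-03", 1102, "Security log cleared"),
]

TASK_CREATED = 4698
LOG_CLEARED = {1102, 104}


def find_task_then_clear(events, window_minutes=30):
    """Return (host, task_time, clear_time) triples where a scheduled task was
    created and an event log was cleared on the same host within the window.
    Either event alone is routine; the sequence is the signal worth triage."""
    by_host = defaultdict(list)
    for ts, host, eid, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), eid, detail))
    hits = []
    window = timedelta(minutes=window_minutes)
    for host, recs in by_host.items():
        recs.sort()
        task_times = [t for t, eid, _ in recs if eid == TASK_CREATED]
        for t, eid, _ in recs:
            if eid in LOG_CLEARED:
                # Pair the clearing with the first preceding task creation
                # inside the window; one hit per clearing event is enough.
                for tt in task_times:
                    if tt <= t <= tt + window:
                        hits.append((host, tt.isoformat(), t.isoformat()))
                        break
    return hits


if __name__ == "__main__":
    for host, created, cleared in find_task_then_clear(SAMPLE_EVENTS):
        print(f"{host}: task created {created}, log cleared {cleared}")
```

Only srv-01 shows the full sequence in the sample; srv-02 and srv-03 each have one event in isolation and are not flagged.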

The impact of these groups’ activities has been felt predominantly in Russia’s government, telecommunications, and industrial sectors. Their focus on disrupting operations, manipulating data, and stealing information underscores the malicious intent behind their attacks. The discovery of shared TTPs between BlackJack and Twelve highlights the evolving threat posed by hacktivist groups and underscores the need for stronger cybersecurity defenses.

As organizations face the challenge of mitigating risks posed by these groups, understanding the connections between disparate threat actors can provide valuable insights into their strategies and motives. By staying vigilant and adapting their defenses to combat evolving threats, organizations can better protect themselves against cyber attacks orchestrated by hacktivist groups.

In conclusion, the revelation of a connection between BlackJack and Twelve sheds light on the collaborative nature of threat actors in the cyber domain. By studying their shared tactics and methodologies, cybersecurity professionals can enhance their defenses and respond more effectively to the evolving threat landscape.
