A threat actor that emerged in 2023 has raised concerns by targeting Russian government organizations with ransomware attacks. The group specializes in encrypting and deleting victim data, exfiltrating sensitive information, and inflicting maximum damage on critical assets within these organizations.
The attackers scan Russian IP address ranges to identify VPN servers and applications that could serve as entry points into target organizations or their contractors. By exploiting vulnerabilities in contractors’ infrastructure, they gain access to the contractors’ customers’ networks, using stolen credentials and RDP to move laterally and compromise sensitive systems.
One of the primary methods used by the threat actor is deploying various web shells, primarily in PHP, to compromise web servers. These shells allow them to execute commands, move files, and send emails. Many of these shells are publicly available tools found in common locations like Bitrix folders.
Exploiting vulnerabilities such as CVE-2021-21972 and CVE-2021-22005 in vCenter Server, the attackers deploy web shells and load the FaceFish backdoor, which injects itself into the SSH process. Using PowerShell and net.exe, they add domain accounts and groups, modify ACLs, and distribute malware through the Task Scheduler and group policies to gain control of the domain infrastructure.
To evade detection, the threat actor disguises malware and tasks under legitimate names, clears event logs and RDP connection history, and uses tools like Cobalt Strike and PowerShell for command and control operations and payload distribution. They also employ Ngrok to create a remote access tunnel to compromised systems, disguising it as a legitimate system service listening on port 3389.
The adversaries use self-written PowerShell (.ps1) and batch (.bat) scripts to disable security software and potentially gather domain information. The Task Scheduler is used to run malicious tasks that deploy ransomware and wipers on all domain machines; the tasks are triggered by group policy modifications, with the malicious files copied from a network share.
Additionally, tools such as mimikatz, reg.exe, ntdsutil.exe and All-In-One Password Recovery Pro are used to extract credentials from compromised systems, enabling lateral movement within the victim’s network. Sensitive victim data is also exfiltrated by copying Telegram’s cached data folder, compromising privacy and potentially enabling account impersonation.
LockBit 3.0 ransomware is deployed to encrypt data; it is spread via group policies and PowerShell scripts, terminates security software and deletes event logs. A publicly available wiper is also used to destroy data by overwriting the MBR, file contents and metadata before deleting itself and shutting down the system.
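The domain-side behaviours summarised in the preceding paragraphs (accounts added to privileged groups with net.exe, scheduled tasks pulling binaries from a network share, cleared event logs, a fake "system service" bound to port 3389, and credential extraction with mimikatz, ntdsutil.exe and reg.exe) all leave traces in standard Windows telemetry. The following Python script is an added example, not code from Kaspersky's report or from this summary: it runs a small set of triage rules over constructed Windows Security, System and Sysmon records. The event records, the simplified field names, the privileged-group list and the rule names are all assumptions made for the example; the event IDs (4720, 4728/4732, 4698, 1102, 7045 and Sysmon 1) are the real ones.

```python
"""Rule-based triage of Windows event records for the behaviours summarised
above. Added example, not code from Kaspersky's report or the summary: the
records are constructed, the field names follow the Windows Security, System
and Sysmon logs in simplified form, and the privileged-group list and rule
names are assumptions."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    event_id: int
    channel: str            # "Security", "System" or "Sysmon"
    data: dict = field(default_factory=dict)


# Assumed list of groups whose membership changes deserve review.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
# Directories from which a freshly installed service binary is expected to run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Registry hives whose export yields credential material.
CREDENTIAL_HIVES = {"sam", "security", "system"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").split("\\")[-1].lower()


def _tokens(command_line: str) -> set:
    # Word tokens regardless of quoting style, so ifm and "ifm" match alike.
    return set(re.findall(r"[a-z0-9_]+", command_line.lower()))


def triage(events):
    """Return (rule_name, event_index) pairs for records matching a rule."""
    findings = []
    created_accounts = set()          # accounts created earlier in the stream
    for i, ev in enumerate(events):
        d = ev.data
        if ev.channel == "Security" and ev.event_id == 4720:
            # Account creation on its own is only context for the next rule.
            created_accounts.add(d["TargetUserName"].lower())
        elif ev.channel == "Security" and ev.event_id in (4728, 4732):
            member = d["MemberName"].split("\\")[-1].lower()
            if d["TargetUserName"].lower() in PRIVILEGED_GROUPS:
                rule = ("new_account_added_to_privileged_group"
                        if member in created_accounts else "privileged_group_change")
                findings.append((rule, i))
        elif ev.channel == "Security" and ev.event_id == 4698:
            # Scheduled task whose action runs a binary from a UNC share.
            if d["Command"].lower().startswith("\\\\"):
                findings.append(("task_runs_binary_from_network_share", i))
        elif ev.channel == "Security" and ev.event_id == 1102:
            findings.append(("security_log_cleared", i))
        elif ev.channel == "System" and ev.event_id == 7045:
            image = d["ImagePath"].lower()
            # A "system service" installed outside the system directories, or
            # one whose arguments reference the RDP port, matches the Ngrok trick.
            if not image.startswith(SYSTEM_DIRS) or re.search(r"\b3389\b", image):
                findings.append(("suspicious_service_install", i))
        elif ev.channel == "Sysmon" and ev.event_id == 1:
            exe = _basename(d["Image"])
            original = d.get("OriginalFileName", "").lower()
            toks = _tokens(d.get("CommandLine", ""))
            if "mimikatz.exe" in (exe, original):
                # OriginalFileName survives renaming of the binary on disk.
                findings.append(("credential_dumping_tool", i))
            elif exe == "ntdsutil.exe" and "ifm" in toks:
                findings.append(("ntds_export_via_ntdsutil", i))
            elif exe == "reg.exe" and "save" in toks and toks & CREDENTIAL_HIVES:
                findings.append(("registry_hive_save", i))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event(4720, "Security", {"TargetUserName": "svc_backup", "SubjectUserName": "admin01"}),
    Event(4728, "Security", {"TargetUserName": "Domain Admins", "MemberName": "CORP\\svc_backup"}),
    Event(4698, "Security", {"TaskName": "\\Microsoft\\Windows\\Update",
                             "Command": "\\\\dc01\\netlogon\\update.exe"}),
    Event(4698, "Security", {"TaskName": "\\Backup", "Command": "C:\\Program Files\\Backup\\bk.exe"}),
    Event(1102, "Security", {"SubjectUserName": "admin01"}),
    Event(7045, "System", {"ServiceName": "TermService",
                           "ImagePath": "C:\\Users\\Public\\svchost.exe tcp 3389"}),
    Event(7045, "System", {"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}),
    Event(1, "Sysmon", {"Image": "C:\\Windows\\System32\\ntdsutil.exe",
                        "CommandLine": 'ntdsutil.exe "ifm" "create full C:\\temp" q q'}),
    Event(1, "Sysmon", {"Image": "C:\\Windows\\System32\\reg.exe",
                        "CommandLine": "reg save HKLM\\SAM C:\\temp\\sam.hiv"}),
    Event(1, "Sysmon", {"Image": "C:\\Users\\Public\\taskhost.exe",
                        "OriginalFileName": "mimikatz.exe", "CommandLine": "taskhost.exe"}),
    Event(1, "Sysmon", {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}),
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{rule:40s} event #{idx} ({ev.channel} {ev.event_id})")
```

Two design points are worth noting. The account-creation rule keeps state across the stream, so a brand-new account landing in Domain Admins is scored differently from a routine membership change; and the Sysmon rule checks the PE header's OriginalFileName as well as the on-disk name, which is what catches tooling that has been renamed to blend in with legitimate system binaries, as the summary above describes. The Spooler, notepad.exe and locally installed backup-task records are included as negatives so the rules can be checked for false positives on benign activity.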
According to Kaspersky, Twelve is a hacktivist group focused on causing maximum damage to target organizations through data destruction and infrastructure disruption using publicly available tools. Their actions highlight the importance of cybersecurity measures to protect against such threats and secure sensitive information within organizations.
Overall, the threat actor’s tactics represent a significant risk to Russian government organizations and underscore the need for enhanced cybersecurity measures to mitigate the impact of ransomware attacks and data breaches on critical assets.