Cataclysmic cyberattacks involving public tools have been launched by the Twelve hacktivist operation against Russia since its emergence in April 2023, according to The Hacker News.
After obtaining initial access via local or domain account exploitation, Twelve proceeds to leverage Remote Desktop Protocol to facilitate further infrastructure penetration, as well as utilize other tools, including Cobalt Strike, Chisel, Mimikatz, Advanced IP Scanner, and PsExec to steal credentials, map networks, and escalate privileges, a report from Kaspersky revealed. Attacks by the hacktivist group also involved the delivery of several webshells with arbitrary command execution, file transfer, and email distribution capabilities, as well as a number of PowerShell scripts enabling Access Control List modifications and Sophos security software process termination, before launching a LockBit 3.0 ransomware variant and a Shamoon malware-like wiper that terminated processes and overwritten file contents, respectively. Further analysis of the operation discovered similarities with the DARKSTAR ransomware gang, also known as Shadow or Comet. "...[W]hereas Twelve's actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern. This variation of objectives within the syndicate underscores the complexity and diversity of modern cyber threats," researchers added.
