In the world of cybercrime, nothing is ever as it seems. Hacktivist groups like BlackJack remind us of this truth with their unique blend of socio-political mischief and outright destruction. In a recent report by Kaspersky’s Securelist (yes, the folks who know everything about everything malware), we’re introduced to this rogue cybercrime group, which surfaced in late 2023. But here’s the kicker: BlackJack isn’t just another hacktivist group making noise online. Oh no, they’ve stirred up more than just digital mayhem—they’ve triggered uncanny parallels with a familiar name in hacktivism: the Twelve group.
BlackJack may not have the deep pockets or sophisticated tools of an APT (Advanced Persistent Threat), but what they lack in budget, they more than make up for with ingenuity and a penchant for chaos. And as if that wasn’t enough, Securelist’s research has uncovered suspicious links between BlackJack and Twelve. It’s like finding out your two favorite villains have been sharing notes all along. Let’s unpack what this means for cybersecurity—and why it’s fascinating in a twisted sort of way.
Who Are the BlackJack Group?
BlackJack isn’t out to steal your money—nope, they’re aiming for something far more destructive. This group has claimed responsibility for several attacks on Russian organizations, though not all of their escapades have been made public. Their weapons of choice? Open-source and freely available software. Think of them as the “bargain bin hackers,” yet still every bit as lethal. Among their tools, you’ll find the Shamoon wiper, a notorious malware capable of wiping hard drives clean as if they were never used. Oh, and let’s not forget their use of a leaked version of LockBit ransomware—because nothing says “we mean business” like borrowed destructive tools.
BlackJack doesn’t care about ransoms, though. Their aim is more reminiscent of a digital vandal: create chaos, destroy data, and leave a trail of wreckage. The ransom notes they leave are almost just for show, making it clear that they have no intention of negotiating for Bitcoin or any other currency. Their motives? Mostly political, as evidenced by their focus on Russian organizations and government entities.
A DIY Cyber Attack Kit: BlackJack’s Favorite Tools
BlackJack is not your typical, flashy cybercrime syndicate. They don’t mess with custom-built malware that takes months of development—no, they’re more like a punk band with a few cheap instruments and a lot of attitude. They use open-source software that anyone with a Wi-Fi connection can grab, but in their hands, these tools are as dangerous as any high-end, government-backed malware.
Here’s a quick look at their minimalist toolkit:
- Shamoon Wiper: This piece of malware can delete everything on a target machine, rendering it inoperable. BlackJack has given Shamoon a bit of a facelift, rewriting parts of it in Go, which keeps it lightweight but every bit as devastating.
- LockBit Ransomware: While typically used to extort victims for cash, BlackJack uses a leaked version of LockBit not for monetary gain, but just for the sheer thrill of wiping systems. It’s like borrowing your neighbor’s baseball bat just to smash your own windows. They clearly aren’t in it for the payday.
- Ngrok: A favorite tunneling tool, Ngrok lets them bypass pesky firewalls and maintain persistent access to compromised systems. It’s essentially their “get back in” card, letting them create covert tunnels that allow remote control long after the initial breach.
All of this adds up to one alarming reality: you don’t need fancy tools to wreck systems. You just need to know how to weaponize the everyday ones.
It’s Not About the Money—It’s About the Message
Unlike traditional cybercrime groups that are in it for the Bitcoin, BlackJack is purely in it for the chaos. Their use of LockBit ransomware is a clear indicator. They don’t actually care about ransoms; their goal is to leave networks in ruins. The ransom notes they leave are almost an afterthought—symbolic reminders that they could extort you if they wanted to, but instead, they’d rather just burn your network to the ground.
This twist puts BlackJack in a unique position among hacktivist groups. Most ransomware attacks are about profit; BlackJack’s attacks are about sending a message. They target organizations based in Russia, causing as much damage as possible without bothering with the usual “pay us or else” ultimatum. If that’s not the ultimate flex in the hacktivist world, what is?
A Strange Déjà Vu: The Connection to Twelve
Now, this is where things get weird. It turns out that BlackJack’s antics bear a suspicious resemblance to another hacktivist group: Twelve. If you haven’t heard of Twelve, they’re infamous for using publicly available malware in their attacks and wreaking havoc on similar targets—like two peas in a destructive pod.
Here’s the catch: BlackJack’s malware samples have almost identical code to those used by Twelve. Both groups have a soft spot for LockBit ransomware and the Shamoon wiper, and they even store their malicious files in nearly identical directories on compromised systems. Coincidence? Probably not. The overlap is too uncanny to ignore.
Identical Tools, Identical Havoc
Let’s break down the malware connections:
- LockBit Ransomware: Both groups use this destructive malware, but it’s the same leaked version with eerily similar exclusion lists (the files, directories, and extensions they decide to leave untouched). Why would two different groups use the exact same configuration? You guessed it—there’s likely some level of coordination or, at the very least, shared resources.
- Shamoon Wiper: Both BlackJack and Twelve love their wipers, especially Shamoon. And not just any version—theirs have been slightly tweaked (rewritten in Go) but are otherwise carbon copies of each other. It’s like watching two different chefs prepare the same meal with the exact same recipe.
Even their attack methodologies line up: they breach networks, plant their ransomware or wiper in identical directories, and then sit back while their malware goes to work. At this point, the only significant difference is the name slapped on the ransom note.
Who’s Really Behind the Curtain?
The evidence suggests that BlackJack and Twelve might not be two separate entities at all. Perhaps they’re two sides of the same hacktivist coin, or maybe they share resources, tips, and even malware samples. It’s all part of a larger, more coordinated hacktivist cluster aimed squarely at destabilizing Russian organizations. We may never know the full story, but the breadcrumbs are there for anyone willing to follow the trail.
Attack Methodology: Simple Yet Devastating
BlackJack and Twelve’s attacks may seem straightforward, but they’re brutally effective. By sticking to publicly available tools and targeting networks in a surgical manner, they’ve managed to pull off attacks that leave organizations reeling. Here’s a breakdown of how they typically work:
- Initial Breach: The attackers use legitimate remote access tools like PuTTY and AnyDesk to worm their way into target networks. It’s the hacking equivalent of using a master key—nothing flashy, just effective.
- Spreading the Infection: Once inside, they plant their malicious payloads in shared directories like Sysvol\domain\scripts or C:\ProgramData. These directories allow them to spread their ransomware or wipers across entire networks.
- Pulling the Trigger: After setting up, they execute their malware using scheduled tasks, which ensure their payloads run at specific times. This precision allows them to wreak maximum havoc at the most opportune moment.
- Sticking Around: Even after the dust settles, BlackJack makes sure they can come back for more, thanks to ngrok. The tool lets them tunnel back into compromised systems long after their initial attack, making detection and clean-up that much harder.
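A defender-side illustration of the staging, scheduled-task and ngrok steps above, added here as an example that is not from the Securelist report or the original post: it flags scheduled tasks whose action runs a binary out of the staging directories named above, binaries launched from those directories, and any execution of ngrok. The event records are constructed, and their field names are simplified assumptions loosely modelled on Windows Security event 4698 (scheduled task created) and Sysmon event 1 (process creation).

```python
import re

# Staging directories named in the report, matched case-insensitively against a path.
STAGING_DIR_RE = re.compile(r"(?:\\sysvol\\domain\\scripts\\|^c:\\programdata\\)", re.IGNORECASE)
# The ngrok tunnel client, by image name, wherever it was dropped.
NGROK_RE = re.compile(r"(?:^|\\)ngrok(?:\.exe)?\b", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return finding labels for one constructed event.

    Hypothetical keys: "id" (event id as a string), "path" (the task action for
    4698 or the process image for Sysmon 1) and "task" (task name, 4698 only).
    """
    findings = []
    path = ev.get("path", "")
    if ev["id"] == "4698" and STAGING_DIR_RE.search(path):
        findings.append(f"scheduled task '{ev.get('task')}' runs payload from staging dir: {path}")
    if ev["id"] == "1":
        if NGROK_RE.search(path):
            findings.append(f"ngrok tunnel client executed: {path}")
        elif STAGING_DIR_RE.search(path) and path.lower().endswith(".exe"):
            findings.append(f"binary launched from staging dir: {path}")
    return findings


def scan(events: list[dict]) -> list[str]:
    """Run check_event over a batch of events and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events (not real telemetry); corp.local is a placeholder domain.
SAMPLE_EVENTS = [
    {"id": "4698", "task": "Backup", "path": r"C:\Program Files\Vendor\backup.exe"},
    {"id": "4698", "task": "Update", "path": r"C:\ProgramData\svchost.exe"},
    {"id": "4698", "task": "Sync", "path": r"\\corp.local\SYSVOL\domain\scripts\s.exe"},
    {"id": "1", "path": r"C:\Users\ops\Downloads\ngrok.exe"},
    {"id": "1", "path": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Event 4698 only appears when "Audit Other Object Access Events" is enabled, so confirm the audit policy before relying on this logic.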
The Larger Implications: When Simple Tools Create Complex Problems
What’s terrifying about BlackJack is how they’ve turned basic, easily accessible tools into a devastating cyber weapon. Their attacks serve as a stark reminder that you don’t need fancy, nation-state level malware to bring down networks. A wiper here, a ransomware sample there, and you can cause some serious damage with little more than elbow grease and an internet connection.
So what’s the moral of the story? If BlackJack can achieve this level of destruction with publicly available tools, what could more sophisticated groups achieve? It’s enough to keep any cybersecurity professional up at night.
FAQs: Breaking It Down Further
What’s the BlackJack group’s primary goal?
Unlike traditional cybercriminal groups, BlackJack isn’t after financial gain. They aim to cause as much damage as possible to Russian organizations by deploying malware like Shamoon and LockBit, often wiping or encrypting data without demanding ransom.
How are BlackJack and Twelve connected?
The two groups share a disturbingly similar toolkit. Both use versions of Shamoon and LockBit, with overlapping attack methods, indicating a possible collaboration or shared resources.
How does BlackJack maintain access after their initial attack?
They use ngrok, a tunneling tool that creates covert channels back into the compromised network, allowing them to regain access even after detection.
What’s so dangerous about BlackJack’s attacks?
Their simplicity. By using widely available tools and software, BlackJack demonstrates that you don’t need advanced or custom-built malware to cause catastrophic damage.
Are BlackJack’s attacks preventable?
Yes, but it requires diligence. Network segmentation, regular patching, and continuous monitoring of suspicious activity are essential to defending against such attacks.
Conclusion: Chaos, But With a Purpose
At the end of the day, BlackJack and Twelve aren’t just causing destruction for the sake of it—they’re sending a message. Whether they’re the same group or just closely related hacktivist buddies, their goal is clear: destabilize, disrupt, and damage. And they’re doing it using free tools that anyone can find online.
So, the next time you update your network security, just remember: it doesn’t take a well-funded cybercriminal group to wreak havoc. Sometimes, all it takes is a copy of ngrok, a little malware, and a whole lot of bad intentions.