-=TWELVE=- Is Just Getting Started: The Cyber-Drama That’s Only Heating Up

Cybersecurity has always been a cat-and-mouse game, but lately, the mouse has evolved into a full-fledged menace. Enter -=TWELVE=-, a group of hacktivists that don’t care much for your sensitive data—except when it comes to exposing it. You might have heard about ransomware gangs, but here’s the fun twist: Twelve doesn’t seem interested in your Bitcoin wallet. Instead, they’ll just wipe your servers clean, laugh at your misery, and casually post your secrets online for the world to see. Lovely, right?

Before diving into the chaos this group brings, credit where it’s due—Kaspersky’s Securelist has been monitoring Twelve’s antics and released a detailed analysis, breaking down their methods, tools, and objectives. It’s thanks to their investigative deep-dive that we have a clearer picture of just how destructive (and honestly, kind of relentless) Twelve has become in the cyber world. So, let’s take a closer look at how Twelve isn’t just another ransomware group—they’re something far worse.

Who Is -=TWELVE=- and Why Should You Care?

Twelve’s roots trace back to April 2023, set against the chaotic backdrop of the Russian-Ukrainian conflict. But before you start thinking they’re just another politically motivated hacker group, let’s make one thing clear: their modus operandi is absolute chaos. Sure, they may have started out targeting Russian government organizations, but their focus has shifted far beyond borders. And if you think your average small business is safe, think again.

This group doesn’t just lock up your data. No, no. They go the extra mile by deleting it, ensuring that whatever headaches you had before quickly evolve into a full-blown corporate migraine. Their strategy? Damage as much as possible and cause mayhem that leaves businesses crippled.

Double the Chaos, Double the Fun: Twelve’s Close Friends

In the world of ransomware and wipers, you’d expect lone wolves. But Twelve? Nah. They share infrastructure, techniques, and even tools with other notorious cyber groups. Case in point: their cozy relationship with a group once known as Shadow or COMET. While Twelve prefers the scorched-earth strategy of wiping out your data, their buddies, like DARKSTAR, stick to the traditional ransomware game—because why not keep things diverse? It’s like they’re tag-teaming the cyber realm, making sure no one gets too comfortable.

The Classic Kill Chain Gets an Upgrade (Or, You Know, Twelve Just Wants to Watch the World Burn)

You’ve probably heard of the Unified Kill Chain—cybersecurity’s way of explaining how attacks move from point A (getting in) to point Z (completely owning your systems). But when it comes to Twelve, you might want to add a few more letters to that alphabet because they don’t just follow the script—they rip it apart.

1. Reconnaissance: Spying on You, Probably as We Speak

Twelve loves a good recon mission. They aren’t just flying blind into systems. Instead, they scan IP address ranges across Russia (and likely elsewhere) to identify VPN servers, applications, and whatever else they can use as a backdoor. Do they use cutting-edge tools? Nope. They use well-known, freely available tools. It’s like breaking into Fort Knox using a crowbar from Walmart. You almost want to respect the audacity.

2. Initial Access: Hello? It’s Twelve Calling

Most of the time, Twelve gets in through valid credentials. Maybe it’s a stolen VPN certificate from one of your contractors (oops). After that, it’s all downhill for the target. They use RDP (Remote Desktop Protocol) to move laterally within systems, often connecting to a victim’s infrastructure through a compromised contractor. Once they’re in, it’s like giving the fox the keys to the henhouse. Have fun cleaning up that mess.

3. Exploitation: Web Shells, Anyone?

If you thought exploitation was hard, think again. Twelve uses good ol’ PHP web shells to execute commands, move files, and pretty much do whatever they please. Imagine using a command line to send your organization’s secrets straight into their hands. They even use simple one-liners like remailer scripts to spread havoc. Think that sounds too basic for a “sophisticated” attack group? It gets worse.

4. Credential Theft: Hello, Mimikatz

Twelve’s favorite tool to harvest credentials? Mimikatz. They disguise it as something as innocuous as “calculator.exe,” because why wouldn’t you open a calculator, right? And let’s be honest—many would. Once you do, congratulations! You’ve handed over your domain credentials on a silver platter. They don’t stop there, though. They dump credentials using tools like ntdsutil.exe and extract registry hives with XenArmor’s Password Recovery Pro. Yeah, they’ve thought of everything.

5. Lateral Movement: Now You See Me, Now You Don’t

Moving through networks? Easy peasy. They love using RDP (again) and even PsExec to jump between systems. It’s like watching a ninja move silently through the dark—except this ninja isn’t after gold; they’re after your entire IT environment. They’ll even tunnel traffic using ngrok, giving themselves all the cover they need to wreak havoc without raising too many red flags.
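To turn the credential-theft and lateral-movement tradecraft above into something a SOC can actually check, here is an added example (not code from the post or from Kaspersky's report) that runs a few detection rules over constructed Sysmon-style process-creation events: a known tool running under a different file name (Mimikatz dropped as "calculator.exe", PsExec renamed), ntdsutil in IFM mode, and ngrok exposing RDP. The rule table, tag names and sample events are assumptions made for the example.

```python
import ntpath

# Hypothetical rule table (added here, not from the post or the Securelist report):
# PE OriginalFileName of a known tool -> file names it is normally shipped under.
# A renamed copy, such as Mimikatz dropped as "calculator.exe", keeps the original
# name in its version info, which is what the mismatch check keys on.
KNOWN_TOOLS = {
    "mimikatz.exe": {"mimikatz.exe"},
    "psexec.c": {"psexec.exe", "psexec64.exe"},
    "ngrok.exe": {"ngrok.exe"},
}

def detect(event):
    """Return alert tags for one Sysmon-style process-creation event (empty = nothing seen)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    alerts = []
    if original in KNOWN_TOOLS:
        tool = original.split(".")[0]
        alerts.append(f"tool:{tool}")
        if image not in KNOWN_TOOLS[original]:
            alerts.append(f"renamed:{tool}->{image}")
        if tool == "ngrok" and "3389" in cmd:
            alerts.append("rdp-tunnel:ngrok")
    # ntdsutil's IFM mode writes out a copy of NTDS.dit; outside a planned DC build it is suspect.
    if image == "ntdsutil.exe" and "ifm" in cmd.split():
        alerts.append("ntds-dump:ntdsutil-ifm")
    return alerts

def scan(events):
    """Map event index -> alerts for every event that tripped at least one rule."""
    return {i: a for i, e in enumerate(events) if (a := detect(e))}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Users\Public\calculator.exe", "OriginalFileName": "mimikatz.exe",
     "CommandLine": "calculator.exe"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe", "OriginalFileName": "ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "activate instance ntds" ifm "create full c:\\temp" q q'},
    {"Image": r"C:\tools\ps.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"ps.exe \\srv01 -s cmd.exe"},
    {"Image": r"C:\Users\Public\ngrok.exe", "OriginalFileName": "ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},
    {"Image": r"C:\Windows\System32\calc.exe", "OriginalFileName": "CALC.EXE",
     "CommandLine": "calc.exe"},
]

if __name__ == "__main__":
    for idx, alerts in scan(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], alerts)
```

The real calc.exe in the last event trips nothing, which is the point: the rules key on version-info mismatches and specific modes rather than on file names alone.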

The Big Finale: Ransomware? Nope, Just Kidding. Let’s Delete Everything.

Twelve isn’t just about locking up your data. Oh, no. After their initial attack, they’ll follow it up with a killer blow: wipers. These bad boys erase everything. So, if you thought you could negotiate your way out of the situation, think again. Twelve would rather watch your infrastructure go up in flames than receive a ransom. In fact, they’re not even concerned about leaving contact details for negotiation.

The wiper tools they use are also open-source. Talk about minimal investment for maximum damage. One of their tools rewrites your Master Boot Record (MBR), so the next time you boot up your system, all you’ll see is a charming “From Iran with love – Shamoon” message. How quaint.

The Best Part? They’ll Publish Your Secrets on Telegram

Not only will Twelve destroy your data, but they’ll also leak whatever sensitive information they come across on their Telegram channel. While that channel was briefly taken down, don’t let that fool you. These folks are resilient. They’ll just pop back up under a new handle, like any good cyber-villain.

FAQs: The “Why Me?” Edition

How does Twelve gain access to systems?

Twelve typically gets in by exploiting weak links in the supply chain, often through compromised contractors. Once in, they use valid VPN or SSH certificates to access your systems. If you think your contractor’s security is their problem, think again—it’s yours too.

Is Twelve interested in ransom payments?

Nope. Unlike your traditional ransomware gangs, Twelve’s endgame isn’t about extortion. They’ll encrypt your data but won’t offer you the decryption key. Instead, they’ll destroy everything with a wiper and casually walk away. Savage, right?

Can businesses protect themselves from Twelve?

While it’s tough to stay ahead of the game, basic cybersecurity hygiene—strong passwords, multi-factor authentication, and regular patching—goes a long way. But let’s be real: if Twelve sets their sights on you, you’re in for a bumpy ride.

What tools does Twelve use?

They lean on freely available tools, including Cobalt Strike, Mimikatz, and web shells. Why make your own when the internet is a buffet of perfectly usable malware?

Conclusion: What’s Next in the Wild Ride of -=TWELVE=-

As we’ve seen, Twelve isn’t like your average run-of-the-mill ransomware group. Their actions are designed to cause chaos, not line their pockets. From wiping entire infrastructures to publishing sensitive data for the world to see, they’ve become the cybercriminals you really don’t want knocking on your virtual door.

The key takeaway here? Cybersecurity is everyone’s responsibility, not just the IT team’s. If Twelve can sneak in through a contractor, no one is safe. So, next time you think about skipping that two-factor authentication or updating your password, just remember: Twelve might be watching.

Feeling slightly terrified? Great! Let’s channel that fear into action. Start by securing your systems, educate your employees on phishing scams, and maybe—just maybe—rethink your third-party vendor agreements. Don’t forget to subscribe to our newsletter for more tips on staying one step ahead of the chaos.

