Twelve
Twelve is a hacktivist group that Kaspersky reported as conducting destructive cyberattacks against Russian targets, including operations intended to cripple victim networks and disrupt business operations. Kaspersky believes the group formed in April 2023 following the onset of the Russo-Ukrainian war. Its activity is characterized by prioritizing maximum disruption over direct financial gain: Twelve encrypts victim data and then deploys a wiper to prevent recovery, and it has also conducted hack-and-leak operations by exfiltrating sensitive information and publishing it on Telegram.

Kaspersky reported that Twelve commonly begins intrusions by abusing valid local or domain accounts for initial access. The group uses RDP for lateral movement, including via victim contractors; in some cases, attackers accessed a contractor's infrastructure and used its certificate to connect to a customer's VPN. Malicious RDP sessions were tunneled through ngrok. Reported tooling includes Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec. Twelve also used PHP web shells, including WSO, and in one investigated incident exploited VMware vCenter vulnerabilities CVE-2021-21972 and CVE-2021-22005 to deploy a web shell and then a backdoor dubbed FaceFish.

For post-compromise activity, Kaspersky reported that Twelve used PowerShell to add domain users and groups and to modify ACLs on Active Directory objects. The group used masquerading for defense evasion, disguising malware and scheduled tasks under names such as "Update Microsoft," "Yandex," "YandexUpdate," and "intel.exe," and used a PowerShell script named "Sophos_kill_local.ps1" to terminate Sophos security processes. Windows Task Scheduler was used to launch ransomware and wiper payloads. Before destructive actions, Twelve gathered and exfiltrated sensitive victim data via DropMeFiles in ZIP archives.
Kaspersky reported that Twelve used a version of LockBit 3.0 ransomware compiled from publicly available source code to encrypt data, and then deployed a wiper identical to Shamoon that rewrites the MBR and overwrites file contents with random bytes. Kaspersky stated that Twelve appears to rely primarily on publicly available malware and tools rather than custom development. Kaspersky identified infrastructural and tactical overlaps between Twelve and DARKSTAR, also known as COMET or Shadow, and suggested they may be related or part of the same activity cluster, while noting DARKSTAR follows a classic double-extortion model and Twelve is hacktivist in nature. Kaspersky also reported overlaps between Twelve and other Russia-targeting groups including BlackJack, MorLock, Crypt Ghouls, and Shedding Zmiy (ExCobalt), with shared or overlapping tooling and infrastructure complicating attribution. In a follow-up analysis published on September 25, 2024, Kaspersky noted overlaps between Twelve and BlackJack, which also used Shamoon and LockBit in attacks.
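The masquerading and Task Scheduler tradecraft described above lends itself to a simple triage check. The following Python script is an added example, not code from Kaspersky's report or from Mallory: it applies the reported lure names ("Update Microsoft", "Yandex", "YandexUpdate", "intel.exe", "Sophos_kill_local.ps1") to constructed scheduled-task creation records shaped like the main fields of Windows Security event 4698. The record layout, host names and paths are assumptions.

```python
import re
from dataclasses import dataclass

# Task names Kaspersky reported Twelve using to disguise scheduled tasks.
SUSPECT_TASK_NAMES = {"update microsoft", "yandex", "yandexupdate"}
# File names reported on the page: the disguised payload and the Sophos-killing script.
SUSPECT_FILES = {"intel.exe", "sophos_kill_local.ps1"}

@dataclass
class TaskEvent:
    """Constructed subset of a Windows 4698 (scheduled task created) event."""
    host: str
    task_name: str
    command: str

def flag_task(ev: TaskEvent) -> list[str]:
    """Return the reasons a task creation resembles the reported masquerading."""
    reasons = []
    name = ev.task_name.strip("\\").lower()
    if name in SUSPECT_TASK_NAMES:
        reasons.append(f"task name '{ev.task_name}' matches a reported lure name")
    # Reduce every token of the command line to its bare file name before matching.
    tokens = {re.split(r"[\\/]", t.strip('"'))[-1].lower() for t in ev.command.split()}
    for hit in sorted(SUSPECT_FILES & tokens):
        reasons.append(f"command references reported file '{hit}'")
    # A vendor-looking updater registered from a user profile path is out of place.
    if name.startswith(("yandex", "update microsoft")) and "\\users\\" in ev.command.lower():
        reasons.append("vendor-looking task launches from a user profile directory")
    return reasons

def triage(events: list[TaskEvent]) -> dict[str, list[str]]:
    """Map task name -> reasons for every event that trips at least one check."""
    findings = {}
    for ev in events:
        reasons = flag_task(ev)
        if reasons:
            findings[ev.task_name] = reasons
    return findings

# Constructed sample events: two mimic the reported tradecraft, one is a benign built-in task.
SAMPLE_EVENTS = [
    TaskEvent("dc01", "\\Update Microsoft", r"C:\Users\svc_backup\AppData\Local\intel.exe"),
    TaskEvent("fs02", "\\YandexUpdate", r"powershell.exe -ep bypass -f C:\Temp\Sophos_kill_local.ps1"),
    TaskEvent("ws07", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o"),
]

if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_EVENTS).items():
        print(task, "->", "; ".join(reasons))
```

Name matching alone is a weak signal; the user-profile-path check is what separates a disguised task from a legitimately named vendor updater, so tune it to where your own software actually installs.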
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
- telecommunications
- industrial
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
17 malware families attributed to this actor across reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
- Activity cluster whose tooling/C2 overlaps with Head Mare in operations targeting Russian entities.
- Hacktivist group linked to BlackJack in Kaspersky's analysis of Russia-targeting hacktivist activity.
- Referenced as a related ransomware intrusion cluster with shared utilities and possible infrastructure overlap with Crypt Ghouls.
- Referenced as a separate group conducting similar recent campaigns targeting Russia with overlapping tools/infrastructure; no additional details provided in the content.