Hacktivist Groups Operating Together! Connection Over TTPs Uncovered

Cybersecurity experts have uncovered a significant connection between hacktivist groups BlackJack and Twelve through overlapping tactics, techniques, and procedures (TTPs).

This discovery illuminates the sophisticated methods employed by these groups and raises questions about their potential collaboration or shared objectives.

The findings reveal shared tools, malware, and similar attack patterns targeting Russian organizations.

This article delves into the details of the investigation, exploring the implications of these connections and what they mean for cybersecurity defenses.

Who are BlackJack and Twelve?

BlackJack

BlackJack emerged at the end of 2023 as a hacktivist group targeting Russian companies and government institutions.

Their stated goal, as communicated via their Telegram channel, is to exploit vulnerabilities within Russian networks.

By June 2024, BlackJack had claimed responsibility for over a dozen attacks, with additional unpublicized incidents suggesting their involvement.

The group relies on freely available and open-source software, such as the SSH client PuTTY and the wiper Shamoon, which suggests it lacks the resources typical of more sophisticated APT groups.

[Figure: Contents of the LockBit ransom note]

Twelve

The Twelve group shares many similarities with BlackJack regarding tools and targets. Like BlackJack, Twelve utilizes publicly available software for attacks, avoiding proprietary tools.

The overlap between these two groups was discovered through Kaspersky Security Network (KSN) telemetry and Kaspersky Threat Intelligence solutions, revealing shared malware samples and attack methodologies.

Overlapping Tactics and Tools

According to the SecureList report, both BlackJack and Twelve have been found using similar versions of the Shamoon wiper and LockBit ransomware.

The Shamoon wiper used by BlackJack is written in Go, and Twelve’s version exhibits the same characteristics. These malware samples were found in identical directories across different attacks:

  • Sysvol\domain\scripts
  • \\[DOMAIN]\netlogon\
  • C:\ProgramData\

These specific directories allow attackers to spread malware efficiently across victim infrastructures: the SYSVOL and NETLOGON shares are replicated to every domain controller and readable from every domain-joined host, so a file staged there can be pulled down by any machine in the domain.

Remote Access Tools

Both groups employ remote access tools (RATs) to maintain persistent access to compromised systems.

BlackJack initially attempted to use Radmin but ultimately relied on AnyDesk for external connections. Similarly, Twelve uses tools like PuTTY for SSH connections within targeted infrastructures.

Shared Commands and Procedures

The investigation revealed identical commands used by both groups for creating scheduled tasks and clearing event logs.

These commands highlight a systematic approach to executing attacks while maintaining stealth:

# Scheduled Task Creation (task action as recorded in the registry)

reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ID}:Actions
powershell.exe Copy-Item \\[DOMAIN]\netlogon\bj.exe -Destination C:\ProgramData

# Clearing Event Logs

powershell -command "wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}"
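The staging directories and the two shared commands above are concrete enough to detect. The following is an added example, not code from the article or from Kaspersky: it runs three detections over constructed Sysmon-style process-creation events (domain name, file names and event fields are assumed), flagging a copy from a NETLOGON share into C:\ProgramData, any wevtutil log clearing, and execution from one of the listed staging directories. The copy check is generalised to any domain and file name rather than the single bj.exe case quoted above.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields),
# not real telemetry from the BlackJack/Twelve intrusions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Copy-Item \\corp.example\netlogon\bj.exe -Destination C:\ProgramData"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -command "wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}"'},
    {"Image": r"C:\ProgramData\bj.exe",
     "CommandLine": r"C:\ProgramData\bj.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users"},
]

# A file copied from a domain NETLOGON share into C:\ProgramData (the task action
# quoted in the article, generalised to any domain and file name).
COPY_FROM_SHARE = re.compile(
    r"copy-item\s+\\\\\S+\\netlogon\\\S+\s+-destination\s+c:\\programdata\b", re.I)
# Any wevtutil clear-log call, including the enumerate-then-clear loop form.
CLEAR_LOGS = re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)
# A process image living in one of the staging directories the article lists.
STAGING_IMAGE = re.compile(
    r"^(\\\\[^\\]+\\(netlogon|sysvol)\\|c:\\programdata\\)", re.I)


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    labels = []
    if COPY_FROM_SHARE.search(event["CommandLine"]):
        labels.append("staging_copy_netlogon_to_programdata")
    if CLEAR_LOGS.search(event["CommandLine"]):
        labels.append("event_log_clearing")
    if STAGING_IMAGE.match(event["Image"]):
        labels.append("executed_from_staging_dir")
    return labels


def scan(events):
    """Return (index, labels) for every event that triggers at least one detection."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for i, labels in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ", ".join(labels))
```

In a real deployment the same patterns map onto Sysmon Event ID 1 or Windows Security Event ID 4688 command lines, and log clearing can additionally be caught via Security Event ID 1102.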

The significant overlap in TTPs between BlackJack and Twelve suggests collaboration or a shared objective against Russian targets.

While direct attribution remains challenging, the similarities in malware samples, attack methodologies, and target selection point towards a unified cluster of hacktivist activity.

Impact on Targeted Organizations

These groups’ activities have primarily affected Russia’s government, telecommunications, and industrial sectors.

Their attacks focus on causing maximum damage by encrypting, deleting, and stealing data rather than seeking financial gain.

The discovery of overlapping TTPs between BlackJack and Twelve underscores the evolving landscape of cyber threats posed by hacktivist groups.

Organizations must bolster their cybersecurity defenses to mitigate potential risks as these groups continue to refine their methods and collaborate on tactics.

Understanding the connections between seemingly disparate threat actors can provide valuable insights into their strategies and help develop more effective countermeasures.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
