F. A. C. C. T. experts reveal network infrastructure of Comet (Shadow)/Twelve crime syndicate

Specialists of the F. A. C. C. T. Digital Forensics Laboratory are recording new attacks by the Comet (formerly Shadow) / Twelve crime syndicate and their associates on Russian companies.

In effect, this is a "dual-use" group. As Twelve, members of this criminal syndicate carry out cyber-sabotage and destroy victims' infrastructure for political reasons. In some cases the attackers openly claim responsibility for successful attacks on government organizations or manufacturing companies. And, as happened recently with one of Russia's semiconductor device factories, the criminals are not above mocking the victim in their Telegram channel.

Attacks on behalf of Comet (formerly Shadow) are usually not advertised by cybercriminals, as they pursue financial gain. They first steal and encrypt the victim's data, and then demand a ransom for decrypting it.

At the same time, among the accomplices of the Comet (formerly Shadow) / Twelve group are members who previously "lit up" in the ranks of the notorious Russian-speaking criminal group Cobalt, which at one time Europol accused of stealing about 1 billion euros from 100 banks around the world.

In a recent report, Positive Technologies described the tools used by the Cobalt group. Specialists of the F. A. C. C. T. Digital Forensics Laboratory had not only observed the same tools in their own investigations, but also used these specific traits to link the politically motivated Twelve with the financially motivated Comet (formerly Shadow).

Tools and network infrastructure

In the course of Comet (formerly Shadow) / Twelve attacks, the following malware families are used:
  • DarkGate
  • FaceFish
  • SystemBC
  • Cobint / Cobalt Strike
And at the final stage, ransomware programs of the LockBit 3 (Black) and Babuk families, created on the basis of leaked data, are used to encrypt data.

Along with common tools, as well as identical tactics, techniques, and procedures, the group and its accomplices use a common network infrastructure to conduct attacks. This has been repeatedly noted by F. A. C. C. T. experts. Below is a list of addresses that have been used by attackers in attacks since February 2023:
Along with the malware mentioned above, the Ngrok and AnyDesk utilities remain popular with the attackers for keeping access to the victims' IT perimeter. This list is not exhaustive: depending on the situation, the attackers expand their arsenal with new tools.

Important: if you record any activity involving the criminal syndicate's resources, or illegitimate activity involving the Ngrok infrastructure (*.ngrok[.<url>) or AnyDesk infrastructure (.net.anydesk[.]com), F. A. C. C. T. experts recommend contacting the incident response team of the F. A. C. C. T. Digital Forensics and Malware Research Laboratory, which will help you respond to the incident and minimize the potential risks if events escalate.
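A minimal way to act on the recommendation above is to sweep DNS resolver logs for the two remote-access infrastructures and for the indicators the article lists. This is an added example, not F. A. C. C. T. code: the log format and the log lines are constructed, the two watchlist entries are taken from the article's own indicator list, and the hostname patterns for Ngrok (*.ngrok.<tld>) and AnyDesk (*.net.anydesk.com) are assumptions about those services' domain shapes.

```python
import re
from dataclasses import dataclass

# Watchlist in the defanged notation used in the article (two entries copied from its list).
DEFANGED_WATCHLIST = ["192.210.160[.]165", "popslunderflake[.]top"]

# Assumed shapes of the remote-access infrastructure named in the article.
REMOTE_ACCESS_PATTERNS = {
    "ngrok": re.compile(r"(^|\.)ngrok\.[a-z0-9-]+$"),
    "anydesk": re.compile(r"(^|\.)net\.anydesk\.com$"),
}


def refang(ioc: str) -> str:
    """Turn defanged notation such as '88.218.61 [,]114' or 'getanaccess [.] net' into a usable value."""
    return re.sub(r"\s*\[\s*[.,]\s*\]\s*", ".", ioc.strip()).lower()


WATCHLIST = {refang(i) for i in DEFANGED_WATCHLIST}


@dataclass
class Hit:
    line_no: int
    client: str
    target: str
    reason: str


# Constructed resolver log lines for the demo (not real telemetry): "<ts> <client> <qname> <answer>".
LOG_LINES = """\
2024-03-01T10:00:01Z 10.0.0.12 intranet.corp.example 10.0.0.5
2024-03-01T10:00:07Z 10.0.0.12 abcd1234.ngrok.io 3.1.2.3
2024-03-01T10:01:09Z 10.0.0.31 relay-1.net.anydesk.com 1.2.3.4
2024-03-01T10:02:44Z 10.0.0.31 mail.corp.example 192.210.160.165
2024-03-01T10:03:00Z 10.0.0.40 popslunderflake.top 5.5.5.5
"""


def scan(log_text: str) -> list[Hit]:
    """Flag queries for Ngrok/AnyDesk domains and any query name or answer on the watchlist."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, qname, answer = parts
        qname = qname.lower().rstrip(".")
        for name, pattern in REMOTE_ACCESS_PATTERNS.items():
            if pattern.search(qname):
                hits.append(Hit(n, client, qname, f"{name} infrastructure"))
        if qname in WATCHLIST:
            hits.append(Hit(n, client, qname, "watchlisted domain"))
        if answer in WATCHLIST:
            hits.append(Hit(n, client, answer, "resolves to watchlisted IP"))
    return hits
```

Hits on the Ngrok or AnyDesk patterns are a starting point for triage, since both tools also have legitimate uses; a hit on the watchlist is the stronger signal.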

Another "business card" of the criminal syndicate is the "hijacking" of Telegram accounts from the workstations of users in the compromised infrastructure. Note that the attackers' devices will not appear in the account's list of active devices, because they reuse the stolen token of an already-authorized session. To keep attackers out of your Telegram account, terminate all other sessions from your mobile device.

A Brief History of Shadow-Comet-Twelve

Comet (formerly Shadow) is a financially motivated ransomware group that first steals confidential data from the victim's infrastructure, then encrypts it and extorts a ransom for decrypting it. According to information obtained by F. A. C. C. T. experts in the course of research, the maximum amount of ransom required by attackers in 2023 was $3.5 million.

The Twelve group is a politically motivated group that, as a result of its attacks, first steals confidential data from the victim's infrastructure, and then destroys its IT infrastructure by irreversibly encrypting and deleting data. Further, the attackers publish the stolen information in various public sources, and also use it to conduct cascading attacks on the victim's counterparties.

After the publication in which F. A. C. C. T. experts concluded that Shadow and Twelve are essentially one hacker group with common tools and techniques, and in several attacks a common network infrastructure as well, the Shadow group rebranded and took the name Comet (C0met).