Experts revealed the details of the joint group and its tactics.
Russian experts have published a detailed study of the activities of a "dual-use" hacker group called Shadow/Twelve, which actively attacks Russian organizations. In the report "Shadows Will Not Hide: An Investigation into the Attacks of the Shadow Group", experts analyzed many ransomware attacks by Shadow, Comet, DARKSTAR and hacktivists Twelve, providing technical evidence of a close connection between these groups.
From February 2023 to July 2024, the Shadow crime syndicate (also known as Comet and DARKSTAR) and Twelve attacked at least 50 Russian organizations. Researchers have determined that Shadow and Twelve are part of the same united group, dubbed Shadow. The group used identical tactics, techniques and procedures, constantly improving them. In addition, the group's unique handwriting was revealed when using tools, and some of the Shadow and Twelve attacks shared a network infrastructure.
This crime syndicate shows a new trend - "dual-use" groups that pursue both financial and political goals. At the same time, two seemingly different groups with opposite goals were carrying out ransomware attacks. "Subgroups" attacked Russian companies, but pursued different goals: Shadow sought to extort money, and Twelve sought to completely destroy the IT infrastructure of the victims.
Shadow most often attacked organizations in manufacturing and engineering (21.3%), logistics and delivery, IT (10.7% each), construction, telecommunications, and financial services (7.1% each). Later, this group changed its name to Comet and became the most "greedy" ransomware in 2023, demanding 321 million rubles (about $3.5 million) from one encrypted company, with an average initial ransom amount of 90 million rubles.
The attackers did not limit themselves to attacks on organizations, but also stole cryptocurrency from their employees. In some cases, they gained access to authentication data in browsers and password managers, which allowed them to penetrate cryptocurrency asset management platforms and steal individuals' funds.
Unlike Shadow, Twelve stated in its Telegram channel that it pursues exclusively political motives, seeking to steal confidential information, carry out sabotage, and achieve a PR effect.
For the initial attack vector, the "dual-use" group exploits vulnerabilities in publicly available applications, trust relationships, credentials purchased on closed sites, external remote access services (RDP and VPN), as well as phishing. Ransomware is created using publicly leaked builders and source code of LockBit 3 (Black) and Babuk for ESXi. One of the distinguishing features of the group was the theft of Telegram accounts on victims' devices, which allowed them to spy on employees of the attacked companies and exert additional pressure.
Source