Inside the Comet and Twelve network: F.A.C.C.T. reveals the cyber syndicate's infrastructure

Brother

The company has recorded new attacks by the group and its accomplices on Russian companies.

F.A.C.C.T. has uncovered new cyberattacks on Russian companies by the Comet crime syndicate (also known as Shadow / Twelve) and its associates. The experts believe they are dealing with a "dual-use" group and, to help defenders counter it, are publishing the lists of tools and network addresses the attackers have used since the beginning of 2023.

Comet, formerly known as Shadow, is a ransomware group: it first steals confidential data, then encrypts it and demands a ransom for decryption. In 2023 the largest ransom it demanded was $3.5 million.

Twelve is a politically motivated group. In its attacks it first steals confidential data from the victim's infrastructure and then destroys that infrastructure by irreversibly encrypting and deleting data. The attackers then publish the stolen information in various public sources and also use it to launch cascading attacks on the victim's counterparties.

After F.A.C.C.T. published a report showing that Shadow and Twelve use the same tools and infrastructure, Shadow rebranded itself as Comet.

Among the accomplices of Comet / Twelve, members of the Cobalt group were also identified, the group Europol once accused of stealing around 1 billion euros from 100 banks around the world. A Positive Technologies report described tools that had not only been recorded by the F.A.C.C.T. Digital Forensics Laboratory in its own research but also made it possible, through specific overlaps, to link the politically motivated Twelve with the financially motivated Comet (formerly Shadow).

Comet / Twelve attacks use malware including DarkGate, FaceFish, SystemBC and CobInt / Cobalt Strike. At the final stage, ransomware of the LockBit 3 (Black) and Babuk families, built from leaked builders and source code, is used to encrypt the data.

Along with shared tools and identical tactics, techniques and procedures, the group and its accomplices use a common network infrastructure to conduct their attacks.

Below is the list of addresses (defanged) used by the attackers in attacks since February 2023:
  • 192.210.160[.]165
  • 45.89.65[.]199
  • 5.181.234[.]58
  • 5.252.177[.]181
  • 62.113.116[.]211
  • 78.46.109[.]143
  • 88.218.61[.]114
  • 94.103.88[.]115
  • 94.103.91[.]56
  • 94.158.247[.]118
  • 193.201.83[.]18
  • 45.11.181[.]206
  • 212.118.54[.]88
  • 193.201.83[.]17
  • popslunderflake[.]top
  • getanaccess[.]net
  • kavupdate[.]com
  • fsbkal[.]com
  • logilokforce[.]com
  • onexboxlive[.]com
  • stoloto[.]ai
  • ptnau[.]com
  • dnssign[.]xyz
  • ukr-net[.]website
F.A.C.C.T. also noted that Ngrok and AnyDesk are popular with the attackers for gaining access to victims' IT perimeters. This list is not exhaustive: depending on the situation, the attackers expand their arsenal with new tools.
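The indicator list above as a small triage script, added here as an example and not code from the F.A.C.C.T. report or the post: it refangs the defanged entries (tolerating copies of the list where the brackets carry a comma or stray spaces), separates IP addresses from domains, and sweeps a few log lines for exact IP hits and for domain or subdomain hits. The DNS and proxy log lines, the 10.0.0.0/24 client addresses and the hostname update.kavupdate.com are constructed for illustration and are not from the report.

```python
"""Refang the Comet / Twelve indicators above and sweep log lines for them.

Added example, not code from the F.A.C.C.T. report or the post. The log
lines are constructed for illustration.
"""
import ipaddress
import re

# The indicator list from the post, defanged as published. Three entries are
# written the way some copies render them ("[,]", "[.] " and " [.] ") so the
# parser has to tolerate that.
DEFANGED_IOCS = """
192.210.160[.]165
45.89.65[.]199
5.181.234[.]58
5.252.177[.]181
62.113.116[.]211
78.46.109[.]143
88.218.61 [,]114
94.103.88[.] 115
94.103.91[.]56
94.158.247[.]118
193.201.83[.]18
45.11.181[.]206
212.118.54[.]88
193.201.83[.]17
popslunderflake[.]top
getanaccess [.] net
kavupdate[.]com
fsbkal[.]com
logilokforce[.]com
onexboxlive[.]com
stoloto[.]ai
ptnau[.]com
dnssign[.]xyz
ukr-net[.]website
"""

# A defanged dot: "[.]", "(.)" or "{.}", optional spaces around it, and a
# comma in place of the dot (a common copy/paste mangling).
DEFANGED_DOT = re.compile(r"\s*[\[({]\s*[.,]\s*[\])}]\s*")

def refang(indicator: str) -> str:
    """Return the plain form of a defanged IP, hostname or URL."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return DEFANGED_DOT.sub(".", s)

def load_iocs(text: str):
    """Split a block of defanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•-* ").strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        # Keep only the host part if a URL was given (this list has no ports).
        host = re.sub(r"^https?://", "", value).split("/")[0]
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return ips, domains

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames only: the last label must be alphabetic, so IPv4 strings are not
# picked up twice.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def scan_log(lines, ips, domains):
    """Return (line_no, kind, value) for every indicator hit.

    A hostname matches exactly or as a subdomain of a listed domain, so a
    query for update.kavupdate.com is reported as a hit on kavupdate.com.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in domains or any(h.endswith("." + d) for d in domains):
                hits.append((n, "domain", h))
    return hits

# Constructed log lines (not real traffic): two DNS queries and two proxy
# CONNECTs from an imaginary 10.0.0.0/24 client network.
SAMPLE_LOG = [
    "2024-03-04T10:02:11Z dns client=10.0.0.15 query=update.kavupdate.com type=A",
    "2024-03-04T10:02:12Z proxy src=10.0.0.15 dst=193.201.83.17:443 host=dnssign.xyz method=CONNECT",
    "2024-03-04T10:05:40Z dns client=10.0.0.22 query=www.microsoft.com type=A",
    "2024-03-04T10:07:03Z proxy src=10.0.0.31 dst=88.218.61.114:8443 host=- method=CONNECT",
]

def sweep_sample():
    """Load the list and sweep the constructed log; returns the hit list."""
    ips, domains = load_iocs(DEFANGED_IOCS)
    return scan_log(SAMPLE_LOG, ips, domains)

if __name__ == "__main__":
    for line_no, kind, value in sweep_sample():
        print(f"line {line_no}: {kind} hit on {value}")
```

Two caveats before running this against production logs: the list dates from 2023, so hosting on these IPs may have changed hands, and a hit on an address is a lead to pivot on (who resolved it, what process opened the connection, whether Ngrok or AnyDesk appeared around the same time), not proof of compromise by itself.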