One structure, two masks: Kaspersky merges Twelve and BlackJack in a new investigation

These groups will go to any lengths to destroy IT resources.

Kaspersky Lab reports that two hacktivist groups — Twelve and BlackJack — may be operating within the same structure. According to the research, both groups use similar malware and the same methods to distribute and execute it. Both became noticeably more active at the end of 2023, attacking companies based in Russia. Although the attackers present their actions as financially motivated, their main goal is to steal data and destroy IT infrastructure.

BlackJack, one of the two groups, relies on publicly available software in its attacks, such as the SSH client PuTTY and the leaked Shamoon wiper, which confirms that its resources are limited compared to larger cyber groups. It also actively uses a LockBit ransomware build created from the leaked source code, and the ngrok tunneling tool to maintain persistent access to infected systems.

Neither group limits itself to malware. Both also use legitimate tools and utilities such as Radmin and AnyDesk for remote system management. This heavy use of open, readily available tools makes their attacks less visible in the early stages and harder to track.

The research showed that both groups' attacks follow the same playbook: the malware is hosted in the same network directories and executed via the Task Scheduler. Their techniques for covering tracks, such as clearing event logs with PowerShell, are also identical.
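The combination described above (execution through a scheduled task followed by log clearing) is a useful correlation for defenders. The following is an added example, not code from the Kaspersky report or this post: it correlates exported Windows event records and flags hosts where a scheduled task was created and an event log was cleared shortly afterwards. The event IDs are standard Windows ones (4698: scheduled task created; 1102: Security log cleared; 104: System log cleared); the sample records are constructed.

```python
# Added example: detect "scheduled task created, then event log cleared"
# on the same host within a short window. Event IDs are standard Windows
# audit IDs; the sample records below are constructed for illustration.
from datetime import datetime, timedelta

TASK_CREATE_ID = 4698          # Security: a scheduled task was created
LOG_CLEAR_IDS = {1102, 104}    # Security log cleared / System log cleared

# Constructed sample records (host, event id, ISO timestamp, user, task name)
SAMPLE_EVENTS = [
    {"host": "srv01", "id": 4624, "time": "2023-12-01T10:00:00", "user": "admin"},
    {"host": "srv01", "id": 4698, "time": "2023-12-01T10:05:00", "user": "admin",
     "task": "\\Updater"},
    {"host": "srv01", "id": 1102, "time": "2023-12-01T10:07:30", "user": "admin"},
    {"host": "srv01", "id": 104,  "time": "2023-12-01T10:07:31", "user": "admin"},
    # Unrelated: task created, log cleared a day later (outside the window)
    {"host": "ws07",  "id": 4698, "time": "2023-12-01T09:00:00", "user": "svc",
     "task": "\\Backup"},
    {"host": "ws07",  "id": 1102, "time": "2023-12-02T09:00:00", "user": "svc"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_task_then_clear(events, window=timedelta(minutes=30)):
    """Return (host, task, clear_event_id) tuples for every log-clear event
    that follows a scheduled-task creation on the same host within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)

    hits = []
    for host, host_events in by_host.items():
        tasks = [e for e in host_events if e["id"] == TASK_CREATE_ID]
        clears = [e for e in host_events if e["id"] in LOG_CLEAR_IDS]
        for task in tasks:
            for clear in clears:
                delta = _ts(clear["time"]) - _ts(task["time"])
                if timedelta(0) <= delta <= window:
                    hits.append((host, task["task"], clear["id"]))
    return hits


if __name__ == "__main__":
    for host, task, event_id in find_task_then_clear(SAMPLE_EVENTS):
        print(f"{host}: task {task} created, then event {event_id} (log cleared)")
```

On a real estate the records would come from a SIEM export or `Get-WinEvent`; the window and the set of log-clear IDs are the tuning knobs.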

Despite their attempts to present these operations as financially motivated attacks, Twelve and BlackJack aim above all to inflict as much damage as possible on the IT environments of the affected organizations.
