Cybersecurity experts have uncovered a significant connection between hacktivist groups BlackJack and Twelve through overlapping tactics, techniques, and procedures (TTPs).
This discovery illuminates the sophisticated methods employed by these groups and raises questions about their potential collaboration or shared objectives.
The findings reveal shared tools, malware, and similar attack patterns targeting Russian organizations.
This article delves into the details of the investigation, exploring the implications of these connections and what they mean for cybersecurity defenses.
Who are BlackJack and Twelve?
BlackJack
BlackJack emerged at the end of 2023 as a hacktivist group targeting Russian companies and government institutions.
Their stated goal, as communicated via their Telegram channel, is to exploit vulnerabilities within Russian networks.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool:
By June 2024, BlackJack had claimed responsibility for over a dozen attacks, with additional unpublicized incidents suggesting their involvement.
The group relies on freely available and open-source software, such as the SSH client PuTTY and the wiper Shamoon, indicating a lack of resources typical of more sophisticated APT groups.
Twelve
The Twelve group shares many similarities with BlackJack regarding tools and targets. Like BlackJack, Twelve utilizes publicly available software for attacks, avoiding proprietary tools.
The overlap between these two groups was discovered through Kaspersky Security Network (KSN) telemetry and Kaspersky Threat Intelligence solutions, revealing shared malware samples and attack methodologies.
Overlapping Tactics and Tools
According to the SecureList report, both BlackJack and Twelve have been found using similar versions of the Shamoon wiper and LockBit ransomware.
The Shamoon wiper used by BlackJack is written in Go, while Twelve’s version also exhibits similar characteristics. These malware samples were found in identical directories across different attacks:
- Sysvoldomainscripts
- $$DOMAIN]netlogon
- C:ProgramData
These specific directories allow attackers to spread malware efficiently across victim infrastructures.
Remote Access Tools
Both groups employ remote access tools (RATs) to maintain persistent access to compromised systems.
BlackJack initially attempted to use Radmin but ultimately relied on AnyDesk for external connections. Similarly, Twelve uses tools like PuTTY for SSH connections within targeted infrastructures.
Shared Commands and Procedures
The investigation revealed identical commands used by both groups for creating scheduled tasks and clearing event logs.
These commands highlight a systematic approach to executing attacks while maintaining stealth:
# Scheduled Task Creation
reg:\REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTasks{ID}:Actions","`powershell.exe` Copy-Item `\[DOMAIN]netlogonbj.exe` -Destination `C:ProgramData`
# Clearing Event Logs
powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}
The significant overlap in TTPs between BlackJack and Twelve suggests collaboration or a shared objective against Russian targets.
While direct attribution remains challenging, the similarities in malware samples, attack methodologies, and target selection point towards a unified cluster of hacktivist activity.
Impact on Targeted Organizations
These groups’ activities have primarily affected Russia’s government, telecommunications, and industrial sectors.
Their attacks focus on causing maximum damage by encrypting, deleting, and stealing data rather than seeking financial gain.
The discovery of overlapping TTPs between BlackJack and Twelve underscores the evolving landscape of cyber threats posed by hacktivist groups.
Organizations must bolster their cybersecurity defenses to mitigate potential risks as these groups continue to refine their methods and collaborate on tactics.
Understanding the connections between seemingly disparate threat actors can provide valuable insights into their strategies and help develop more effective countermeasures.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats ->