
In September 2024, a series of cyberattacks targeted Russian companies, revealing a concerning evolution in hacktivist tactics. Two groups—Head Mare and Twelve—were identified as the perpetrators, with evidence suggesting potential collaboration between them. This article delves into the background, methodologies, and implications of these attacks, highlighting the need for enhanced cybersecurity measures.
Background Information
Head Mare and Twelve are hacktivist groups known for their politically motivated cyber activities. Head Mare has previously targeted Russian entities, employing various tools and techniques to infiltrate systems. Twelve, formed in April 2023 amid the Russo-Ukrainian conflict, has been observed conducting destructive attacks aimed at disrupting operations and destroying critical infrastructure without seeking financial gain. (thehackernews.com)
Analysis of the Attacks
Recent investigations have uncovered significant overlaps in the tactics, techniques, and procedures (TTPs) employed by both groups, indicating a possible collaboration:
- Shared Tools and Infrastructure: Head Mare utilized tools previously associated with Twelve, such as the CobInt backdoor and command-and-control (C2) servers linked exclusively to Twelve. (securelist.com)
- Initial Access Methods: Both groups exploited known vulnerabilities, including CVE-2023-38831 in WinRAR and CVE-2021-26855 in Microsoft Exchange Server (ProxyLogon), to gain unauthorized access. (thehackernews.com)
- Persistence Mechanisms: They established persistence by creating privileged local users and deploying traffic tunneling tools like Localtonet and cloudflared, facilitating continuous access to compromised systems. (securelist.com)
- Anti-Detection Techniques: The attackers employed masquerading techniques, renaming malicious executables to mimic legitimate system files, and cleared event logs to evade detection. (securelist.com)
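The persistence and anti-detection behaviours listed above, as a detection example added here (not from the source article or any vendor's code): it scans constructed Windows Security event records for a newly created local user promoted to Administrators, a system-process name launched from outside the system directories, a known tunnelling binary, and an audit-log clear. The event IDs are the standard Windows ones; the simplified record layout and the host, user and path values are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the page), in a minimal dict form.
# Event IDs are the real Windows Security ones: 4720 user account created,
# 4732 member added to a local group, 4688 process created, 1102 audit log cleared.
SAMPLE_EVENTS = [
    {"id": 4720, "host": "srv-01", "user": "svc_backup", "by": "admin"},
    {"id": 4732, "host": "srv-01", "user": "svc_backup", "group": "Administrators"},
    {"id": 4688, "host": "srv-01", "image": "C:\\Users\\Public\\svchost.exe"},
    {"id": 4688, "host": "srv-01", "image": "C:\\Windows\\System32\\svchost.exe"},
    {"id": 4688, "host": "srv-02", "image": "C:\\ProgramData\\cloudflared.exe"},
    {"id": 1102, "host": "srv-01", "by": "svc_backup"},
]

# System binaries whose names are commonly mimicked; genuine copies live here.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Tunnelling tools named in the article as persistence aids.
TUNNEL_TOOLS = {"cloudflared.exe", "localtonet.exe"}


def detect(events):
    """Return a list of (host, rule, detail) findings for the given events."""
    findings = []
    created = defaultdict(set)  # host -> local users created in this batch
    for e in events:
        host = e["host"]
        if e["id"] == 4720:
            created[host].add(e["user"])
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            # A freshly created user added straight to Administrators:
            # the privileged-local-user persistence pattern.
            if e["user"] in created[host]:
                findings.append((host, "priv_local_user", e["user"]))
        elif e["id"] == 4688:
            image = e["image"].lower()
            name = image.rsplit("\\", 1)[-1]
            # Masquerading: a system-process name outside the system directories.
            if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
                findings.append((host, "masquerade", e["image"]))
            if name in TUNNEL_TOOLS:
                findings.append((host, "tunnel_tool", e["image"]))
        elif e["id"] == 1102:
            # Audit log cleared: the log-wiping anti-detection step.
            findings.append((host, "log_cleared", e.get("by", "unknown")))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {detail}")
```

The 4688 check needs command-line/process auditing enabled; without it no process-creation events exist to match.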
Implications and Impact
The collaboration between Head Mare and Twelve signifies a concerning trend in cyber threats:
- Increased Sophistication: The use of advanced tools and coordinated tactics enhances the effectiveness of cyberattacks, making detection and mitigation more challenging.
- Targeted Industries: The attacks primarily targeted sectors such as manufacturing, government, and energy, aiming to disrupt critical infrastructure and operations. (blog.netmanageit.com)
- Geopolitical Motivations: The attacks underscore the intersection of cyber activities with geopolitical conflicts, where cyber operations are employed as tools of political expression and disruption.
Technical Details
The attackers' toolkit included a mix of publicly available and proprietary tools:
- Credential Harvesting: Tools like Mimikatz and secretsdump were used to extract credentials from compromised systems.
- Network Reconnaissance: Utilities such as fscan and SoftPerfect Network Scanner facilitated mapping of the network infrastructure.
- Lateral Movement: RDP and tools like PsExec enabled movement across networks to access additional systems.
- Data Exfiltration and Encryption: Rclone was employed for data transfer, while ransomware variants like LockBit 3.0 and Babuk were used to encrypt data, rendering it inaccessible. (securelist.com)
Conclusion
The joint attacks by Head Mare and Twelve highlight the evolving nature of cyber threats, where hacktivist groups are increasingly collaborating to amplify their impact. Organizations must adopt a proactive approach to cybersecurity, implementing robust defense mechanisms, regular system updates, and comprehensive monitoring to detect and respond to such sophisticated threats.