From initial compromise to ransomware and wipers

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

The Twelve group, formed in April 2023 amid the Russian-Ukrainian conflict, specializes in attacking Russian government organizations. Its attacks involve encrypting and deleting victims' data, causing maximum damage without seeking financial gain. The group uses publicly available tools such as Cobalt Strike, Mimikatz, and PowerShell scripts for initial access, lateral movement, and privilege escalation. It deploys LockBit 3.0 ransomware and Shamoon-based wipers to destroy victims' infrastructure. Twelve exfiltrates sensitive data and posts it on Telegram. The group shares infrastructure with DARKSTAR, suggesting a possible syndicate. Its primary objectives are to destroy critical assets, disrupt business, steal sensitive data, and discredit victims.

OPENCTI LABELS:

cobalt strike, chaos, facefish, lockbit 3.0, shamoon

