Twelve

Twelve is a hacktivist threat actor formed in April 2023 in the context of the Russian-Ukrainian conflict. The group has primarily targeted Russian government organizations and other Russian entities, and is characterized in the reporting as destructive rather than profit-driven. Its stated pattern is to exfiltrate sensitive data, publicize compromises on Telegram, encrypt systems, and then deploy wiping functionality to maximize operational damage and hinder recovery. Observed Twelve intrusions commonly begin through valid local or domain accounts, or stolen VPN/SSH certificates, including access obtained by first compromising contractors and then using contractor certificates to reach customer VPNs. The group has also been linked to exploitation of VMware vSphere/vCenter vulnerabilities CVE-2021-21972 and CVE-2021-22005 to deploy PHP web shells and the FaceFish backdoor on vCenter servers. For command and control, persistence, and post-exploitation, Twelve has used largely public tooling including Cobalt Strike, mimikatz, chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, PsExec, PowerShell, RDP, and ngrok. Reporting also describes PHP web shells in Bitrix-related directories, Active Directory manipulation via PowerShell and net.exe, scheduled tasks and Group Policy abuse for domain-wide malware deployment, and defense evasion through masquerading, event log clearing, and artifact cleanup. For credential access and reconnaissance, Twelve has used mimikatz, registry hive dumping, ntdsutil.exe, XenArmor All-In-One Password Recovery Pro, Advanced IP Scanner, BloodHound, adPEAS, and PowerView. For exfiltration, the group has collected financial documents, technical drawings, corporate email, and Telegram Desktop session data, archived data with 7z, and uploaded it to DropMeFiles before posting stolen information to its Telegram channel. For impact, Twelve has used LockBit 3.0 variants compiled from publicly available source code, as well as Chaos-based ransomware samples linked through static analysis. Reporting states the ransom notes lacked contact information and contained only the group logo, reinforcing the assessment that sabotage and reputational damage are prioritized over monetization. Twelve has also deployed Shamoon-like wipers compiled from public source code; these overwrite the MBR, recursively corrupt and delete files, self-delete, and shut down systems. Wipers and ransomware were distributed via netlogon shares, PowerShell, Group Policy, and scheduled tasks. Known aliases in the provided content are limited to Twelve. The reporting also notes overlaps in infrastructure, tooling, and TTPs with DARKSTAR, formerly known as Shadow or COMET, suggesting they may belong to the same syndicate or activity cluster, although DARKSTAR is described as following a classic double-extortion model while Twelve is framed as hacktivist. Additional reporting identifies substantial overlaps and likely cooperation or tool sharing between Twelve and other Russia-targeting clusters including Head Mare, Crypt Ghouls, MorLock, BlackJack, and Shedding Zmiy (aka ExCobalt).