The Twelve group, active since April 2023, targets Russian government entities, employing techniques like encrypting and deleting victims' data to cause maximum damage. They also exfiltrate sensitive information and share it on Telegram. The group shares tools and techniques with the DARKSTAR ransomware group.

A hacker group called Twelve has been using ransomware and wipers to harm Russian government organizations since 2023.

Analyzed through the Unified Kill Chain, their attacks involve initial access through contractors, exploitation using web shells like the FaceFish backdoor, and persistence using PowerShell. The group uses ngrok for pivoting, tools like Advanced IP Scanner and BloodHound for discovery, and mimikatz for credential access. The adversaries evade detection by creating tasks, disguising malware, and clearing event logs. They use Cobalt Strike, PowerShell scripts, and PsExec for lateral movement. Their ultimate objectives involve collecting and exfiltrating sensitive data, using ransomware like LockBit 3.0, and deploying wipers. The final objective includes destroying critical assets, stealing data, discrediting victims on Telegram, and causing widespread impact.
https://securelist.com/twelve-group-unified-kill-chain/113877/
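
Several of the techniques summarized above (task creation, PsExec, event log clearing, named tools) leave standard Windows events, so a first triage pass over collected logs can look like the sketch below. This is an added example, not code from the Securelist report: the hosts, records and field names are constructed, and the event IDs (1102/104 log cleared, 4698 task created, 7045 service installed, 4688 process created) and the default PsExec service name `PSEXESVC` are standard Windows values assumed here rather than details from the page.

```python
from collections import defaultdict

# Constructed sample records (not from the report), simplified event fields.
SAMPLE_EVENTS = [
    {"host": "APP-01", "id": 4688, "image": r"C:\Users\Public\ngrok.exe"},
    {"host": "APP-01", "id": 4688, "image": r"C:\Temp\Advanced_IP_Scanner.exe"},
    {"host": "DC-01", "id": 7045, "service": "PSEXESVC"},
    {"host": "DC-01", "id": 4698, "task": r"\Microsoft\Windows\Update2"},
    {"host": "DC-01", "id": 1102},
    {"host": "WS-07", "id": 4698, "task": r"\Vendor\Updater"},
]

# Tools the summary names; a name match is weak since the group disguises malware.
TOOL_NAMES = {
    "ngrok": "pivoting tool (ngrok)",
    "advanced_ip_scanner": "discovery tool (Advanced IP Scanner)",
    "bloodhound": "discovery tool (BloodHound)",
    "mimikatz": "credential access tool (mimikatz)",
}

def classify(event):
    """Return the technique labels that one event record matches."""
    eid = event["id"]
    if eid in (1102, 104):  # 1102: Security log cleared; 104: another log cleared
        return ["event log cleared"]
    if eid == 4698:  # scheduled task created
        return ["scheduled task created"]
    if eid == 7045 and event.get("service", "").upper() == "PSEXESVC":
        return ["PsExec service installed"]
    if eid == 4688:  # process creation
        image = event.get("image", "").lower()
        return [label for frag, label in TOOL_NAMES.items() if frag in image]
    return []

def triage(events):
    """Per host: labels seen, 'high' when log clearing joins another technique."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    report = {}
    for host, labels in per_host.items():
        if labels:
            high = "event log cleared" in labels and len(labels) > 1
            report[host] = {"priority": "high" if high else "review", "labels": sorted(labels)}
    return report

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["priority"], ", ".join(result["labels"]))
```

A scheduled task or a named tool on its own only earns a "review" here; the host is raised to "high" when a cleared log coincides with another technique from the summary.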