Are Russian Entities Facing Joint Cyber Attacks from Head Mare and Twelve?

Article Highlights
Off On

In a startling revelation, cybersecurity firm Kaspersky has reported a significant collaboration between two notorious threat clusters, Head Mare and Twelve, targeting Russian entities. The collaboration signals a new phase of cyber warfare, leveraging sophisticated tools and techniques to breach and compromise both state and private infrastructures. This article delves into the various methods employed by these clusters, their targets, and the potential implications for cybersecurity in Russia.

Head Mare’s Collaborative Offensive

Head Mare has been in the spotlight since September last year for exploiting a now-patched WinRAR vulnerability (CVE-2023-38831) to deliver malware and ransomware, including LockBit for Windows and Babuk for Linux. Recently, Kaspersky’s analysis unearthed that Head Mare has adopted tools and command-and-control (C2) servers previously associated with Twelve. This strategic move suggests a coordinated campaign aimed at Russian targets, employing both malware distribution and infrastructure destruction.

Head Mare’s recent offensive operations have included deploying new tools such as CobInt, a backdoor that has been used in past attacks on Russian firms, and a customized implant named PhantomJitter for remote command execution. This development aligns with Twelve’s historic use of destructive tactics, including data encryption and the deployment of wipers to obliterate victims’ infrastructure. The tactical overlap between Head Mare, Twelve, and another group, Crypt Ghouls, indicates that these threat actors are sharing resources and strategies to maximize their impact.

Both clusters have exploited vulnerabilities in Microsoft Exchange Server, like ProxyLogon (CVE-2021-26855), to gain initial access. Additionally, Head Mare has used phishing emails with rogue attachments to infiltrate networks. Once inside, they have targeted contractors’ networks to compromise critical infrastructures, employing a technique known as a trusted relationship attack. By leveraging ProxyLogon, they executed commands to download and run CobInt on servers, establishing long-term persistence via privileged local user accounts on automation platform servers. These accounts facilitated remote desktop protocol (RDP) connections to transfer and execute malicious tools covertly.

Techniques and Evasion Strategies

The attackers have demonstrated remarkable ingenuity in evading detection. They disguised malicious payloads to resemble legitimate operating system files and meticulously cleared event logs to cover their tracks. Network traffic was concealed using proxy and tunneling tools like Gost and Cloudflared, ensuring that their activities remained under the radar. Their reconnaissance arsenal included quser.exe, tasklist.exe, and netstat.exe, while credential harvesting was accomplished with tools such as Mimikatz, secretsdump, and ProcDump.

For lateral movement within compromised networks, the attackers relied on RDP. They communicated with remote hosts using various tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec. Data exfiltration was facilitated via Rclone, a robust tool designed for cloud storage management. The attacks often culminated in the deployment of ransomware like LockBit 3.0 and Babuk, with victims receiving notes instructing them to contact the attackers on Telegram for decryption keys.

Kaspersky noted that Head Mare’s toolkit is expanding, and its collaboration with Twelve underscores a significant elevation in the cyber threat landscape. This joint effort has successfully targeted both state-run and privately-owned enterprises in Russia, indicating a broad and indiscriminate approach to their cyber warfare tactics.

Additional Threat Actors and Campaigns

Adding another layer of complexity to the cyber threat landscape, BI.ZONE has linked the North Korean-associated threat actor ScarCruft to a phishing campaign last December targeting an unnamed Russian industrial entity. This campaign delivered a malware loader from a remote server, closely resembling another campaign dubbed SHROUDED#SLEEP, documented by cybersecurity firm Securonix. These findings suggest that multiple threat actors with diverse motivations and backgrounds are converging on Russian targets, significantly complicating defense efforts.

Moreover, BI.ZONE also highlighted ongoing cyber attacks by another group known as Bloody Wolf, which has compromised over 400 systems in Kazakhstan and Russia using the NetSupport RAT. This series of attacks further emphasizes the increasing aggressiveness and sophistication of threat actors targeting the region, as well as the dire need for heightened cybersecurity measures.

Evolving Cyber Threat Landscape

In a surprising development, cybersecurity firm Kaspersky has unveiled a significant collaboration between two well-known threat clusters, Head Mare and Twelve, aimed at Russian targets. This alliance marks a new chapter in cyber warfare, utilizing advanced tools and techniques to infiltrate and compromise both government and private sector infrastructures. The article explores the various tactics employed by these criminal groups, their chosen targets, and the potential ramifications for cybersecurity in Russia. The discovery of this cooperation between Head Mare and Twelve suggests a heightened level of sophistication and coordination in cyber attacks, raising concerns about the ability of Russian cybersecurity defenses to withstand such threats. This development could lead to an escalation in both the frequency and severity of cyber attacks on Russian entities, requiring enhanced vigilance and improved defense measures. The cooperation between these clusters may also indicate a trend toward more collaborative efforts among cybercriminals globally, posing a broader challenge for international cybersecurity efforts.

Explore more

Companies Can Prevent Bad AI Hires by Measuring True Fluency

Organizations across the global marketplace are currently grappling with an unprecedented urgency to demonstrate sophisticated artificial intelligence capabilities to their demanding boards and expectant investors. This intense pressure has transformed AI fluency from a specialized technical niche into a mandatory prerequisite for nearly ninety-five percent of organizations operating today. However, the rush to secure talent has led to a paradoxical

Can RPA Balance Healthcare Efficiency With Patient Care?

The modern medical landscape is currently defined by a paradoxical struggle where advanced clinical innovations are often overshadowed by the sheer volume of clerical work required to sustain them. Doctors today spend a staggering amount of their shifts staring at glowing screens rather than engaging with the human beings sitting in the examination rooms. When a physician spends more time

How Is BlackRock Dominating the Tokenized Asset Market?

BlackRock’s strategic deployment of the USD Institutional Digital Liquidity Fund has fundamentally reshaped the landscape of global finance by successfully bridging the gap between traditional banking and decentralized ledgers. This initiative, widely recognized as BUIDL, represents a pivot from the speculative nature of early cryptocurrency markets toward the practical utility of high-grade financial instruments. By 2026, the institutional narrative has

How Can Lagos State Combat Workplace Harassment?

The rapidly evolving commercial landscape of Lagos State, often characterized by its relentless pace and high-stakes corporate environment, currently faces a critical reckoning as reports of workplace harassment continue to surface across various sectors. This phenomenon is not merely a social grievance but a significant barrier to economic productivity and employee retention in Africa’s largest subnational economy. As the city

Microsoft Refines Windows 11 Design With K2 Initiative

The traditional desktop environment is undergoing a fundamental transformation as Microsoft addresses long-standing visual inconsistencies through its ambitious internal project known as the K2 Initiative. This effort represents a significant shift from the piecemeal updates seen in previous years toward a holistic overhaul of the operating system’s aesthetic and functional layers. By prioritizing a more cohesive user experience, developers worked