Are Russian Entities Facing Joint Cyber Attacks from Head Mare and Twelve?

Article Highlights
Off On

In a startling revelation, cybersecurity firm Kaspersky has reported a significant collaboration between two notorious threat clusters, Head Mare and Twelve, targeting Russian entities. The collaboration signals a new phase of cyber warfare, leveraging sophisticated tools and techniques to breach and compromise both state and private infrastructures. This article delves into the various methods employed by these clusters, their targets, and the potential implications for cybersecurity in Russia.

Head Mare’s Collaborative Offensive

Head Mare has been in the spotlight since September last year for exploiting a now-patched WinRAR vulnerability (CVE-2023-38831) to deliver malware and ransomware, including LockBit for Windows and Babuk for Linux. Recently, Kaspersky’s analysis unearthed that Head Mare has adopted tools and command-and-control (C2) servers previously associated with Twelve. This strategic move suggests a coordinated campaign aimed at Russian targets, employing both malware distribution and infrastructure destruction.

Head Mare’s recent offensive operations have included deploying new tools such as CobInt, a backdoor that has been used in past attacks on Russian firms, and a customized implant named PhantomJitter for remote command execution. This development aligns with Twelve’s historic use of destructive tactics, including data encryption and the deployment of wipers to obliterate victims’ infrastructure. The tactical overlap between Head Mare, Twelve, and another group, Crypt Ghouls, indicates that these threat actors are sharing resources and strategies to maximize their impact.

Both clusters have exploited vulnerabilities in Microsoft Exchange Server, like ProxyLogon (CVE-2021-26855), to gain initial access. Additionally, Head Mare has used phishing emails with rogue attachments to infiltrate networks. Once inside, they have targeted contractors’ networks to compromise critical infrastructures, employing a technique known as a trusted relationship attack. By leveraging ProxyLogon, they executed commands to download and run CobInt on servers, establishing long-term persistence via privileged local user accounts on automation platform servers. These accounts facilitated remote desktop protocol (RDP) connections to transfer and execute malicious tools covertly.

Techniques and Evasion Strategies

The attackers have demonstrated remarkable ingenuity in evading detection. They disguised malicious payloads to resemble legitimate operating system files and meticulously cleared event logs to cover their tracks. Network traffic was concealed using proxy and tunneling tools like Gost and Cloudflared, ensuring that their activities remained under the radar. Their reconnaissance arsenal included quser.exe, tasklist.exe, and netstat.exe, while credential harvesting was accomplished with tools such as Mimikatz, secretsdump, and ProcDump.

For lateral movement within compromised networks, the attackers relied on RDP. They communicated with remote hosts using various tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec. Data exfiltration was facilitated via Rclone, a robust tool designed for cloud storage management. The attacks often culminated in the deployment of ransomware like LockBit 3.0 and Babuk, with victims receiving notes instructing them to contact the attackers on Telegram for decryption keys.

Kaspersky noted that Head Mare’s toolkit is expanding, and its collaboration with Twelve underscores a significant elevation in the cyber threat landscape. This joint effort has successfully targeted both state-run and privately-owned enterprises in Russia, indicating a broad and indiscriminate approach to their cyber warfare tactics.

Additional Threat Actors and Campaigns

Adding another layer of complexity to the cyber threat landscape, BI.ZONE has linked the North Korean-associated threat actor ScarCruft to a phishing campaign last December targeting an unnamed Russian industrial entity. This campaign delivered a malware loader from a remote server, closely resembling another campaign dubbed SHROUDED#SLEEP, documented by cybersecurity firm Securonix. These findings suggest that multiple threat actors with diverse motivations and backgrounds are converging on Russian targets, significantly complicating defense efforts.

Moreover, BI.ZONE also highlighted ongoing cyber attacks by another group known as Bloody Wolf, which has compromised over 400 systems in Kazakhstan and Russia using the NetSupport RAT. This series of attacks further emphasizes the increasing aggressiveness and sophistication of threat actors targeting the region, as well as the dire need for heightened cybersecurity measures.

Evolving Cyber Threat Landscape

In a surprising development, cybersecurity firm Kaspersky has unveiled a significant collaboration between two well-known threat clusters, Head Mare and Twelve, aimed at Russian targets. This alliance marks a new chapter in cyber warfare, utilizing advanced tools and techniques to infiltrate and compromise both government and private sector infrastructures. The article explores the various tactics employed by these criminal groups, their chosen targets, and the potential ramifications for cybersecurity in Russia. The discovery of this cooperation between Head Mare and Twelve suggests a heightened level of sophistication and coordination in cyber attacks, raising concerns about the ability of Russian cybersecurity defenses to withstand such threats. This development could lead to an escalation in both the frequency and severity of cyber attacks on Russian entities, requiring enhanced vigilance and improved defense measures. The cooperation between these clusters may also indicate a trend toward more collaborative efforts among cybercriminals globally, posing a broader challenge for international cybersecurity efforts.

Explore more

Business Central Mobile Apps Transform Operations On-the-Go

In an era where business agility defines success, the ability to manage operations from any location has become a critical advantage for companies striving to stay ahead of the curve, and Microsoft Dynamics 365 Business Central mobile apps are at the forefront of this shift. These apps redefine how organizations handle essential tasks like finance, sales, and inventory management by

Transparency Key to Solving D365 Pricing Challenges

Understanding the Dynamics 365 Landscape Imagine a business world where operational efficiency hinges on a single, powerful tool, yet many enterprises struggle to harness its full potential due to unforeseen hurdles. Microsoft Dynamics 365 (D365), a leading enterprise resource planning (ERP) and customer relationship management (CRM) solution, stands as a cornerstone for medium to large organizations aiming to integrate and

Generative AI Transforms Finance with Automation and Strategy

This how-to guide aims to equip finance professionals, particularly chief financial officers (CFOs) and their teams, with actionable insights on leveraging generative AI to revolutionize their operations. By following the steps outlined, readers will learn how to automate routine tasks, enhance strategic decision-making, and position their organizations for competitive advantage in a rapidly evolving industry. The purpose of this guide

How Is Tech Revolutionizing Traditional Payroll Systems?

In an era where adaptability defines business success, the payroll landscape is experiencing a profound transformation driven by technological innovation, reshaping how companies manage compensation. For decades, businesses relied on rigid monthly or weekly pay cycles that often failed to align with the diverse needs of employees or the dynamic nature of modern enterprises. Today, however, a wave of cutting-edge

Why Is Employee Career Development a Business Imperative?

Setting the Stage for a Critical Business Priority Imagine a workplace where top talent consistently leaves for better opportunities, costing millions in turnover while productivity stagnates due to outdated skills. This scenario is not a distant possibility but a reality for many organizations that overlook employee career development. In an era of rapid technological change and fierce competition for skilled