In a startling revelation, cybersecurity firm Kaspersky has reported a significant collaboration between two notorious threat clusters, Head Mare and Twelve, targeting Russian entities. The collaboration signals a new phase of cyber warfare, leveraging sophisticated tools and techniques to breach and compromise both state and private infrastructures. This article delves into the various methods employed by these clusters, their targets, and the potential implications for cybersecurity in Russia.
Head Mare’s Collaborative Offensive
Head Mare has been in the spotlight since September last year for exploiting a now-patched WinRAR vulnerability (CVE-2023-38831) to deliver malware and ransomware, including LockBit for Windows and Babuk for Linux. Recently, Kaspersky’s analysis unearthed that Head Mare has adopted tools and command-and-control (C2) servers previously associated with Twelve. This strategic move suggests a coordinated campaign aimed at Russian targets, employing both malware distribution and infrastructure destruction.
Head Mare’s recent offensive operations have included deploying new tools such as CobInt, a backdoor that has been used in past attacks on Russian firms, and a customized implant named PhantomJitter for remote command execution. This development aligns with Twelve’s historic use of destructive tactics, including data encryption and the deployment of wipers to obliterate victims’ infrastructure. The tactical overlap between Head Mare, Twelve, and another group, Crypt Ghouls, indicates that these threat actors are sharing resources and strategies to maximize their impact.
Both clusters have exploited vulnerabilities in Microsoft Exchange Server, like ProxyLogon (CVE-2021-26855), to gain initial access. Additionally, Head Mare has used phishing emails with rogue attachments to infiltrate networks. Once inside, they have targeted contractors’ networks to compromise critical infrastructures, employing a technique known as a trusted relationship attack. By leveraging ProxyLogon, they executed commands to download and run CobInt on servers, establishing long-term persistence via privileged local user accounts on automation platform servers. These accounts facilitated remote desktop protocol (RDP) connections to transfer and execute malicious tools covertly.
Techniques and Evasion Strategies
The attackers have demonstrated remarkable ingenuity in evading detection. They disguised malicious payloads to resemble legitimate operating system files and meticulously cleared event logs to cover their tracks. Network traffic was concealed using proxy and tunneling tools like Gost and Cloudflared, ensuring that their activities remained under the radar. Their reconnaissance arsenal included quser.exe, tasklist.exe, and netstat.exe, while credential harvesting was accomplished with tools such as Mimikatz, secretsdump, and ProcDump.
For lateral movement within compromised networks, the attackers relied on RDP. They communicated with remote hosts using various tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec. Data exfiltration was facilitated via Rclone, a robust tool designed for cloud storage management. The attacks often culminated in the deployment of ransomware like LockBit 3.0 and Babuk, with victims receiving notes instructing them to contact the attackers on Telegram for decryption keys.
Kaspersky noted that Head Mare’s toolkit is expanding, and its collaboration with Twelve underscores a significant elevation in the cyber threat landscape. This joint effort has successfully targeted both state-run and privately-owned enterprises in Russia, indicating a broad and indiscriminate approach to their cyber warfare tactics.
Additional Threat Actors and Campaigns
Adding another layer of complexity to the cyber threat landscape, BI.ZONE has linked the North Korean-associated threat actor ScarCruft to a phishing campaign last December targeting an unnamed Russian industrial entity. This campaign delivered a malware loader from a remote server, closely resembling another campaign dubbed SHROUDED#SLEEP, documented by cybersecurity firm Securonix. These findings suggest that multiple threat actors with diverse motivations and backgrounds are converging on Russian targets, significantly complicating defense efforts.
Moreover, BI.ZONE also highlighted ongoing cyber attacks by another group known as Bloody Wolf, which has compromised over 400 systems in Kazakhstan and Russia using the NetSupport RAT. This series of attacks further emphasizes the increasing aggressiveness and sophistication of threat actors targeting the region, as well as the dire need for heightened cybersecurity measures.
Evolving Cyber Threat Landscape
In a surprising development, cybersecurity firm Kaspersky has unveiled a significant collaboration between two well-known threat clusters, Head Mare and Twelve, aimed at Russian targets. This alliance marks a new chapter in cyber warfare, utilizing advanced tools and techniques to infiltrate and compromise both government and private sector infrastructures. The article explores the various tactics employed by these criminal groups, their chosen targets, and the potential ramifications for cybersecurity in Russia. The discovery of this cooperation between Head Mare and Twelve suggests a heightened level of sophistication and coordination in cyber attacks, raising concerns about the ability of Russian cybersecurity defenses to withstand such threats. This development could lead to an escalation in both the frequency and severity of cyber attacks on Russian entities, requiring enhanced vigilance and improved defense measures. The cooperation between these clusters may also indicate a trend toward more collaborative efforts among cybercriminals globally, posing a broader challenge for international cybersecurity efforts.