Are Russian Entities Facing Joint Cyber Attacks from Head Mare and Twelve?

Article Highlights
Off On

In a startling revelation, cybersecurity firm Kaspersky has reported a significant collaboration between two notorious threat clusters, Head Mare and Twelve, targeting Russian entities. The collaboration signals a new phase of cyber warfare, leveraging sophisticated tools and techniques to breach and compromise both state and private infrastructures. This article delves into the various methods employed by these clusters, their targets, and the potential implications for cybersecurity in Russia.

Head Mare’s Collaborative Offensive

Head Mare has been in the spotlight since September last year for exploiting a now-patched WinRAR vulnerability (CVE-2023-38831) to deliver malware and ransomware, including LockBit for Windows and Babuk for Linux. Recently, Kaspersky’s analysis unearthed that Head Mare has adopted tools and command-and-control (C2) servers previously associated with Twelve. This strategic move suggests a coordinated campaign aimed at Russian targets, employing both malware distribution and infrastructure destruction.

Head Mare’s recent offensive operations have included deploying new tools such as CobInt, a backdoor that has been used in past attacks on Russian firms, and a customized implant named PhantomJitter for remote command execution. This development aligns with Twelve’s historic use of destructive tactics, including data encryption and the deployment of wipers to obliterate victims’ infrastructure. The tactical overlap between Head Mare, Twelve, and another group, Crypt Ghouls, indicates that these threat actors are sharing resources and strategies to maximize their impact.

Both clusters have exploited vulnerabilities in Microsoft Exchange Server, like ProxyLogon (CVE-2021-26855), to gain initial access. Additionally, Head Mare has used phishing emails with rogue attachments to infiltrate networks. Once inside, they have targeted contractors’ networks to compromise critical infrastructures, employing a technique known as a trusted relationship attack. By leveraging ProxyLogon, they executed commands to download and run CobInt on servers, establishing long-term persistence via privileged local user accounts on automation platform servers. These accounts facilitated remote desktop protocol (RDP) connections to transfer and execute malicious tools covertly.

Techniques and Evasion Strategies

The attackers have demonstrated remarkable ingenuity in evading detection. They disguised malicious payloads to resemble legitimate operating system files and meticulously cleared event logs to cover their tracks. Network traffic was concealed using proxy and tunneling tools like Gost and Cloudflared, ensuring that their activities remained under the radar. Their reconnaissance arsenal included quser.exe, tasklist.exe, and netstat.exe, while credential harvesting was accomplished with tools such as Mimikatz, secretsdump, and ProcDump.

For lateral movement within compromised networks, the attackers relied on RDP. They communicated with remote hosts using various tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec. Data exfiltration was facilitated via Rclone, a robust tool designed for cloud storage management. The attacks often culminated in the deployment of ransomware like LockBit 3.0 and Babuk, with victims receiving notes instructing them to contact the attackers on Telegram for decryption keys.

Kaspersky noted that Head Mare’s toolkit is expanding, and its collaboration with Twelve underscores a significant elevation in the cyber threat landscape. This joint effort has successfully targeted both state-run and privately-owned enterprises in Russia, indicating a broad and indiscriminate approach to their cyber warfare tactics.

Additional Threat Actors and Campaigns

Adding another layer of complexity to the cyber threat landscape, BI.ZONE has linked the North Korean-associated threat actor ScarCruft to a phishing campaign last December targeting an unnamed Russian industrial entity. This campaign delivered a malware loader from a remote server, closely resembling another campaign dubbed SHROUDED#SLEEP, documented by cybersecurity firm Securonix. These findings suggest that multiple threat actors with diverse motivations and backgrounds are converging on Russian targets, significantly complicating defense efforts.

Moreover, BI.ZONE also highlighted ongoing cyber attacks by another group known as Bloody Wolf, which has compromised over 400 systems in Kazakhstan and Russia using the NetSupport RAT. This series of attacks further emphasizes the increasing aggressiveness and sophistication of threat actors targeting the region, as well as the dire need for heightened cybersecurity measures.

Evolving Cyber Threat Landscape

In a surprising development, cybersecurity firm Kaspersky has unveiled a significant collaboration between two well-known threat clusters, Head Mare and Twelve, aimed at Russian targets. This alliance marks a new chapter in cyber warfare, utilizing advanced tools and techniques to infiltrate and compromise both government and private sector infrastructures. The article explores the various tactics employed by these criminal groups, their chosen targets, and the potential ramifications for cybersecurity in Russia. The discovery of this cooperation between Head Mare and Twelve suggests a heightened level of sophistication and coordination in cyber attacks, raising concerns about the ability of Russian cybersecurity defenses to withstand such threats. This development could lead to an escalation in both the frequency and severity of cyber attacks on Russian entities, requiring enhanced vigilance and improved defense measures. The cooperation between these clusters may also indicate a trend toward more collaborative efforts among cybercriminals globally, posing a broader challenge for international cybersecurity efforts.

Explore more

Vivo X Fold 6 – Review

The arrival of the Vivo X Fold 6 marks a pivotal moment where foldable devices transcend their status as fragile novelties to become the primary choice for power users. This transition represents a significant advancement in the mobile sector, pushing the boundaries of what a single handset can accomplish. By merging a book-style form factor with the raw performance of

Oppo Reno16 Series – Review

The modern smartphone market has reached a peculiar crossroads where the distinction between mid-range utility and flagship luxury is no longer defined by features but by the audacity of a manufacturer’s pricing strategy. Traditional product cycles often prioritize incremental updates, but this latest iteration signals a departure from conservative engineering. By integrating components usually reserved for the highest echelon of

AI Adoption Fails Without Proper Workforce Readiness

Ling-yi Tsai is a formidable force in the HRTech sector, possessing decades of experience guiding global organizations through the complex labyrinth of digital evolution. Her mastery of HR analytics and her tactical approach to integrating technology across recruitment and talent management have made her a sought-after advisor for companies looking to bridge the gap between human potential and machine efficiency.

The Human Infrastructure Powering Artificial Intelligence

The seamless flicker of a chatbot’s reply or the effortless lane change of a driverless vehicle often masks a vast, invisible network of human cognitive labor that makes such digital grace possible. While the marketing of advanced technology frequently paints a picture of silicon brains evolving in isolation, the underlying reality is a global assembly line of human intelligence. Every

Bruce Clay Leaves a Lasting Legacy as the Father of SEO

The Architect of an Industry and the Importance of Digital Frameworks The digital landscape we navigate today was not born out of thin air but was meticulously shaped by a few visionary thinkers who saw the potential of the internet long before it became a global marketplace. Among these pioneers, Bruce Clay stood as a singular figure whose influence spanned