According to research by Kaspersky Lab, two hacktivist groups, Twelve and Blackjack, may be operating within the same organizational structure. The groups were first identified in late 2023, when they started targeting companies based in Russia. While the hackers claim their actions are financially motivated, their primary goals appear to be data theft and the destruction of IT infrastructure.
One of the groups, Blackjack, uses publicly available software such as the PuTTY SSH client in its attacks. It has also obtained and deployed the Shamoon wiper, which indicates limited resources compared to larger cyber groups. Blackjack additionally uses LockBit code derived from leaked source code, and the ngrok tunneling tool to maintain continuous access to infected systems.
Both Twelve and Blackjack employ legitimate remote system management tools such as Radmin and AnyDesk alongside malicious software. This blend of open and affordable tools makes their attacks less detectable in the initial stages and complicates tracking efforts.
The research shows that the attack patterns of both groups are similar: malware is placed in network directories and launched using the task scheduler. The methods used to cover their tracks, such as clearing event logs with PowerShell, are also identical between the two groups.
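A defender can hunt for the two behaviors described above together. The following is an added example, not code from the Kaspersky research: it correlates, per host, scheduled tasks whose action runs from a network path with event log clearing. The event records are constructed and use simplified, assumed field names (`host`, `id`, `command`, `script`); the event IDs are the standard Windows ones.

```python
import re

# Constructed sample events with simplified fields (not taken from the report).
# 4698 = scheduled task created, 4104 = PowerShell script block logged,
# 1102 / 104 = Security / other event log cleared.
SAMPLE_EVENTS = [
    {"host": "srv01", "id": 4698, "command": r"\\dc01\netlogon\upd.exe"},
    {"host": "srv01", "id": 4104, "script": "Clear-EventLog -LogName Security"},
    {"host": "srv01", "id": 1102},
    {"host": "ws07", "id": 4698, "command": r"C:\Program Files\Backup\run.exe"},
    {"host": "ws07", "id": 4104, "script": r"Get-ChildItem C:\Temp"},
]

# Task action that starts with a UNC path (\\server\share\...).
UNC_ACTION = re.compile(r'^\s*"?\\\\[^\\\s]+\\')
# Common ways to clear event logs from PowerShell or the command line.
LOG_CLEAR = re.compile(
    r"\b(Clear-EventLog|Remove-EventLog|wevtutil(\.exe)?\s+(cl|clear-log))\b",
    re.IGNORECASE,
)

def findings(event):
    """Return the set of suspicious labels for a single event."""
    labels = set()
    if event["id"] == 4698 and UNC_ACTION.search(event.get("command", "")):
        labels.add("task_from_network_share")
    if event["id"] == 4104 and LOG_CLEAR.search(event.get("script", "")):
        labels.add("log_clear_command")
    if event["id"] in (1102, 104):
        labels.add("log_cleared")
    return labels

def correlate(events):
    """Group labels by host so related activity is reviewed together."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(findings(ev))
    return {host: sorted(labels) for host, labels in per_host.items()}

def high_priority(events):
    """Hosts with a task launched from a share AND evidence of log clearing."""
    clearing = {"log_clear_command", "log_cleared"}
    return sorted(
        host for host, labels in correlate(events).items()
        if "task_from_network_share" in labels and clearing & set(labels)
    )
```

Either signal alone is common in administered networks; the combination on one host is what merits triage first.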
Despite claims of financial motivation, it appears that the primary objective of Twelve and Blackjack is the widespread destruction of IT infrastructure within the organizations they target.