In September 2024, cyber attacks targeting Russian companies were conducted by two hacktivist groups, Head Mare and Twelve, revealing overlapping tactics, tools, and infrastructure. Analysis suggests collaboration between the groups, particularly as Head Mare has begun using tactics and tools, such as the CobInt backdoor, previously associated only with Twelve. The investigation emphasizes the evolution of Head Mare’s methods, incorporating both familiar and new tools, including PowerShell-based applications.
Head Mare’s Toolkit
Head Mare employed a variety of publicly available and proprietary tools for their operations. Noteworthy among these are:
- Mimikatz and ADRecon for credential extraction and directory reconnaissance.
- CobInt for backdoor operations, which aligns with prior Twelve attacks.
- Newly introduced tools included a custom backdoor, PhantomJitter, established in August 2024, and a new remote command execution tool targeting business automation servers.
Initial Access Techniques
Head Mare’s initial access strategy evolved from solely phishing emails to leveraging compromised contractors with RDP connections and exploiting software vulnerabilities—most notably, the CVE-2023-38831 WinRAR vulnerability and the Microsoft Exchange CVE-2021-26855 (“ProxyLogon”). This reflects a trend among hacktivists in utilizing trusted relationships for infiltration.
Persistence Mechanisms
To maintain access, attackers created new privileged local accounts on compromised servers rather than relying on scheduled tasks. They employed tools like Localtonet and managed persistence using the Non-Sucking Service Manager (NSSM), which ensures their tools remain operational and can recover from failures.
Anti-Detection Tactics
Head Mare continued to employ masquerading techniques to avoid detection, renaming malicious executables to mimic legitimate OS files. They also implemented log-clearing commands to erase traces of their activities.
Command and Control Infrastructure
Post-infiltration, Head Mare downloaded tools like PhantomJitter from designated URLs. The backdoor allowed attackers to connect to their command-and-control (C2) servers to execute commands remotely. The script used by attackers facilitated the installation and configuration of tunneling tools like Cloudflared and Gost for secure communications.
Reconnaissance Activities
For internal reconnaissance, attackers utilized various tools, including SoftPerfect Network Scanner and ADRecon, to gather extensive information about the network and its users.
Exploitation and Lateral Movement
Exploiting previously compromised accounts, attackers escalated privileges and executed commands via RDP and SSH. They utilized tools such as PsExec and smbexec for spreading across the network and gathering credentials.
Data Collection and Exfiltration
Head Mare introduced rclone.exe, disguised as a legitimate Windows update process, to facilitate data transfer from hosts to a remote SFTP server. This was used to exfiltrate sensitive documents and files.
Ransomware Deployment
The organization finalized their attacks by encrypting critical files using ransomware variants such as LockBit 3.0 and Babuk. Ransom notes were left on infected systems, indicative of their attack strategy.
Collaboration Indicators
The investigation highlighted connections between Head Mare’s and Twelve’s toolsets, infrastructures, and operational tactics. Overlaps in command-and-control servers and tactics prompted considerations of joint operational frameworks.
Future Observations
As Head Mare integrates new techniques and tools—while also adapting those previously recognized in Twelve’s operations—monitoring their activities remains vital. The collaborative nature of these hacktivist groups points to a potentially escalating threat landscape targeting Russian companies and emphasizes the need for ongoing scrutiny and awareness within cybersecurity practices.
In conclusion, the interplay between Head Mare and Twelve exemplifies the evolving nature of cyber threats, with shared resources and tactics resulting in more effective attack campaigns. Continuous updates through threat intelligence sources are essential in understanding and mitigating these risks.