A striking resemblance: Gambling Hyena and Twelfth Hyena clusters compared

BI.ZONE
4 min readDec 28, 2023

--

What is common between two hacktivist groups attacking the Russian government sector.

The BI.ZONE Threat Intelligence team has expanded its taxonomy of threat actors. Previously, we distinguished state-sponsored groups as Werewolves and all the others as Wolves. Now, we have singled out yet another group to track hacktivist clusters as Hyenas.

In this article, we look into the similarities between two hacktivist clusters of activities: Gambling Hyena and Twelfth Hyena (previously, Twelfth Wolf).

Despite the limited data at our disposal, it is obvious that both clusters share common tactics, techniques, and procedures. This may suggest either an overlap in participants or the same organizer.

Comparison

Targeted industries

The two clusters of activity tend to attack organizations in the government sector.

Defense Evasion

Both groups abuse legitimate accounts to interact with compromised IT infrastructures, modify user application settings, and disable antivirus.

Moreover, both clusters apply wevtutil to clear event logs, for example:

powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}

This enables the attackers to hamper forensic efforts when their activity is discovered.

Credential Access

The ability to neutralize antivirus allowed the perpetrators to obtain additional authentication data. For this purpose, they employed widespread tools such as Mimikatz. The attackers did not even bother to modify or rename the tool. Although their methods were easy to detect, the absence of required monitoring tools in the victim organizations enabled the attackers to remain invisible up until they started acting destructively.

Lateral Movement

Another tool favored by the groups under research is PsExec (Sysinternals Suite). The tool allowed the adversaries to execute commands remotely. While PsExec is also popular among attackers (same as Mimikatz), we nonetheless consider the application of this tool as an additional matching factor.

Ransomware and wipers

Both clusters of activity leverage ransomware and wipers to inflict damage on the compromised infrastructures.

The perpetrators do not develop their own malware. Instead, they opt for a ransomware program based on the LockBit Black (3.0) builder, which became publicly available in September 2022.

X (Twitter) post with a link to LockBit Black (3.0)

The ransomware instance was configured to mimic the unique malicious program: from the ransom note to the desktop theme.

Ransomware desktop theme on a victim’s computer

As regards wipers, both clusters use Shamoon 4 to destroy data in compromised systems. The source code of the malware is available on GitHub.

Shamoon 4 repository on GitHub

It is worth mentioning that Gambling Hyena prefers the wiper version written in Golang.

Data leaks

Both clusters reveal the names of their victims in dedicated Telegram channels. For instance, Gambling Hyena publishes such information in a channel called Blackjack.

Blackjack publication about a new victim

Twelfth Hyena discloses such information in another Telegram channel, TWELVE.

TWELVE publication about a new victim

As seen in the above examples, both channels have posts in Russian and English with certain stylistic similarities.

Nevertheless, the channels provide new information about the victims, with six and eight affected organizations disclosed by Blackjack and TWELVE, respectively.

Conclusion

Although the BI.ZONE Threat Intelligence team views Twelfth Hyena and Gambling Hyena as independent clusters, the overlaps in their methods and tools suggest that the two may be closely interconnected. However, the limited amount of data at our disposal does not allow us to make a firm assumption.

MITRE ATT&CK

How threat intelligence can protect your company against such threats

To learn more about the current cyber threat landscape and the methods employed to attack IT infrastructures similar to yours, we recommend that you take advantage of the BI.ZONE Threat Intelligence platform. With insights on the attackers derived from the platform, you will be able to defend your business proactively. On top of that, the indicators of compromise updated on a daily basis will boost the effectiveness of your security tools.

--

--

BI.ZONE
BI.ZONE

Written by BI.ZONE

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age

No responses yet