From 12 to 21: how we discovered connections between the Twelve and BlackJack groups

While analyzing attacks on Russian organizations, our team regularly encounters overlapping tactics, techniques, and procedures (TTPs) among different cybercrime groups, and sometimes even shared tools. We recently discovered one such overlap: similar tools and tactics between two hacktivist groups – BlackJack and Twelve, which likely belong to a single cluster of activity.


In this report, we will provide information about the current procedures, legitimate tools, and malware used by the BlackJack group, and demonstrate their similarity to artifacts found in Twelve’s attacks. We will also analyze another recently discovered activity that has much in common with the activity of the potential cluster.


Who are BlackJack?


BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. In their Telegram channel, the group states that it aims to find vulnerabilities in the networks of Russian organizations and government institutions.


As of June 2024, BlackJack has publicly claimed responsibility for over a dozen attacks. Our telemetry also contains information on other unpublicized attacks, where indicators suggest BlackJack’s involvement.


The group uses only freely available and open-source software, such as the SSH client PuTTY or the wiper Shamoon, which has been available on GitHub for several years. This confirms that the group operates as hacktivists and lacks the resources typical of large APT groups.


Malware and legitimate tools in BlackJack attacks


Wiper – Shamoon


BlackJack uses a version of the Shamoon wiper written in Go in their attacks. Static analysis helped us extract the following characteristic strings:


Strings ..
