A striking resemblance: Gambling Hyena and Twelfth Hyena clusters compared
The BI.ZONE Threat Intelligence team has expanded its taxonomy of threat actors. Previously, we distinguished state‑sponsored groups as Werewolves and all the others as Wolves. Now we have added a third category: hacktivist clusters are tracked as Hyenas.
In this article, we look into the similarities between two hacktivist clusters of activities: Gambling Hyena and Twelfth Hyena (previously, Twelfth Wolf).
Despite the limited data at our disposal, it is obvious that both clusters share common tactics, techniques, and procedures. This may suggest either an overlap in participants or the same organizer.
Targeted industries
The two clusters of activity tend to attack organizations in the government sector.
Defense Evasion
Both groups abuse legitimate accounts to interact with compromised IT infrastructures, modify user application settings, and disable antivirus software.
Moreover, both clusters use wevtutil to clear event logs, for example:

```powershell
powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}
```
This enables the attackers to hamper forensic efforts when their activity is discovered.
Credential Access
The ability to neutralize antivirus allowed the perpetrators to obtain additional authentication data. For this purpose, they employed widespread tools such as Mimikatz. The attackers did not even bother to modify or rename the tool. Although their methods were easy to detect, the absence of required monitoring tools in the victim organizations enabled the attackers to remain invisible up until they started acting destructively.
Lateral Movement
Another tool favored by the groups under research is PsExec (Sysinternals Suite), which allowed the adversaries to execute commands remotely. Although PsExec, like Mimikatz, is widely used by attackers in general, we nonetheless consider its use an additional matching factor.
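The two techniques above, clearing event logs with wevtutil and remote execution with PsExec, leave traces in standard Windows logs. The following added example (not part of the BI.ZONE article) runs simple detection logic over constructed event records modelled on Security event 4688 (process creation with command line), Security event 1102 and System event 104 (log cleared), and System event 7045 (service installed, which PsExec triggers with its PSEXESVC service); host names and command lines are invented sample data.

```python
import re

# Constructed sample events (not from the article), shaped like Windows Security/System log fields.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4688, "host": "srv-01",
     "command_line": "powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}"},
    {"channel": "Security", "event_id": 4688, "host": "srv-01",
     "command_line": "wevtutil.exe qe Security /c:5 /f:text"},          # benign: querying, not clearing
    {"channel": "Security", "event_id": 1102, "host": "srv-01", "command_line": ""},
    {"channel": "System", "event_id": 7045, "host": "srv-02", "command_line": "",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"channel": "Security", "event_id": 4688, "host": "srv-03",
     "command_line": "notepad.exe C:\\notes.txt"},
]

# wevtutil clear-log, short or long form, with or without .exe; case-insensitive.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)
# Enumerate-then-clear in one command line: the "wipe every log" one-liner quoted in the article.
WEVTUTIL_ENUM_AND_CLEAR = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:el|enum-logs)\b.*\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b",
    re.IGNORECASE | re.DOTALL)

def classify(event):
    """Return the detection names that fire for one event (empty list if nothing matches)."""
    hits = []
    eid, chan = event["event_id"], event["channel"]
    cmd = event.get("command_line", "")
    if eid == 4688 and WEVTUTIL_CLEAR.search(cmd):
        hits.append("wevtutil_clear_all_logs" if WEVTUTIL_ENUM_AND_CLEAR.search(cmd)
                    else "wevtutil_clear_log")
    if (chan, eid) in {("Security", 1102), ("System", 104)}:
        hits.append("event_log_cleared")   # survives even if the clearing command itself was not logged
    if chan == "System" and eid == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        hits.append("psexec_service_installed")
    return hits

def scan(events):
    """Group detections per host so an analyst can see the TTPs clustering on one machine."""
    per_host = {}
    for ev in events:
        for name in classify(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in per_host.items()}

if __name__ == "__main__":
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, names)
```

Event 1102/104 is the more robust signal: it is written by the Event Log service itself, so it is present even when process-creation auditing was off at the time the wevtutil command ran.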
Ransomware and wipers
Both clusters of activity leverage ransomware and wipers to inflict damage on the compromised infrastructures.
The perpetrators do not develop their own malware. Instead, they opt for a ransomware program based on the LockBit Black (3.0) builder, which became publicly available in September 2022.
The ransomware samples were configured to pass for a unique malicious program of the group's own, from the ransom note to the desktop theme.
As regards wipers, both clusters use Shamoon 4 to destroy data in compromised systems. The source code of the malware is available on GitHub.
It is worth mentioning that Gambling Hyena prefers the wiper version written in Golang.
Data leaks
Both clusters reveal the names of their victims in dedicated Telegram channels. For instance, Gambling Hyena publishes such information in a channel called Blackjack.
Twelfth Hyena discloses such information in another Telegram channel, TWELVE.
As seen in the above examples, both channels have posts in Russian and English with certain stylistic similarities.
Nevertheless, each channel provides its own information about the victims: six affected organizations are disclosed by Blackjack and eight by TWELVE.
Although the BI.ZONE Threat Intelligence team views Twelfth Hyena and Gambling Hyena as independent clusters, the overlaps in their methods and tools suggest that the two may be closely interconnected. However, the limited amount of data at our disposal does not allow us to draw a firm conclusion.
| Tactic | Gambling Hyena | Twelfth Hyena |
|---|---|---|
| Initial Access | — | Trusted Relationship (T1199) |
| Initial Access | Valid Accounts (T1078) | Valid Accounts (T1078) |
| Execution | PowerShell (T1059.001) | PowerShell (T1059.001) |
| Execution | Windows Command Shell (T1059.003) | Windows Command Shell (T1059.003) |
| Execution | Scheduled Task (T1053.005) | Scheduled Task (T1053.005) |
| Defense Evasion | Clear Windows Event Logs (T1070.001) | Clear Windows Event Logs (T1070.001) |
| Defense Evasion | — | File Deletion (T1070.004) |
| Credential Access | LSASS Memory (T1003.001) | LSASS Memory (T1003.001) |
| Discovery | — | Remote System Discovery (T1018) |
| Discovery | — | System Owner/User Discovery (T1033) |
| Discovery | — | Domain Account (T1087.002) |
| Discovery | — | Domain Trust Discovery (T1482) |
| Lateral Movement | Remote Desktop Protocol (T1021.001) | Remote Desktop Protocol (T1021.001) |
| Lateral Movement | SMB/Windows Admin Shares (T1021.002) | SMB/Windows Admin Shares (T1021.002) |
| Command and Control | External Proxy (T1090.002) | — |
| Impact | Data Encrypted for Impact (T1486) | Data Encrypted for Impact (T1486) |
| Impact | Data Destruction (T1485) | Data Destruction (T1485) |
To learn more about the current cyber threat landscape and the methods employed to attack IT infrastructures similar to yours, we recommend that you take advantage of the BI.ZONE Threat Intelligence platform. With insights on the attackers derived from the platform, you will be able to defend your business proactively. On top of that, the indicators of compromise updated on a daily basis will boost the effectiveness of your security tools.