A pair of Russian-speaking hackers, likely working in legitimate information security roles, has quietly emerged as a major threat to banks in Russia and numerous other former Soviet republics in recent months.
The duo, who security vendor Group-IB is tracking as "Silence," is known to have stolen at least $800,000 from banks in Russia, Ukraine, Belarus, Poland, Kazakhstan, and Azerbaijan over the past year. The actual financial damages caused by the pair could be a lot higher given the likelihood that many incidents remain undiscovered or unattributed to Silence because of the group's relative newness to security researchers, Group-IB said in a report this week.
Group-IB researchers first began tracking Silence in 2016 following a failed attempt to steal money from a Russian bank. The hackers disappeared from sight for more than one year after that, but then resurfaced in October 2017 when they attacked a bank's ATM network and stole over $100,000 in a single night. Since then, Group-IB says it has identified Silence as being responsible for at least two more bank thefts — one in February 2018, when they netted $550,000 via a bank's ATM machines, and the second in March, involving $150,000.
Several aspects about Silence make it interesting, Group-IB says. One distinctive feature is its unusually small size, especially considering the damage it has been creating. The Silence group appears to currently comprise just an operator and a developer.
The operator appears to be the one in charge, with in-depth knowledge about tools for conducting pen tests on banking systems, navigating inside a bank's network, and gaining access to protected systems. The developer seems to be an adept reverse-engineer who is responsible for developing the tools and exploits that Silence has been using to break into bank networks and steal money.
The pair's tactics and behavior suggest that both are either currently working in a legitimate information security role or were recently in one, says Rustam Mirkasymov, head of dynamic analysis of malicious code at Group-IB. For example, Silence appears to have ready access to unique, non-public malware samples that only security researchers typically have. The developer's seemingly deep knowledge of ATM machines and processes suggests the individual is an insider or was one recently. The pair's behavior during incidents also suggest they are analyzing and closely following security reports, Mirkasymov says.
Because of the group's small size, the hackers have so far been somewhat limited in their ability to carry out attacks. Typically, they have averaged about three months between incidents, which is about three times as long as other financially motivated threat groups, such as Carbanak/Cobalt/FIN7 and MoneyTaker, usually take.
The two-person threat group has also shown a tendency to observe and learn from the actions of other threat actors, Mirkasymov says. Initially, Silence used third-party tools in its attacks but over time developed its own sophisticated toolkit. The unique set of card processing and ATM attack tools Silence has developed includes "Atmosphere," a tool for getting ATMs to dispense large amounts of cash on demand; "Farse," a utility for grabbing passwords from infected systems; and "Cleaner," for getting rid of incriminating logs.
Like many other advanced persistent threat (APT) actors, Silence uses several borrowed tools in its capers, including a bot for conducting initial attacks and a tool for launching distributed denial of service (DDoS) attacks. Initially, the Silence duo used hacked servers and compromised accounts for carrying out its campaigns, but they have evolved to using phishing domains and self-signed certificates to drop malware on target networks.
"Now [that] they have tested the waters, they are formed, experienced, and ready to conduct sophisticated attacks on banking systems," Mirkasymov says. Rather than reinventing the wheel, "they prefer to use well-known techniques, such as logical attacks on ATMs, and attacks on payment systems and card processing, employed by other financially motivated cybercriminals," he says.
Silence's geography of successful attacks so far has been limited to the so-called Commonwealth of Independent States (CIS), or nations that once belonged to the Soviet Union. But its ambitions appear much broader. According to Mirkasymov, the group has sent phishing emails to bank employees in some 25 countries, including Germany, Great Britain, the Czech Republic, Romania, Malaysia, Kenya, Israel, Cyprus, and Greece.
Silence does not only attack banks, Mirkasymov cautions. The group also has shown a tendency to attack online stores, news agencies, and insurance companies, using their infrastructure to conduct attacks on financial institutions.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.