Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/5/2018
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Silence Group Quietly Emerges as New Threat to Banks

Though only two members strong, hackers pose a credible threat to banks in Russia and multiple countries.

A pair of Russian-speaking hackers, likely working in legitimate information security roles, has quietly emerged as a major threat to banks in Russia and numerous other former Soviet republics in recent months.

The duo, who security vendor Group-IB is tracking as "Silence," is known to have stolen at least $800,000 from banks in Russia, Ukraine, Belarus, Poland, Kazakhstan, and Azerbaijan over the past year. The actual financial damages caused by the pair could be a lot higher given the likelihood that many incidents remain undiscovered or unattributed to Silence because of the group's relative newness to security researchers, Group-IB said in a report this week.

Group-IB researchers first began tracking Silence in 2016 following a failed attempt to steal money from a Russian bank. The hackers disappeared from sight for more than one year after that, but then resurfaced in October 2017 when they attacked a bank's ATM network and stole over $100,000 in a single night. Since then, Group-IB says it has identified Silence as being responsible for at least two more bank thefts — one in February 2018, when they netted $550,000 via a bank's ATM machines, and the second in March, involving $150,000.

Several aspects about Silence make it interesting, Group-IB says. One distinctive feature is its unusually small size, especially considering the damage it has been creating. The Silence group appears to currently comprise just an operator and a developer.

The operator appears to be the one in charge, with in-depth knowledge about tools for conducting pen tests on banking systems, navigating inside a bank's network, and gaining access to protected systems. The developer seems to be an adept reverse-engineer who is responsible for developing the tools and exploits that Silence has been using to break into bank networks and steal money.

The pair's tactics and behavior suggest that both are either currently working in a legitimate information security role or were recently in one, says Rustam Mirkasymov, head of dynamic analysis of malicious code at Group-IB. For example, Silence appears to have ready access to unique, non-public malware samples that only security researchers typically have. The developer's seemingly deep knowledge of ATM machines and processes suggests the individual is an insider or was one recently. The pair's behavior during incidents also suggest they are analyzing and closely following security reports, Mirkasymov says.

Because of the group's small size, the hackers have so far been somewhat limited in their ability to carry out attacks. Typically, they have averaged about three months between incidents, which is about three times as long as other financially motivated threat groups, such as Carbanak/Cobalt/FIN7 and MoneyTaker, usually take.

The two-person threat group has also shown a tendency to observe and learn from the actions of other threat actors, Mirkasymov says. Initially, Silence used third-party tools in its attacks but over time developed its own sophisticated toolkit. The unique set of card processing and ATM attack tools Silence has developed includes "Atmosphere," a tool for getting ATMs to dispense large amounts of cash on demand; "Farse," a utility for grabbing passwords from infected systems; and "Cleaner," for getting rid of incriminating logs.

Like many other advanced persistent threat (APT) actors, Silence uses several borrowed tools in its capers, including a bot for conducting initial attacks and a tool for launching distributed denial of service (DDoS) attacks. Initially, the Silence duo used hacked servers and compromised accounts for carrying out its campaigns, but they have evolved to using phishing domains and self-signed certificates to drop malware on target networks.

"Now [that] they have tested the waters, they are formed, experienced, and ready to conduct sophisticated attacks on banking systems," Mirkasymov says. Rather than reinventing the wheel, "they prefer to use well-known techniques, such as logical attacks on ATMs, and attacks on payment systems and card processing, employed by other financially motivated cybercriminals," he says.

Silence's geography of successful attacks so far has been limited to the so-called Commonwealth of Independent States (CIS), or nations that once belonged to the Soviet Union. But its ambitions appear much broader. According to Mirkasymov, the group has sent phishing emails to bank employees in some 25 countries, including Germany, Great Britain, the Czech Republic, Romania, Malaysia, Kenya, Israel, Cyprus, and Greece.

Silence does not only attack banks, Mirkasymov cautions. The group also has shown a tendency to attack online stores, news agencies, and insurance companies, using their infrastructure to conduct attacks on financial institutions.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.