Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/5/2018
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Silence Group Quietly Emerges as New Threat to Banks

Though only two members strong, hackers pose a credible threat to banks in Russia and multiple countries.

A pair of Russian-speaking hackers, likely working in legitimate information security roles, has quietly emerged as a major threat to banks in Russia and numerous other former Soviet republics in recent months.

The duo, who security vendor Group-IB is tracking as "Silence," is known to have stolen at least $800,000 from banks in Russia, Ukraine, Belarus, Poland, Kazakhstan, and Azerbaijan over the past year. The actual financial damages caused by the pair could be a lot higher given the likelihood that many incidents remain undiscovered or unattributed to Silence because of the group's relative newness to security researchers, Group-IB said in a report this week.

Group-IB researchers first began tracking Silence in 2016 following a failed attempt to steal money from a Russian bank. The hackers disappeared from sight for more than one year after that, but then resurfaced in October 2017 when they attacked a bank's ATM network and stole over $100,000 in a single night. Since then, Group-IB says it has identified Silence as being responsible for at least two more bank thefts — one in February 2018, when they netted $550,000 via a bank's ATM machines, and the second in March, involving $150,000.

Several aspects about Silence make it interesting, Group-IB says. One distinctive feature is its unusually small size, especially considering the damage it has been creating. The Silence group appears to currently comprise just an operator and a developer.

The operator appears to be the one in charge, with in-depth knowledge about tools for conducting pen tests on banking systems, navigating inside a bank's network, and gaining access to protected systems. The developer seems to be an adept reverse-engineer who is responsible for developing the tools and exploits that Silence has been using to break into bank networks and steal money.

The pair's tactics and behavior suggest that both are either currently working in a legitimate information security role or were recently in one, says Rustam Mirkasymov, head of dynamic analysis of malicious code at Group-IB. For example, Silence appears to have ready access to unique, non-public malware samples that only security researchers typically have. The developer's seemingly deep knowledge of ATM machines and processes suggests the individual is an insider or was one recently. The pair's behavior during incidents also suggest they are analyzing and closely following security reports, Mirkasymov says.

Because of the group's small size, the hackers have so far been somewhat limited in their ability to carry out attacks. Typically, they have averaged about three months between incidents, which is about three times as long as other financially motivated threat groups, such as Carbanak/Cobalt/FIN7 and MoneyTaker, usually take.

The two-person threat group has also shown a tendency to observe and learn from the actions of other threat actors, Mirkasymov says. Initially, Silence used third-party tools in its attacks but over time developed its own sophisticated toolkit. The unique set of card processing and ATM attack tools Silence has developed includes "Atmosphere," a tool for getting ATMs to dispense large amounts of cash on demand; "Farse," a utility for grabbing passwords from infected systems; and "Cleaner," for getting rid of incriminating logs.

Like many other advanced persistent threat (APT) actors, Silence uses several borrowed tools in its capers, including a bot for conducting initial attacks and a tool for launching distributed denial of service (DDoS) attacks. Initially, the Silence duo used hacked servers and compromised accounts for carrying out its campaigns, but they have evolved to using phishing domains and self-signed certificates to drop malware on target networks.

"Now [that] they have tested the waters, they are formed, experienced, and ready to conduct sophisticated attacks on banking systems," Mirkasymov says. Rather than reinventing the wheel, "they prefer to use well-known techniques, such as logical attacks on ATMs, and attacks on payment systems and card processing, employed by other financially motivated cybercriminals," he says.

Silence's geography of successful attacks so far has been limited to the so-called Commonwealth of Independent States (CIS), or nations that once belonged to the Soviet Union. But its ambitions appear much broader. According to Mirkasymov, the group has sent phishing emails to bank employees in some 25 countries, including Germany, Great Britain, the Czech Republic, Romania, Malaysia, Kenya, Israel, Cyprus, and Greece.

Silence does not only attack banks, Mirkasymov cautions. The group also has shown a tendency to attack online stores, news agencies, and insurance companies, using their infrastructure to conduct attacks on financial institutions.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
A Lawyer's Guide to Cyber Insurance: 4 Basic Tips
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  7/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13951
PUBLISHED: 2019-07-18
The set_ipv4() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv4 address in zone data.
CVE-2019-13952
PUBLISHED: 2019-07-18
The set_ipv6() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv6 address in zone data.
CVE-2019-10100
PUBLISHED: 2019-07-18
The Sleuth Kit 4.6.0 and earlier is affected by: Integer Overflow. The impact is: Opening crafted disk image triggers crash in tsk/fs/hfs_dent.c:237. The component is: Overflow in fls tool used on HFS image. Bug is in tsk/fs/hfs.c file in function hfs_cat_traverse() in lines: 952, 1062. The attack v...
CVE-2019-10102
PUBLISHED: 2019-07-18
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt (https://github.com/saltstack/salt/blob/devel...
CVE-2019-10102
PUBLISHED: 2019-07-18
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically ...