Group-IB Detects APT-attacks on Banks: The Sound of Silence

Group-IB, an international company specialized in preventing cyberattacks, has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group’s activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.

After the activity of Cobalt group has declined, Silence became one of the major threats to Russian and international banks. Once only known to cybersecurity specialists, Silence is an example of a mobile, small, and young group that has been progressing rapidly. Confirmed thefts by Silence increased more than fivefold from just 100 000 USD in 2017 to 550 000 USD in less than a year. The current confirmed total thefts form Silence attacks stands at 800 000 USD but may be much larger.

For more than two years, there was not a single sign of Silence that would enable to identify them as an independent cybercrime group. The timeline and nature of the attacks identified by Group-IB forensic specialists suggested strongly that the first attacks were very amateur in nature and the criminals were learning as they went along. Since autumn 2017, the group has become more active. Based on analysis and comparison with other incidents and financial APT timelines, it is clear that Silence analyses methods of other criminal groups and applies new tactics tools on various banking systems AWS CBR (Automated Work Station Client of the Russian Central Bank), ATMs, and card processing.

Group-IB incident response and intelligence teams detected Silence’s activity in 2016 for the very first time. Silence members attempted to withdraw money via AWS CBR; however, due to some errors in payment orders, the crime was successfully prevented. In 2017, Silence began to conduct attacks on ATMs. The first incident confirmed by Group-IB revealed that gang members stole 100 000 USD from ATMs in just one night. In 2018, they targeted card processing using supply-chain attack, picking up 550 000 USD via ATMs of the bank’s counterpart over one weekend. In April 2018, two months after they successfully targeted card processing, the group decided to leverage its previous scheme and stole roughly 150 000 USD through ATMs. At this point, only the attacks described above can be unequivocally attributed to Silence, but Group-IB security experts believe that there have been other successful attacks on banks.

Who are Silence?

Group-IB experts concluded that Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

There appear to be just two members in Silence—a developer and an operator. This explains why they are so selective in their attack targets, and why it takes them so long (up to 3 months, which is at least three times longer than Anunak, Buhtrap, MoneyTaker and Cobalt) to commit a theft. One gang member a developer has skills of a highly experienced reverse engineer. He develops tools to conduct attacks and modifies complex exploits and software. However, in development he makes a number of errors, that are quite common for virus analysts or reverse engineers; he knows exactly how to develop software, but he does not know how to program properly. The second member of the team is an operator. He’s got experience in penetration testing, which means he can easily find his way around banking infrastructure. He is the one who uses the developed tools to access banking systems and initiates the theft process.

Silence’s tools and methods

Like most cybercrime groups, Silence uses phishing emails. Initially, the group used hacked servers and compromised accounts for its campaigns. Later on, the criminals began to register phishing domains, for which they created self-signed certificates. Silence designs very well-crafted phishing emails usually purporting to be from bank employees. To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers to use as C&C servers. A number of servers were rented at MaxiDed, whose infrastructure was blocked by Europol in May 2018.

In their first operations, Silence used a borrowed backdoor Kikothac, which makes it clear that the group began its activity without any preparation—these were attempts to test the waters. Later, the group’s developer created a unique set of tools for attacks on card processing and ATMs including Silencea framework for infrastructure attacks , Atmosphere—a set of software tools for attacks on ATMs, Farse—a tool to obtain passwords from a compromised computer, and Cleaner—a tool for logs removal.

Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group. It is obvious that the criminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers. They carefully study the attacks conducted by other cybercriminal groups, and analyse antivirus and Threat Intelligence reports. However, it does not save them from making mistakes; they learn as they go. Many of Silence’s tools are legitimate, others they developed themselves and learn from other gangs. After having studied Silence’s attacks, we concluded that they are most likely white hats evolving into black hats. The Internet, particularly the underground web, favours this kind of transformation; it is now far easier to become a cybercriminal than 5–7 years ago—you can rent servers, modify existing exploits, and use legal tools. It makes things more complicated for blue teams and much easier for hackers.

Dmitry Volkov
Dmitry Volkov

Chief Technology Officer and Head of Threat Intelligence at Group-IB

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat IntelligenceManaged XDRDigital Risk ProtectionFraud ProtectionAttack Surface ManagementBusiness Email ProtectionAudit & ConsultingEducation & TrainingDigital Forensics & Incident ResponseManaged Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.