3 July 2019

Bangladesh Cyber Heist 2.0: Silence APT goes global

Group-IB, an international company that specializes in preventing cyber attacks, has established that Silence, a Russian-speaking cybercriminal group is likely to be behind the brazen attack on Dutch-Bangla Bank’s ATMs resulting in the theft of $3 million, the amount reported by the local media. The actual amount of money stolen could be much higher. This is one of Silence’s most recent international attacks, which indicates that the gang has expanded its geography and has gone global, focusing now on APAC markets.

The final stage of the brash cyber attack, which started months earlier, took place in Dhaka on May 31, 2019, according to the local media reports. In CCTV footage posted by local newspapers two Ukrainian mules with their faces covered are seen withdrawing money from Dutch-Bangla Bank’s ATMs. They made phone calls every time before withdrawing money, which immediately prompted Group-IB’s Threat intelligence team’s interest and indicated that this could likely be involvement of an organized financially-motivated cybercriminal group rather than simple skimming attack. At the time, Group-IB Threat Intelligence team was already aware that Silence had been carrying out operations in Asia.

Group-IB has been tracking Silence and their infrastructure since 2016 and published a report «Silence: Moving into the darkside» in September 2018 which was the first to describe the group’s tactics and tools in detail. The information gathered by Group-IB’s Threat Intelligence team and comprehensive knowledge about Silence’s infrastructure suggested that Dutch-Bangla Bank’s hosts with external IPs 103.11.138.47 and 103.11.138.198 had been communicating with Silence’s C&C (185.20.187.89) since at least February 2019. During the attack on Dutch-Bangla Bank, the cybercriminals have likely used the following Trojans — Silence.Downloader (aka TrueBot), Silence.MainModule (MD5 fd133e977471a76de8a22ccb0d9815b2) which allows to execute remote commands covertly and download files from the compromised server, and Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c), which executes the tasks of the proxy server and allows the attacker to redirect traffic from a hidden node to a backconnect server via the compromised PC.

Once they gained access to the bank’s infrastructure, Silence went on to the next stage of the attack — money withdrawal. One of the instances was shown on the CCTV from May 31 published by the local media. Based on the TTPs used by Silence, the money could have been stolen in one of two ways: the hackers could have either compromised the bank’s card processing system or used the custom Atmosphere software, a set of tools for ATMs jackpotting. The detailed description of Silence’s toolset is available in Group-IB’s report «Silence: Moving into the darkside».

What we see now is that Silence is continuing to shift their focus from the CIS and neighbouring countries to international markets. Having tested their tools and techniques in Russia, Silence has gained the confidence and skill necessary to be an international threat to  banks and corporations. Asia particularly draws cybercriminals’ attention. Dutch-Bangla Bank is not the first Silence’s victim in the region. In total, we are aware of at least 4 targets Silence has attacked in Asia recently.

Rustam Mirkasymov

Rustam Mirkasymov

Group-IB Head of Dynamic Analysis of malware department and threat intelligence expert

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS) intended for the proactive search and the protection against complex and previously unknown cyberthreats has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an Al-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.

Report an incident

Get 24/7 incident response assistance from our global team

APAC: +65 3159-3798
Europe: +31 20 226-90-90
EMA: +971 4 508 1605

Thank you for the inquiry! We will contact you soon.
Cookies

We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.

 
Report an incident