Silence! Cybercrime's Pinky and the Brain have nicked $800k off banks

One does dev, the other ops, and they're believed to be former white hats


A pair of cybercrooks who may have started out as legit infosec pros have expanded their operations outside Russia and begun attacking banks across the world.

"Silence is an example of a mobile, small, and young group that has been progressing rapidly," Group-IB said, adding that the cybercrime group has shown signs of activity in 25 countries.

There appear to be just two members in Silence – a developer and an operator (Walter White and Jesse Pinkman, anyone?) – which may explain why they are so selective with their targets, and why it takes them a relatively long time (up to three months) to pull off a heist.

The developer appears to be a highly experienced reverse engineer who develops tools to conduct attacks and modifies complex exploits and software.

The operator seems to have experience in penetration testing, which means he can easily find his way around banking infrastructure. He wields the tools developed by his programmer partner in order to access banking systems and pull off thefts.

After the activity of Cobalt group declined, Silence became one of the major threats to Russian and international banks. Confirmed thefts by Silence increased more than fivefold from just $100,000 in 2017 to $550,000 in less than a year. The current confirmed total thefts from Silence attacks stands at $800,000.

The opening salvos were amateurish, but the crims showed aptitude for learning techniques from other, more experienced hackers. In 2017, Silence began to attack ATMs, stealing $100,000 in just one night, according to Group-IB.

Earlier this year Silence targeted a card-processing network using a more sophisticated supply-chain attack, cashing out $550,000 via ATMs over one weekend. Two months later, in April 2018, the group stole another $150,000 through ATMs.

Over time, Silence has adopted tactics of hardened criminal groups to attack various banking systems – AWS CBR (Automated Work Station Client of the Russian Central Bank), ATMs and card processing.

In their first operations, Silence used a borrowed backdoor, Kikothac. Later, the group's developer created a unique set of tools for attacks on card processing and ATMs, including Silence, a framework for infrastructure attacks; Atmosphere, a set of software tools for attacks on ATMs; Farse, a tool to obtain passwords from a compromised computer; and Cleaner, a tool for log removal.

Group-IB reckoned that Silence is a group of Russian-speaking hackers, based on the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Silence used Russian words typed on an English keyboard layout to send commands to backdoors they had deployed.

Like most cybercrime groups, Silence uses phishing emails. Initially, the group used hacked servers and compromised accounts for its campaigns. Later on, the crooks began to register phishing domains, featuring self-signed digital certificates. More recently Silence has sent phishing emails to bank employees in Central and Western Europe, Africa, and Asia.

Silence's phishing emails usually purport to be from bank employees. To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers as command-and-control nodes. The group hired a number of servers at MaxiDed, whose infrastructure was blocked by Europol in May 2018.

"Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group," said Dmitry Volkov, chief technology officer and head of threat intelligence at Group-IB. "It is obvious that the criminals responsible for these crimes were at some point active in the security community ... [e]ither as penetration testers or reverse engineers.

"After having studied Silence's attacks, we concluded that they are most likely white hats evolving into black hats. The internet, particularly the underground web, favours this kind of transformation; it is far easier now to become a cybercriminal than 5-7 years ago – you can rent servers, modify existing exploits, and use legal tools. It makes things more complicated for blue teams and much easier for hackers." ®

Biting the hand that feeds IT © 1998–2022