A pair of cybercrooks who may have started out as legit infosec pros have expanded their operations outside Russia and begun attacking banks across the world.
"Silence is an example of a mobile, small, and young group that has been progressing rapidly," Group-IB said, adding that the cybercrime group has shown signs of activity in 25 countries.
There appear to be just two members in Silence – a developer and an operator (Walter White and Jesse Pinkman, anyone?) – which may explain why they are so selective with their targets, and why it takes them a relatively long time (up to three months) to pull off a heist.
The developer appears to be a highly experienced reverse engineer who develops tools to conduct attacks and modifies complex exploits and software.
The operator seems to have experience in penetration testing, which means he can easily find his way around banking infrastructure. He wields the tools developed by his programmer partner in order to access banking systems and pull off thefts.
After the activity of Cobalt group declined, Silence became one of the major threats to Russian and international banks. Confirmed thefts by Silence increased more than fivefold from just $100,000 in 2017 to $550,000 in less than a year. The current confirmed total thefts from Silence attacks stands at $800,000.
The opening salvos were amateurish, but the crims showed an aptitude for learning techniques from other, more experienced hackers. In 2017, Silence began to attack ATMs, stealing $100,000 in just one night, according to Group-IB.
Earlier this year Silence targeted a card-processing network using a more sophisticated supply-chain attack, cashing out $550,000 via ATMs over one weekend. Two months later in April 2018 the group stole another $150,000 through ATMs.
Over time, Silence has adopted tactics of hardened criminal groups to attack various banking systems – AWS CBR (Automated Work Station Client of the Russian Central Bank), ATMs and card processing.
In their first operations, Silence used a borrowed backdoor, Kikothac. Later, the group's developer created a unique set of tools for attacks on card processing and ATMs, including Silence, a framework for infrastructure attacks; Atmosphere, a set of software tools for attacks on ATMs; Farse, a tool to obtain passwords from a compromised computer; and Cleaner, a tool for log removal.
Group-IB reckoned that Silence is a group of Russian-speaking hackers, based on the location of the infrastructure they used and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Silence used Russian words typed on an English keyboard layout to send commands to the backdoors they had deployed.
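That layout-switching artefact is something a blue team can look for in command strings or C2 traffic. The following is an added example, not Group-IB's or Silence's code: it maps lowercase QWERTY characters to the Russian ЙЦУКЕН letters on the same keys and flags tokens that only read as words after the mapping. The key table, the vowel heuristic and the tiny word list are assumptions made for illustration.

```python
"""Heuristic detector for Cyrillic text typed on an English (QWERTY)
keyboard layout, e.g. 'ghbdtn' -> 'привет'.  Constructed example for
scanning command strings; not Group-IB's or the Silence group's code."""
import re

# Lowercase QWERTY keys and the letters on the same keys in the Russian
# ЙЦУКЕН layout (32 keys each; some punctuation keys carry letters).
_EN = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
_RU = "йцукенгшщзхъфывапролджэячсмитьбю"
_TABLE = str.maketrans(_EN, _RU)

_EN_VOWELS = set("aeiouy")
_RU_VOWELS = set("аеёиоуыэюя")

# Small constructed dictionary of ordinary Russian words; a real deployment
# would load a proper word list (assumption: lowercase entries).
_RU_WORDS = {"привет", "удалить", "запуск", "файл", "экран", "пароль", "стоп"}


def to_russian_layout(text: str) -> str:
    """Map each lowercase QWERTY character to the Russian letter on that key."""
    return text.lower().translate(_TABLE)


def is_layout_switched_token(token: str) -> bool:
    """True if a token reads like a Russian word typed on an English layout."""
    low = token.lower()
    # Short tokens and tokens with unmappable characters (digits, '/') skip.
    if len(low) < 4 or any(c not in _EN for c in low):
        return False
    ru = low.translate(_TABLE)
    if ru in _RU_WORDS:
        return True
    # Heuristic: unpronounceable as English (no English vowels) but the
    # mapped form has a Cyrillic vowel, so it is pronounceable as Russian.
    has_en_vowel = any(c in _EN_VOWELS for c in low)
    has_ru_vowel = any(c in _RU_VOWELS for c in ru)
    return (not has_en_vowel) and has_ru_vowel


def flag_layout_switched(line: str) -> list:
    """Return the whitespace-separated tokens in a line that look switched."""
    return [t for t in re.findall(r"\S+", line) if is_layout_switched_token(t)]
```

Expect false positives on abbreviations and hashes; treat a hit as a reason to look at the session, not as a verdict.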
Like most cybercrime groups, Silence uses phishing emails. Initially, the group used hacked servers and compromised accounts for its campaigns. Later on, the crooks began to register phishing domains, featuring self-signed digital certificates. More recently Silence has sent phishing emails to bank employees in Central and Western Europe, Africa, and Asia.
Silence's phishing emails usually purport to be from bank employees. To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers as command-and-control nodes. The group hired a number of servers at MaxiDed, whose infrastructure was blocked by Europol in May 2018.
"Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group," said Dmitry Volkov, chief technology officer and head of threat intelligence at Group-IB. "It is obvious that the criminals responsible for these crimes were at some point active in the security community ... [e]ither as penetration testers or reverse engineers.
"After having studied Silence's attacks, we concluded that they are most likely white hats evolving into black hats. The internet, particularly the underground web, favours this kind of transformation; it is far easier now to become a cybercriminal than 5-7 years ago – you can rent servers, modify existing exploits, and use legal tools. It makes things more complicated for blue teams and much easier for hackers." ®