The rapidly growing hacking crew dubbed Silence, has – in less than three years – gone from ransacking small regional banks in Eastern Europe to stealing millions from some of the largest international banks.
A report issued this morning by Singapore-based infosec outfit Group-IB claims that Silence, active since 2016, is now operating in more than 30 countries, and has so far been able to infiltrate banks' computer networks to siphon at least $4.2m from compromised cash machines around the world.
Group-IB, which has monitored the cyber-crooks since their earliest days, says that as the Russian gang grew, so did the sophistication of their work. Now, having survived three years, Silence is operating as an extremely sophisticated and capable crew.
"Early on, Silence showed signs of immaturity in their tools, techniques, and procedures by making mistakes and copying practices from other groups," the report, due to appear on Group-IB's website today, recounts. "Now, Silence is one of the most active threat actors targeting the financial sector."
When we last took a look at Silence, the crew was fresh off of its largest-ever financial hacking caper: nicking $3m from Bangladesh-based Dutch Bangla's cash machines.
Since then, Group-IB estimates that the team has grown even more ambitious, sending out more than 170,000 emails to banks around the world, with a focus on Asia, where 80,000 messages were sent.
Those emails were often booby-trapped with links or attachments in an attempt to trick victims into downloading and opening one or more of the group's preferred pieces of malware. The infected PCs connect back to a command-and-control server, and are then used to allow the hackers to move laterally around the bank's computer networks.
The actual theft of the money is conducted through ATMs. As in the Dutch Bangla operation, other banks have reported that, once the miscreants get into the network, they gain control of the servers managing the cash machines and card processing systems.
Russian 'Silence' hacking crew turns up the volume – with $3m-plus cyber-raid on bank's cash machinesREAD MORE
This allows the attackers to direct money mules to specific ATMs that are then ordered to dispense cash. If the mules are caught (as they were with the Dutch Bangla heist) the hackers masterminding the operation are shielded from the cops.
As successful as this method has been, it has also attracted attention to the operation, and Group-IB says that it has forced the Silence crew to up their game by making their malware tools harder to trace and attribute. They do, however, still have some learning to do.
"Silence has made a number of changes to their toolset with one goal: to complicate detection by security tools. In particular, they changed their encryption alphabets, string encryption, and commands for the bot and the main module," Group-IB notes.
"Silence has also made a move to including fileless modules in their arsenal, albeit much later than other APT groups, suggesting that the group is still playing catch-up compared to other cybercriminal groups." ®