Hackers do not need computer science geniuses to carry out successful cyber-attacks or scams, with many attacks relying on the work and malware developed by previous threat actors. When a seemingly advanced hacker group which uses its own tools begins to attack financial institutions warning flags should and are often raised. This is the case regarding Silence, a hacker group specializing in stealing funds from financial institutions, has significantly ramped up operations targeting banks from over 30 countries. This has resulted in the group causing a sharp increase in financial losses suffered by organizations across the globe.
Researchers at Group-IB, Singapore-based cybersecurity company specializing in attack prevention, have been tracking Silence since its timid birth in 2016. The security firm has released two comprehensive reports tracking and analyzing the group’s attacks. The first report published towards the end of 2018. Silence at its formation was content to learn from those hackers who had come before. Once lessons were learned the group began actively targeting banks and other financial institutions. Since attacks began to now the hacker group has stolen over 4 million USD from numerous banks and financial institutions. By the time of the first report was published the group had only managed to successfully steal 800,000 USD. The difference in amounts stolen illustrates the ramping up of the group’s activity from the first report to the second.
The second report further reveals the group's modus operandi as well, more worryingly, the use of new and custom tools used in attacking banks. These new tools have been developed to assist in avoiding detection as well as to better compromise banking networks. The group rewrote some previously used tools, namely the silence.downloader, and using Ivoke to use PowerShell for file less loading of malware. Added to this the group also exploits the Empire framework, now abandoned but made infamous by Olympic Destroyer and their malware Hades. By using the Empire framework the group can move laterally across networks. The framework is essentially a PowerShell agent. Not only were new tools included but tactics were changed and refined. In October 2018 the group started sending out emails to potential targets to better plan future attacks. These reconnaissance emails would carry no payload and pretended to be an automated reply for a failed delivery. Researchers believe the reconnaissance emails were used to receive updated email lists from the target. Silence sent out over 170,000 of these emails during three separate campaigns against victims in Asia, Europe, and countries previously making up the Soviet Block.
When sending out the reconnaissance emails, the group seems to have particularly targeted Asian countries. The group sent over 80,000 emails to countries within the continent. Institutions within the borders of Taiwan, Malaysia, and South Korea were the most targeted in this expansion of operations. Europe received the least amount of emails with UK institutions been hardest hit. The second stage of the campaign began after the attackers could validate the email addresses. Once validated the group sends emails containing the initial payload. This payload contains the downloader so that the Silence specific malware can be downloaded and distributed across the network. The last stage of the attack involves the download and installation of a trojan designed to infect the card processing system allowing cash mules to draw money from ATMs. For the final stage to be successful, the group gains persistence across numerous networks using custom tools.
Drastic Increase in Operations
The second report published by Group-IB tracks the activity of Silence from May 28, 2018, to August 1, 2019. In that time the researchers have seen a drastic rise in activity. This increase in activity also saw the group using every resource available to further their goals. For example, they leveraged the lack of Sender Policy Framework (SPF) settings to impersonate a real bank and in another campaign, they sent emails pretending to be from the Central Bank of the Russian Federation. The Silence group started in early 2019 to switch to targets in Europe and attacked a financial organization in the UK. They sent a file with a valid signature from SEVA Medical LTD. They did not shift focus from Russian banks, though. By February, the threat actor had compromised Omsk IT Bank and was able to steal around 400,000 USD.
In what appears to be a related attack, which could be attributed to Silence, cash mules stole 3 million USD from ATMs belonging to Dutch Bangla Bank. In this instance, video footage was posted showing cash mules inserting cards into the machines and waiting for the money. Researchers believe that the attack was carried using the custom trojan used by Silence for compromising the card processing system. This belief is given more credence due to no malware been found on the ATMs, suggesting that the system was compromised rather than the machine. Researchers with the security firm have further attributed successful attacks to banks in Chile, Bulgaria, Costa Rica, Ghana, and India.
To further complicate matters researchers believe there could be a connection between Silence and TA505, another group that uses FlawedAmmyy.Downloader to target victims in the financial sector. Researchers further believe that Silence evolved from TA505, at the time an inexperienced group whose activity has dropped off the map. Researchers stated that,
“A comparative analysis of Silence.Downloader and FlawedAmmyy.Downloader revealed that these programs were developed by the same person – a Russian speaker who is active on underground forums.”