• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Hacking
  • Group-IB UncoversAPT- attacks on Banks: The Sound of Silence

Group-IB UncoversAPT- attacks on Banks: The Sound of Silence

Pierluigi Paganini September 05, 2018

Researchers at security firm Group-IB have exposed the attacks carried out by the Silence cybercriminal group, providing details on its tactics and tools.

Experts at security firm Group-IB have exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group’s activity in more than 25 countries worldwide.

Group-IB has published its first detailed report “Silence: Moving into the darkside” on tactics and tools employed by the cybercriminals. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.

After the activity of Cobalt group has declined, Silence became one of the major threats to Russian and international banks. Once only known to cybersecurity specialists, Silence is an example of a mobile, small, and young group that has been progressing rapidly. Confirmed thefts by Silence increased more than fivefold from just 100 000 USD in 2017 to 550 000 USD in less than a year. The current confirmed total thefts form Silence attacks stands at 800 000 USD.

For more than two years, there was not a single sign of Silence that would enable to identify them as an independent cybercrime group. The timeline and nature of the attacks identified by Group-IB forensic specialists suggested strongly that the first attacks were very amateur in nature and the criminals were learning as they went along. Since autumn 2017, the group has become more active. Based on analysis and comparison with other incidents and financial APT timelines, it is clear that Silence analyses methods of other criminal groups and applies new tactics and tools on various banking systems – AWS CBR (Automated Work Station Client of the Russian Central Bank), ATMs, and card processing.

Group-IB incident response and intelligence teams detected Silence’s activity in 2016 for the very first time. Silence members attempted to withdraw money via AWS CBR; however, due to some errors in payment orders, the theft was successfully prevented. In 2017, Silence began to conduct attacks on ATMs. The first incident confirmed by Group-IB revealed that gang members stole 100 000 USD from ATMs in just one night. In 2018, they targeted card processing using supply-chain attack, picking up 550 000 USD via ATMs of the bank’s counterpart over one weekend. In April 2018, two months after they successfully targeted card processing, the group decided to leverage its previous scheme and stole roughly 150 000 USD through ATMs. At this point, the attacks described above can be unequivocally attributed to Silence, but Group-IB security experts believe that there have been other successful attacks on banks.

Silence Group

Who are Silence?                                                     

Group-IB experts concluded that Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

There appear to be just two members in Silence—a developer and an operator. This explains why they are so selective in their attack targets, and why it takes them so long (up to 3 months, which is at least three times longer than Anunak, Buhtrap, MoneyTaker and Cobalt) to commit a theft. One gang member – a developer – has skills of a highly experienced reverse engineer. He develops tools to conduct attacks and modifies complex exploits and software. However, in development he makes a number of errors, that are quite common for virus analysts or reverse engineers; he knows exactly how to develop software, but he does not know how to program properly. The second member of the team is an operator. He has experience in penetration testing, which means he can easily find his way around banking infrastructure. He is the one who uses the developed tools to access banking systems and initiates the theft process.

Silence’s tools and methods                                                                

Like most cybercrime groups, Silence uses phishing emails. Initially, the group used hacked servers and compromised accounts for its campaigns. Later on, the criminals began to register phishing domains, for which they created self-signed certificates. Silence designs very well-crafted phishing emails usually purporting to be from bank employees. To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers to use as C&C servers. A number of servers were rented at MaxiDed, whose infrastructure was blocked by Europol in May 2018.

In their first operations, Silence used a borrowed backdoor – Kikothac, which makes it clear that the group began its activity without any preparation—these were attempts to test the waters. Later, the group’s developer created a unique set of tools for attacks on card processing and ATMs including Silence— a framework for infrastructure attacks , Atmosphere—a set of software tools for attacks on ATMs, Farse—a tool to obtain passwords from a compromised computer, and Cleaner—a tool for logs removal.

 “Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group. It is obvious that the criminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers,” says Dmitry Volkov, Chief Technology Officer and Head of Threat Intelligence at Group-IB.

“They carefully study the attacks conducted by other cybercriminal groups, and analyse antivirus and Threat Intelligence reports. However, it does not save them from making mistakes; they learn as they go. Many of Silence’s tools are legitimate, others they developed themselves and learn from other gangs. After having studied Silence’s attacks, we concluded that they are most likely white hats evolving into black hats. The Internet, particularly the underground web, favours this kind of transformation; it is far easier now to become a cybercriminal than 5–7 years ago—you can rent servers, modify existing exploits, and use legal tools. It makes things more complicated for blue teams and much easier for hackers”.

About

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Silence Group, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT Cybercrime Hacking Pierluigi Paganini Security Affairs Silence Silence group

you might also like

Pierluigi Paganini July 10, 2025
UK NCA arrested four people over M&S, Co-op cyberattacks
Read more
Pierluigi Paganini July 10, 2025
PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

    Hacking / July 10, 2025

    Qantas data breach impacted 5.7 million individuals

    Data Breach / July 10, 2025

    DoNot APT is expanding scope targeting European foreign ministries

    APT / July 10, 2025

    Nippon Steel Solutions suffered a data breach following a zero-day attack

    Data Breach / July 09, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT