A new Russian threat group called Silence has been discovered by security researchers that has been silently mounting attacks on banks and financial institutions across Russia and Eastern Europe since 2016. The hacker group is believed to have targeted financial entities across 25 countries.
According to security experts at Group-IB, who discovered Silence and its attacks, one of the threat group’s members is either a current or former employee of a cybersecurity firm. After the Cobalt group’s activities died down, Silence seems to have taken up the mantle to become the next major threat to Russian and international banks.
“Silence is an example of a mobile, small, and young group that has been progressing rapidly. Confirmed thefts by Silence increased more than fivefold from just 100 000 USD in 2017 to 550 000 USD in less than a year,” Group-IB researchers said in a post. “For more than two years, there was not a single sign of Silence that would enable to identify them as an independent cybercrime group.”
Silence’s nature of attacks indicate that the group’s first attacks were amateurish, but the hackers have learned and evolved with time. The group became more popular from August 2017, adopting TTPs from other cybercriminal and APT groups.
The hackers have also developed their own tools to leverage in new campaigns.
“They carefully study the attacks conducted by other cybercriminal groups, and analyse antivirus and Threat Intelligence reports. Many of Silence’s tools are legitimate, others they developed themselves and learn from other gangs,” Dmitry Volkov, Group-IB CTO and head of threat intelligence, said in a statement. “The Internet, particularly the underground web, favours this kind of transformation; it is now far easier to become a cybercriminal than 5–7 years ago.”
Silence uses a combination of borrowed and custom tools and techniques to conduct attacks. In August 2017, the group began conducting attacks against ATMs.
In one attack, the group stole $100,000 from ATMs in just one night. In 2018, Silence began launching supply chain attacks against card processing systems, raking in around $550,000 in just one weekend.
Like most other cybercriminal groups, Silence also uses phishing emails. However, the group initially used hacked servers and compromised accounts to conduct its campaigns. The group designs well-crafted emails that generally pose to be coming from bank employees.
“To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers to use as C&C servers. A number of servers were rented at MaxiDed, whose infrastructure was blocked by Europol in May 2018,” Group-IB researchers said.
“Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group. It is obvious that the criminals responsible for these crimes were at some point active in the security community,” Volkov said. “After having studied Silence’s attacks, we concluded that they are most likely white hats evolving into black hats.”