
Russian Silence Hacking Group Targeting Banks Worldwide
Silence APT, an organized hacking group, has sent out over 170,000 phishing emails to develop targets and steal money from financial institutions worldwide, as reported by Group-IB cyber security researchers. The hackers’ most recent cyber attack targeted Bangladesh-based Dutch-Bangla Bank. The bank lost over $3 million from a series of automated teller machine (ATM) cash withdrawals during an attack that persisted for several days.
Silence APT hackers begin their attacks by sending two phishing emails. After successful infection, the hackers download malware to the infected system and move on to control cash machines. Cyber security researchers from Group-IB report that Silence APT compromised banks in India (in August 2018), Russia (February 2019), Kyrgyzstan (May 2019), Russia (June 2019), Bulgaria (July 2019) as well as Chile, Ghana, and Costa Rica. In another attack, Silence stole $150,000 from ATMs in one night.
Silence hackers use a two-stage phishing email attack vector. The first phishing emails contain images or a link for the reader to click on. These emails do not contain malicious code or attachments and serve to refine the email list of targets. The second, spear-phishing email campaign begins the infection. These emails usually contain Microsoft Word documents as attachments. The malicious attachments, which include documents with macros or exploits, CHM files, and .LNK shortcuts, infect victims’ machines with backdoors and downloaders. Upon successful infection the hackers manually load TrueBot malware, also known as Silence.Downloader, onto the users’ systems.
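For defenders, the attachment types named above can be recognised at the mail gateway by file content rather than by file name. The following is an added example, not part of the original article or of Group-IB's reporting; the block/quarantine/allow verdicts and the sample file names are assumptions chosen for illustration.

```python
import io
import zipfile

# File signatures for the attachment types the article names.
CHM_MAGIC = b"ITSF"                                                     # compiled HTML help
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")  # shell link header + CLSID
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")                          # legacy .doc/.xls container

def classify_attachment(data):
    """Return (verdict, reason) from file content, ignoring the file name."""
    if data.startswith(CHM_MAGIC):
        return "block", "CHM help file"
    if data.startswith(LNK_MAGIC):
        return "block", "Windows .LNK shortcut"
    if data.startswith(OLE2_MAGIC):
        # Legacy Office files can carry macros or embedded exploit objects.
        return "quarantine", "legacy OLE2 Office container"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            return "quarantine", "malformed ZIP container"
        if any(m.endswith("vbaproject.bin") for m in members):
            return "quarantine", "OOXML document with VBA macros"
        if any(m.endswith((".lnk", ".chm")) for m in members):
            return "block", "archive carrying LNK/CHM"
        return "allow", "ZIP/OOXML without macros"
    return "allow", "no flagged signature"

def make_zip(members):
    """Build an in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples (not real malware); names chosen to show renamed files.
SAMPLES = {
    "forum_invite.docm": make_zip({"word/document.xml": "<w/>", "word/vbaProject.bin": "x"}),
    "notice.docx": make_zip({"word/document.xml": "<w/>"}),
    "manual.pdf": CHM_MAGIC + b"\x03\x00\x00\x00",
    "statement.txt": LNK_MAGIC + b"\x00" * 56,
    "account.doc": OLE2_MAGIC + b"\x00" * 504,
}

def triage(samples):
    return {name: classify_attachment(data)[0] for name, data in samples.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_attachment(data))
```

Because the check reads the leading bytes, a CHM or LNK file renamed to `.pdf` or `.txt` is still caught.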
What is Silence APT?
Silence APT is a Russian Advanced Persistent Threat (APT) group. Silence hackers target banks and financial institutions to steal money. The hacking group is believed to have been in operation since about 2016.
Silence APT Cyber Attack History
The Silence hacking group’s activities from May 2018 through 1 August 2019, as tracked by Group-IB cyber security specialists, are listed below. Money mules in Bangladesh were arrested, but the attacks still increased in frequency and geographical reach. Group-IB Threat Intelligence reports on the Silence APT group’s activities are available for download.
- 28 May 2018 – A Russian-language email phishing campaign was sent with a Microsoft Word attachment that contained an exploit for the CVE-2017-11882 vulnerability. The exploit installs Silence’s loader
- August 2018 – A bank in India was compromised by Silence
- 16 October 2018 – Russian Silence hackers conducted a malicious campaign targeting Russian banks. The emails were sent from info @ bankuco . com
- 18 October 2018 – Silence APT sent a test email campaign to UK financial companies
- 18 October 2018 – Silence sent emails to Russian banks and digitally impersonated a legitimate bank due to the lack of SPF settings
- 25 October 2018 – Silence sent emails from info @ bankuco . com to Russian banks. The emails refer to the opening and maintenance of a correspondent account and were sent from a non-existent bank name
- 15 and 16 November 2018 – Silence sent a large-scale email phishing campaign posing as the Central Bank of the Russian Federation. The goal of the cyber attack was to deliver the second stage of Silence’s Trojan, Silence.MainModule
- 20 November 2018 – A first stage phishing campaign sent to Asian banks
- 25 and 27 December 2018 – A new malicious phishing campaign sent from pharmkx[ . ] group and cardisprom[ . ]ru domains
- 4 January 2019 – Silence attacked financial organizations in the UK with emails containing an attachment signed by SEVA MEDICAL LTD
- 16 January 2019 – For the first time, Silence disguised a malicious attachment. It was a fake invitation to the international financial forum iFin-2019. The attachment contained Silence.Downloader (TrueBot) malware
- February 2019 – Silence hackers compromised another Indian bank
- February 2019 – Silence stole 25 million rubles (about $400,000 USD) from Russia’s Omsk IT Bank
- 21 May 2019 – Phishing emails were sent out purporting to be from the bank’s client with a request to block a credit card. The emails contained a fileless Trojan, the Ivoke backdoor
- 20 June 2019 – Silence attacked banks in Russia
- July 2019 – Banks in Chile, Bulgaria, Costa Rica and Ghana were compromised
What is an Advanced Persistent Threat Group?
Advanced Persistent Threat Groups are organized cyber criminals that hack corporations, governments, organizations, and individuals. Many APT groups work at the behest of a government entity. APT groups have different goals. While some are conducting corporate or political cyber espionage, others steal data, contacts, or money to fund other missions.
APT groups are assigned numbers to help cyber researchers track their activity. They are also given multiple names so as not to offend the governments that sponsor them. The names loosely follow a naming convention associated with each APT group’s home country. For example, Chinese APT groups are named for Pandas while Iranian hacking groups are named for Persian Cats or oil industry terms. Iranian state-sponsored APT34 is also known as OilRig and HelixKitten. The United States APT group is called Equation Group.