Names | Silence (Kaspersky) Contract Crew (iDefense) Whisper Spider (CrowdStrike) TEMP.TruthTeller (FireEye) ATK 86 (Thales) TAG-CR8 (Recorded Future) | |
Country | [Unknown] | |
Motivation | Financial crime | |
First seen | 2016 | |
Description | (Group-IB) Group-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group’s activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services. Group-IB found several relationships between Silence and TA505, Graceful Spider, Gold Evergreen. | |
Observed | Sectors: Financial, Government, Manufacturing, Pharmaceutical. Countries: Antigua and Barbuda, Armenia, Australia, Austria, Azerbaijan, Bangladesh, Belarus, Belgium, Belize, Bulgaria, Canada, Chile, China, Costa Rica, Croatia, Cyprus, Czech, Finland, France, Georgia, Germany, Ghana, Gibraltar, Greece, Hong Kong, India, Indonesia, Ireland, Israel, Jamaica, Jordan, Kazakhstan, Kenya, Kyrgyzstan, Latvia, Luxembourg, Malaysia, Mexico, Moldova, Netherlands, Norway, Pakistan, Panama, Poland, Romania, Russia, Saudi Arabia, Serbia, Seychelles, Singapore, South Korea, Spain, Sri Lanka, Sweden, Switzerland, Taiwan, Thailand, Turkey, UAE, UK, Ukraine, USA, Uzbekistan, Vietnam. | |
Tools used | Atmosphere, Cleaner, EmpireDNSAgent, Farse, Ivoke, Kikothac, Meterpreter, ProxyBot, ReconModule, Silence, TinyMet, xfs-disp.exe, Living off the Land. | |
Operations performed | Jun 2016 | Silence: Moving into the Darkside <https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf> |
May 2018 | Silence 2.0: Going Global <https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf> | |
May 2019 | ‘Silence’ hackers hit banks in Bangladesh, India, Sri Lanka, and Kyrgyzstan The only incident that is currently public is one impacting Dutch Bangla Bank Limited, a bank in Bangladesh, which lost more than $3 million during several rounds of ATM cashout attack. <https://www.zdnet.com/article/silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan/> | |
Jan 2020 | New financially motivated attacks in Western Europe traced to Russian-speaking threat actors <https://www.group-ib.com/media/silence_ta505_attacks_in_europe/> | |
Aug 2022 | Breaking the silence - Recent Truebot activity <https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/> | |
Information | <https://securelist.com/the-silence/83009/> <https://reaqta.com/2019/01/silence-group-targeting-russian-banks/> <https://newsroom.accenture.com/news/accenture-report-reveals-new-cybercrime-operating-model-among-high-profile-threat-groups.htm> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0091/> | |
Playbook | <https://www.fortinet.com/blog/threat-research/silence-group-playbook.html> |
Last change to this card: 27 December 2022
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |