
Silence APT group eyes APAC banks

Russian-speaking advanced persistent threat group has set its sights on banks in the region, customising its arsenal for targeted attacks

A Russian-speaking advanced persistent threat (APT) group has extended its reach into Asia-Pacific, making off with millions of dollars of stolen funds from banks in the region.

Called Silence, the APT group has conducted one of its biggest reconnaissance campaigns aimed at South Korea, Taiwan, Malaysia, Singapore and other neighbouring countries, according to a new report by Singapore-based cyber security firm Group-IB.

One of Silence’s most recent successful campaigns in APAC took place in Bangladesh in May 2019, when the Dutch-Bangla Bank reportedly lost $3m that was withdrawn from its ATMs by masked men believed to be linked to the group.

The Bangladesh heist was not the first time APAC banks have been targeted by the group. In November 2018, Silence reportedly sent nearly 80,000 reconnaissance emails to individuals across Asia, with at least 2,352 intended for recipients in Singapore, a regional economic powerhouse that has become an attractive target for financially motivated hackers.

In its latest report, Group-IB charted the group’s evolution from a “small, young, cyber crime group with prehistoric tools” that launched attacks mainly in the post-Soviet states and neighbouring countries, to an APT group that is posing threats to banks worldwide.

Group-IB first described Silence’s tactics, techniques and procedures (TTPs) in a September 2018 report, noting that the group made up for its lack of experience in hacking bank systems by studying and customising the approaches of other groups to suit its needs.

For example, it used a borrowed backdoor, Kikothac, to test the water before developing a unique set of tools to launch attacks on card-processing systems and ATMs. It even developed its namesake framework for carrying out infrastructure attacks.

Like any APT group, Silence has been refining its arsenal amid greater scrutiny of its operations by security researchers. Its reconnaissance emails, for example, often contain a link without a malicious payload, a tactic aimed at obtaining valid email addresses for future attacks.


In March 2019, Group-IB detected a new tool in Silence’s arsenal – a previously unknown PowerShell trojan used during lateral movement and to control compromised systems by performing tasks through the command shell and tunnelling traffic using the DNS protocol.
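As an added illustration (not code from the article or the Group-IB report), a simple detector for the kind of DNS-based command-and-control tunnelling described above, run over a constructed DNS query log. The log lines, the thresholds and the "registered domain is the last two labels" split are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (client IP, queried name). Not real data.
# The 10.0.7.14 host issues many never-repeated, hex-looking subdomains under one
# domain, which is the typical footprint of data encoded into DNS labels.
SAMPLE_QUERIES = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "mail.example.com"),
    ("10.0.5.21", "cdn.example.com"),
    ("10.0.7.14", "a9f3c1e7b2d4.tunnel.example.net"),
    ("10.0.7.14", "4b8e2d9c0a61.tunnel.example.net"),
    ("10.0.7.14", "7e1d3f0b9a2c.tunnel.example.net"),
    ("10.0.7.14", "c3a7e9b1d5f0.tunnel.example.net"),
    ("10.0.7.14", "e6b0d2f8a4c9.tunnel.example.net"),
    ("10.0.7.14", "1f9a4c6e8b3d.tunnel.example.net"),
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores much higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    # Assumption: registered domain = last two labels (no public-suffix list offline).
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_tunnelling(queries, min_queries=5, min_entropy=3.0, min_len=10):
    """Return {(client, domain): stats} for pairs whose subdomains look like encoded
    data: every query unique, labels long, and label entropy high."""
    stats = defaultdict(lambda: {"count": 0, "subs": set(), "ent": 0.0, "len": 0})
    for client, qname in queries:
        domain, sub = split_name(qname)
        if not sub:
            continue
        s = stats[(client, domain)]
        s["count"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["len"] += len(sub)
    flagged = {}
    for key, s in stats.items():
        avg_ent, avg_len = s["ent"] / s["count"], s["len"] / s["count"]
        if (s["count"] >= min_queries and len(s["subs"]) == s["count"]
                and avg_ent >= min_entropy and avg_len >= min_len):
            flagged[key] = {"queries": s["count"], "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Real deployments would tune the thresholds per environment and whitelist services (CDNs, anti-spam lookups) that legitimately generate high-entropy labels.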

“It would be no exaggeration to say that Silence can be viewed as a new threat to banks and financial organisations all over the world, and Asia in particular,” said Rustam Mirkasymov, head of dynamic malware analysis at Group-IB.

“The region’s dynamic growth has made it a highly desirable target for cyber criminals, who spare no efforts in improving their techniques to complicate their detection.

“Since our original report was released, the confirmed damage from their operations has increased significantly. The growing threat posed by Silence and its rapid global expansion prompted us to make both reports publicly available in order to help cyber security specialists detect and correctly attribute Silence’s worldwide attacks at an early stage.”

According to the Financial Services Information Sharing and Analysis Centre (FS-ISAC) H1 2019 Asia-Pacific cyber threat review, attacks on payment systems and third-party service providers, as well as system vulnerabilities, are some of the greatest concerns faced by Asia’s banks and financial institutions this year.

Brian Hansen, executive director at FS-ISAC APAC, said cyber attackers are now spending more time on preparation and reconnaissance to ensure their attacks are successful.

“These actors are also increasing collaboration on the dark web, selling and seeking services that can be used against financial institutions,” he added. “With these groups banding together, it is imperative for financial institutions in Asia to embrace information sharing.”
