July 2016 — A failed attempt to withdraw money via the Russian system of interbank transactions AWS CBR. Hackers gained access to the system, but the attack wasn't successful due to improper preparation of the payment order. The bank's employees suspended the transaction and conducted incident response and remediation using their own resources. This resulted in the subsequent incident described below:
August 2016 — Another attempt to attack the same bank. Just one month (!) after their failure with AWS CBR, Silence regained access to the servers of the bank and attempted another attack. To do this, they downloaded software to secretly take screenshots and proceeded to investigate the operator's work via video stream. This time, the bank asked Group-IB to respond to the incident. The attack was stopped. However, the full log of the incident was unrecoverable, because in an attempt to clean the network, the bank's IT team deleted the majority of the attacker's traces.
October 2017 — The first successful theft by the group that we know about. This time, Silence attacked ATMs and stole over $100,000 in just one night. In the same year, they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans.
After the failed attempt with the interbank transactions system in 2016, the criminals did not try to withdraw money using the system, even after gaining access to the servers of AWS CBR.
February 2018 — Successful attack using card processing. They picked up over $550,000 via ATMs of the bank's counterpart.
April 2018 — Two months later, the group returned to their proven method and withdrew funds again through ATMs. During a single night they siphoned about $150,000. This time, Silence's tools had been significantly modified: they were not burdened with redundant features and ran stably without bugs.