In August 2017, the National Bank of Ukraine warned state-owned and private banks across the country about a large-scale phishing attack. The threat actor used an exploit from the arsenal of the state-sponsored hacker group APT28. However, the tool, as Group-IB discovered, was modified to target banks. It also appeared that the authors of the phishing emails had in-depth knowledge of reverse engineering.

At the time, the National Bank of Ukraine linked the attack with a new wave of NotPetya ransomware outbreak, but these were not pro-government hackers. Initial impressions would indicate that the targeted attack was on par with the works of Cobalt or MoneyTaker. This hypothesis went unproven. On investigation, the adversaries were a young and active hacker group, who, like young smart technical specialists, learned very fast and from their own mistakes.

The new threat actor group was eventually named Silence. They were identified and named first in reports by Anti-Virus vendors, however, until the publication of this report, no detailed technical analysis of Silence or their operations has been conducted.

Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as — Anunak, Corkow, Buhtrap — usually managed botnets using developed or modified banking Trojans. Silence is different. Even at the beginning of their journey, in the summer of 2016, Silence was not able to hack banking systems and actually seemed to learn on the job by carefully analyzing the experiences, tactics and the tools of other groups. They tried new techniques to steal from banking systems, including AWS CBR (the Russian Central Bank's Automated Workstation Client), ATMs, and card processing.

From circumstancial analysis over two years of attacks, it appears that Silence group members have worked or are currently working in legitimate information security activities. The group has access to non-public malware samples, patched Trojans available only to security experts and also TTP changes suggest that they modify their activity to mimic new attacks and red teaming activity.

Group-IB researchers were tracking Silence throughout this period and conducting response following incidents in the financial sector. During this monitoring period a phishing email was sent to CERT-GIB (Computer Emegency Response Team
of Group-IB). This was analysed and confirmed to be from Silence. Challenge accepted, Group-IB engaged.

This report details the results of our investigation, review of attacks and thefts by Silence, analysis of their tools, tactics and procedures used to target financial institutions. This report serves as a contribution to the Whitehat Security community from Group-IB and provides technical descriptions of the methods and technologies that can be used to detect and track this group. We have also included a detailed analysis of the toolset created by Silence and associated Indicators of Compromise (IoC), YARA and IDS rules.

Group-IB detected the first incidents relating to Silence in June 2016. At that time, the cyber criminals were just beginning to test their capabilities. One of Silence's first targets was a Russian bank, when they tried to attack AWS CBR. After this, the hackers "took a moment of silence". It was later discovered that this is standard practice for Silence. They are selective in their attacks and wait for about three months between incidents, which is approximately three times longer than other financially motivated APT groups, like MoneyTaker, Anunak (Carbanak), Buhtrap or Cobalt.

The reason for this is that Silence is a small group. In years of cyber intelligence and investigations, it is the first time that Group-IB has encountered this kind
of structure and role-based group. Silence members constantly analyze the experience of other criminal groups. They try to apply new techniques and ways of stealing from various banking systems, including AWS CBR, ATMs, and card processing. In a short period of time they studied not only direct types of hacking, but also supply-chain attacks. In less than a year, the amount of funds stolen by Silence has increased five times.

Our hypothesis is that the Silence team has two clear roles: the Operator and the Developer. Presumably, the Operator is the group leader. He acts like a penetration tester, who has in-depth knowledge of the tools for conducting penetration testing on banking systems. This knowledge allows the group to navigate easily inside the bank. It is the Operator who gains access to protected systems inside the bank and then conducts the theft.

The Developer is a qualified reverse engineer. His advanced reverse-engineering skills do not prevent him from making mistakes while programming. He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software. That said, he patched a little known Trojan that had not previously been employed by other groups. In addition, the Developer has sufficient knowledge of ATM processes, systems and has access to non-public malware samples, which are usually only available to security companies.

A distinctive feature of Silence is their untypical role structure and small size. It appears, this Russian-speaking group includes only two members.

As with most financially-motivated APT groups, the members of Silence are Russian speakers, which is evidenced by the language of commands, priorities in locating leased infrastructure, the choice of Russian-speaking hosting providers and location of the targets.

• The commands of Silence's Trojan are Russian words typed using an English layout:
  htrjyytrn > реконнект (reconnect) htcnfhn > рестарт (restart) ytnpflfybq > нетзадач (notasks)
  
• The main targets are located in Russia, although phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe, Africa and Asia.
  
• To rent servers, Silence uses Russian-speaking hosting providers.

Silence's successful attacks currently have been limited to the CIS and Eastern European countries. Their main targets are located in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan.

However, some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe, Africa and Asia including: Kyrgyzstan, Armenia, Georgia, Serbia, Germany, Latvia, Czech Republic, Romania, Kenya, Israel, Cyprus, Greece, Turkey, Taiwan, Malaysia, Switzerland, Vietnam, Austria, Uzbekistan, Great Britain, Hong Kong, and others.