When cybersecurity pros go bad: Silence cybergang makes noise with $800,000 in ATM thefts

A low-profile cybergang appropriately named Silence specializing in ATM bank theft and possibly comprised of two former or current cybersecurity workers has so far stolen more than $800,000 during a two-year-long crime spree.

Group-IB report examining Silence states the group is likely operated by a small cadre of Russian-speakers, most likely just an operator and a developer, who appear to have skills that were developed while working for a legitimate cybersecurity firm. Silence also stayed well under the radar not showing up as an independent criminal organization until recently.

“It is obvious that the criminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers, said Dmitry Volkov, Group-IB's CTO and head of threat intelligence, adding, “After having studied Silence's attacks, we concluded that they are most likely white hats evolving into black hats.”

The clues pushing Group-IB to believe Silence's members were once white hats are the member who appears to be the developer has the skills of an experience reverse engineer capable of creating tools to conduct attacks and modify complex exploits and software from outside sources. However, his programming ability is lacking as his software contains errors that are “quite common for virus analyst or reverse engineer.

The operator has pen tester skills and knows how to work through a banking infrastructure and Group-IB believes he uses the toolsets created by his partner to access banking systems.

Silence's first criminal act was spotted in 2016 when it attempted, but failed, to withdraw money from an automated work station client of the Russian Central Bank. Volkov described this initial attack as quite amateurish, but the duo used them as a learning experience.

Using phishing attacks against banks primarily in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan that if successful download a backdoor into the bank's network giving the criminals persistent access. Banks in Central and Western Europe, Africa, and Asia have also been targeted with phishing emails.

“Silence designs very well-crafted phishing emails usually purporting to be from bank employees,” Volkov noted.

The first backdoor used was the off the shelf Kikothac, but has since created its own tools designed to work against card processing and ATM systems.

Not only do the tools work quite well, but Silence quickly learned to switch targets Group-IB has credited Silence with stealing $100,000 during just one night in 2017 with an assault on an ATM system and followed this up in 2018 by implementing a supply chain attack against a card processing system allowing the gang to take $550,000 from ATMs during a single weekend. A few months later they used the same attack scheme to take another $150,000 from ATMs.

Volkov said these totals probably do not reflect all the money Silence has stolen, but only what can definitely be attributed to the group.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.