Do you remember reports about a Russian cybergang called Silence? They launched successful attacks against a number of Russian and other banks, predominantly targeting ATM networks, instructing them (probably via compromise of the backend) to dish out cash to mules who would phone up the hacking commander (mwahahaha) from the cashpoint and withdraw the monies, all of the monies.
A full, in-depth report of the nefarious activities of Silence was published last year by Russian cyber security firm Group-IB. It makes excellent reading, illustrating the high levels of organisation, tradecraft and, at the end of the day, front, that the best of these outfits have in spades.
Group-IB has not been resting on its laurels and has been tracking the activity of these very naughty boys and girls ever since. This week they revealed that Silence has just run a successful operation, again against ATM machines, this time in Bangladesh targeting the Dutch bank Dutch-Bangla, taking them for an alleged 3 meeelion dollars.
The M.O. was very similar. Ukrainian (surprise) money mules with faces covered would make a call as they approached the cashpoint, insert a card and take out all the money. The transactions would be approved because Silence had full control of the backend systems.
In fact it appears that this has been months in the planning, with infiltration starting as early as February this year. Group-IB has written the whole thing up with loads of juicy titbits, like the tools used, the command and control servers, the whole kit and caboodle. Have a read.
One US Dollah is equal to 84.5 Bangladeshi Taka, which means they must have been running around with something like 253,494,014 Taka; with the biggest note being a 1000 Taka note, that is about 253,494 banknotes. The mind boggles as to how they carried that lot around, or how they would go about the process of laundering the cash. Surely it can’t be that difficult to locate the perpetrators as they try to get rid of the money.
The problem with the tools used by outfits like Silence is that they are very stealthy and difficult to detect. Old school anti-virus products are pretty much useless and the comms to the C&C servers are encrypted and very difficult to spot.
It is becoming essential to implement a modern endpoint detection and response solution or service and to beef up tooling to look for C&C traffic. The good news is that the eager beavers at ITC are brilliant at these things, probably as cunning as the people at Silence. They would love to hear from you. Contact us at: [email protected] or call 020 7517 3900.
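To put a bit of flesh on the "look for C&C traffic" point: even when the channel is encrypted, a sleep-and-poll implant tends to call home at suspiciously regular intervals, and that timing is visible in ordinary proxy or firewall logs. The script below is an added example written for this post, not code from Group-IB, ITC or the Silence report. The log format, the IP addresses and the thresholds (five connections, coefficient of variation of 0.2) are all assumptions constructed for illustration.

```python
"""Added example: flag destinations contacted at near-constant intervals
(beaconing) in outbound connection logs. The log lines, addresses and
thresholds below are constructed for illustration, not taken from any report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src dst:port bytes".
# 203.0.113.10 is polled every ~5 minutes with slight jitter (beacon-like);
# 198.51.100.7 is contacted at irregular, human-looking intervals.
SAMPLE_LOG = """\
2019-05-01T10:00:00 10.0.0.5 203.0.113.10:443 512
2019-05-01T10:00:01 10.0.0.5 198.51.100.7:443 20480
2019-05-01T10:05:03 10.0.0.5 203.0.113.10:443 514
2019-05-01T10:07:32 10.0.0.5 198.51.100.7:443 3050
2019-05-01T10:09:58 10.0.0.5 203.0.113.10:443 511
2019-05-01T10:15:01 10.0.0.5 203.0.113.10:443 513
2019-05-01T10:19:45 10.0.0.5 198.51.100.7:443 99000
2019-05-01T10:20:00 10.0.0.5 203.0.113.10:443 512
2019-05-01T10:24:57 10.0.0.5 203.0.113.10:443 515
2019-05-01T10:51:03 10.0.0.5 198.51.100.7:443 120
2019-05-01T11:02:10 10.0.0.5 198.51.100.7:443 740
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(text, min_conns=5, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose inter-connection gaps are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. A value near zero means almost constant spacing,
    typical of an implant on a timer and rare for a person browsing. Both
    thresholds are assumed starting points, to be tuned per environment.
    """
    per_pair = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        per_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in per_pair.items():
        if len(stamps) < min_conns:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[pair] = {
                "connections": len(stamps),
                "mean_gap_s": avg,
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

Run against the constructed sample it reports the 203.0.113.10 pair (six connections roughly 300 seconds apart) and stays quiet about 198.51.100.7. On real data you would feed it a day of proxy or NetFlow records, raise `min_conns`, and treat the hits as leads for the EDR telemetry rather than as verdicts, since legitimate software (update checkers, monitoring agents) also polls on a timer.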