A group of hackers specialized in attacking banks has hit again, and this time they’ve breached four targets in Asia, respectively in Bangladesh, India, Sri Lanka, and Kyrgyzstan, security researchers from Group-IB have told ZDNet.
The only incident that is currently public is one impacting Dutch Bangla Bank Limited, a bank in Bangladesh, which lost more than $3 million during several rounds of ATM cashout attack that took place during the month of May, according to local media reports.
In a report shared with ZDNet prior to publication, Group-IB tied the Dutch Bangla Bank incident to a group of hackers known as “Silence.”
The group, which ZDNet previously covered in a September 2018 piece, has been active since 2016 and has historically targeted banks in Russia, former Soviet states, and Eastern Europe.
According to Rustam Mirkasymov, Head of Dynamic Analysis of Malicious Code at Group-IB, this is the first time the group has ventured into Asia.
Mirkasymov told ZDNet that Group-IB has been able to tie the Dutch Bangla Bank hack to Silence’s server infrastructure.
“Group-IB has the ability to actively track cybercriminals’ infrastructure of this and other financially motivated cybercriminal groups,” he told ZDNet in an email. “This all gives us visibility to indefinitely confirm that an infected machine inside the bank’s network was communicating with Silence’ infrastructure.”
“In this case, we discovered that Dutch Bangla Bank’s hosts with external IPs 18.104.22.168 and 22.214.171.124 were communicating with Silence’s C&C (126.96.36.199) since at least February 2019,” Mirkasymov told ZDNet in an email.
According to the researcher, the group appears to have deployed the eponymously named Silence malware on the bank’s network, with modules for running malicious commands on infected hosts and setting up proxy servers to disguise malicious traffic.
The group appears to have used this access to orchestrate coordinated funds withdrawals from the bank’s ATMs.
How these attacks occurred is currently unknown. A YouTube video unearthed by local media shows two men (later identified as Ukrainians) visiting Dutch Bangla Bank ATMs, making a phone call, and then withdrawing large sums of money. ATM cashouts using Dutch Bangla Bank ATMs occurred on May 31, but before that, crooks also used cloned cards with the data of Dutch Bangla Bank customers to withdraw money from ATMs in Cyprus, Russia and Ukraine.
This suggests the Silence group might have used their access to the bank’s network to facilitate and allow large ATM cashouts without triggering alerts, most likely by deploying their custom-built Atmosphere malware on systems that ran ATM-specific software.
Group-IB said Silence did hit banks in three other countries — India, Sri Lanka, and Kyrgyzstan — but could not disclose their names. (Courtesy ZDNet)