Security researchers discovered that a group of hackers breached multiple banks in 25 plus countries worldwide, including Bangladesh, India, Sri Lanka, and Kyrgyzstan.
According to the research firm Group-IB, a hacker group named Silence is likely behind the recent cyber-attack on the Dutch Bangla Bank Limited in Bangladesh. The attackers apparently scooped more than $3 million in an ATM cash-out attack that occurred in May 2019, the ZDNet reported.
Group-IB stated the Silence group has been active since 2016 and previously attacked banks in Russia, former Soviet states, and Eastern Europe. It’s said that the hacker group appears to have deployed a malicious code, named Silence malware, on the bank’s network to run malicious commands on hosts and allegedly used the access to orchestrate fund withdrawals from the bank’s ATMs, according to the security researcher Rustam Mirkasymov at Group-IB.
“Group-IB has the ability to actively track cybercriminals’ infrastructure of this and other financially motivated cybercriminal groups. This all gives us visibility to indefinitely confirm that an infected machine inside the bank’s network was communicating with Silence’ infrastructure,” said Mirkasymov. “In this case, we discovered that Dutch Bangla Bank’s hosts with external IPs 103.11.138.47 and 103.11.138.198 were communicating with Silence’s C&C (185.20.187.89) since at least February 2019.”
Describing the hacker group Dmitry Volkov, the Chief Technology Officer and Head of Threat Intelligence at Group-IB, said, “It appears that the cybercriminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers. They carefully study the attacks conducted by other cybercriminal groups and analyze antivirus and Threat Intelligence reports. Many of Silence’s tools are legitimate, others they developed themselves and learn from other gangs. The Internet, particularly the underground web, favors this kind of transformation; it is now far easier to become a cybercriminal than 5–7 years ago.”
Multiple banks and other financial companies in several West African countries have suffered from different hacking attacks, which are underway since mid-2017. According to a report published by Symantec, financial institutions in Cameroon, Congo (DR), Equatorial Guinea, Ghana, and the Ivory Coast have been hit by multiple cyber-attacks in 2017 and 2018. Symantec stated the intruders who are behind these attacks were unknown.
Symantec stated that it has detected four distinct hacking campaigns targeted against financial firms in Africa. The first attack started in mid-2017 and has infected computers with a malware known as NanoCore (Trojan.Nancrat). The second type of attack began in late 2017, in which cybercriminals used malicious PowerShell scripts and credential-stealing tool Mimikatz (Hacktool.Mimikatz) to exploit their targets.
The third attack was targeted at banks in Ivory Coast using a malware called Remote Manipulator System RAT (Backdoor.Gussdoor), alongside Mimikatz and two custom Remote Desktop Protocol (RDP) tools. The fourth attack started in December 2018. The intruders used a malware known as Imminent Monitor RAT (Infostealer.Hawket) to attack banks in Ivory Coast. Symantec stated that all the four attacks were discovered through alerts generated by its Targeted Attack Analytics (TAA), which uses artificial intelligence to analyze and spot targeted attacks.