ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Silence, Contract Crew

Names:
Silence (Kaspersky)
Contract Crew (iDefense)
Whisper Spider (CrowdStrike)
TEMP.TruthTeller (FireEye)
ATK 86 (Thales)
TAG-CR8 (?)
Country: [Unknown]
Motivation: Financial crime
First seen: 2016
Description: (Group-IB) Group-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group’s activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.

Silence is a group of Russian-speaking hackers, based on their command language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

Group-IB found several relationships between Silence and TA505, Graceful Spider, Gold Evergreen.
Observed:
Sectors: Financial, Government, Manufacturing, Pharmaceutical.
Countries: Antigua and Barbuda, Armenia, Australia, Austria, Azerbaijan, Bangladesh, Belarus, Belgium, Belize, Bulgaria, Canada, Chile, China, Costa Rica, Croatia, Cyprus, Czech, Finland, France, Georgia, Germany, Ghana, Gibraltar, Greece, Hong Kong, India, Indonesia, Ireland, Israel, Jamaica, Jordan, Kazakhstan, Kenya, Kyrgyzstan, Latvia, Luxembourg, Malaysia, Mexico, Moldova, Netherlands, Norway, Pakistan, Panama, Poland, Romania, Russia, Saudi Arabia, Serbia, Seychelles, Singapore, South Korea, Spain, Sri Lanka, Sweden, Switzerland, Taiwan, Thailand, Turkey, UAE, UK, Ukraine, USA, Uzbekistan, Vietnam.
Tools used: Atmosphere, Cleaner, EmpireDNSAgent, Farse, Ivoke, Kikothac, Meterpreter, ProxyBot, ReconModule, Silence, TinyMet, xfs-disp.exe, Living off the Land.
Operations performed:
Jun 2016 - Silence: Moving into the Darkside
<https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf>
May 2018 - Silence 2.0: Going Global
<https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf>
May 2019 - ‘Silence’ hackers hit banks in Bangladesh, India, Sri Lanka, and Kyrgyzstan
The only incident that is currently public is one impacting Dutch Bangla Bank Limited, a bank in Bangladesh, which lost more than $3 million during several rounds of ATM cashout attacks.
<https://www.zdnet.com/article/silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan/>
Jan 2020 - New financially motivated attacks in Western Europe traced to Russian-speaking threat actors
<https://www.group-ib.com/media/silence_ta505_attacks_in_europe/>
Information:
<https://securelist.com/the-silence/83009/>
<https://reaqta.com/2019/01/silence-group-targeting-russian-banks/>
<https://newsroom.accenture.com/news/accenture-report-reveals-new-cybercrime-operating-model-among-high-profile-threat-groups.htm>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0091/>
Playbook: <https://www.fortinet.com/blog/threat-research/silence-group-playbook.html>

Last change to this card: 15 May 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
