{
	"id": "4864d52a-6026-4841-84b2-e9e661e52f41",
	"created_at": "2026-04-06T00:08:37.355652Z",
	"updated_at": "2026-04-10T03:35:29.052092Z",
	"deleted_at": null,
	"sha1_hash": "73a9554626fde9e3b23fc2e2e2d33ef3394a61bf",
	"title": "New Silence hacking group suspected of having ties to cyber-security industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1222752,
	"plain_text": "New Silence hacking group suspected of having ties to cyber-security industry\r\nWritten by Catalin Cimpanu, Contributor, Sept. 5, 2018 at 4:01 a.m. PT\r\nArchived: 2026-04-05 19:55:14 UTC\r\n[Image: Group-IB]\r\nAt least one member of a newly uncovered cybercrime hacking group appears to be a former or current employee of a cyber-security company, according to a new report released today.\r\nThe report, published by Moscow-based cyber-security firm Group-IB, breaks down the activity of a previously unreported cyber-criminal group named Silence.\r\nAccording to Group-IB, the group has spent the last three years mounting silent cyber-attacks on financial institutions in Russia and Eastern Europe.\r\nThe group went undetected for years, mainly because of its predisposition for using legitimate apps and tools already found on victims' computers, in a tactic known as \"living off the land.\"\r\nBut Silence also created its own tools, such as:\r\nSilence -- a framework for infrastructure attacks;\r\nAtmosphere -- a set of software tools for attacks on ATMs;\r\nFarse -- a tool to obtain passwords from a compromised computer;\r\nCleaner -- a tool for log removal.\r\nThese tools, coupled with the group's lay-low tactics, helped it stay under the radar for far longer than many of its counterparts.\r\nhttps://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/\r\nPage 1 of 4\n\nFollowing a year-long investigation into the group's modus operandi, Group-IB says the group has been linked to hacks going as far back as 2016.\r\nThe first recorded hack attributed to Silence took place in July 2016. 
The hack was a failed attempt to withdraw money via the Russian inter-bank transaction system known as AWS CBR (Automated Work Station Client of the Russian Central Bank).\r\n\"Hackers gained access to the system, but the attack wasn't successful due to improper preparation of the payment order. The bank's employees suspended the transaction,\" Group-IB explained in its report.\r\nHowever, the bank's remediation efforts weren't up to par, and Silence regained access to the same bank's network a month later, in August 2016. This time, they took another approach.\r\n\"[Silence] downloaded software to secretly take screenshots and proceeded to investigate the operator's work via video stream. This time, the bank asked Group-IB to respond to the incident. The attack was stopped. However, the full log of the incident was unrecoverable, because in an attempt to clean the network, the bank's IT team deleted the majority of the attacker's traces,\" Group-IB said.\r\nBut the Silence group didn't stop after these initial clumsy hacking attempts. They did manage to hack into a bank and finally steal some money, more than a year later, in October 2017.\r\nAccording to Group-IB, the group stopped attempting to wire money using the AWS CBR system and switched to targeting the bank's ATM control systems, making ATMs spew out cash (known as jackpotting) at desired hours.\r\nInvestigators say that Silence stole over $100,000 during their first successful cyber-heist. 
Other hacks following the same pattern were later discovered and traced back to the Silence group in the following months, such as the theft of over $550,000 in February 2018, and another $150,000 in April 2018.\r\nThe group is nowhere near as successful as other criminal groups known to target financial institutions, such as Cobalt, Buhtrap, or MoneyTaker, all linked to multi-million dollar heists.\r\nThe reason, according to Group-IB experts, is that Silence is only a two-man operation -- hence, they don't have the same vast human resources to throw at their targets as other groups do.\r\nThis is the reason why it took them more than a year to develop the Atmosphere malware they used in the 2017 and later ATM money-dispensing attacks.\r\n[Figure: Timeline of Silence attacks and tools (Group-IB)]\r\nBut it was when Group-IB researchers analyzed the group's entire malware arsenal that they discovered that, despite being a two-man group, Silence was actually pretty good at what it did.\r\nResearchers say the group was very efficient at crafting spear-phishing emails. These spear-phishing emails used exploits for the following Windows and Office vulnerabilities: CVE-2017-0199, CVE-2017-11882 + CVE-2018-0802, CVE-2017-0262, CVE-2017-0263, and CVE-2018-8174.\r\nThe exploits implanted the Silence modular malware framework on victims' systems. 
The group would use locally installed tools for reconnaissance and lateral movement, and would only deploy Atmosphere when they knew they had infected the proper computer that ran ATM-specific software.\r\nWhen needed, the group would also manually modify malware developed by other crooks, such as the Kikothac backdoor, the Smoke downloader, or the Undernet DDoS bot.\r\nGroup-IB says that these modifications to third-party malware are what led its researchers to reach the conclusion that at least one of the Silence group members used to work, or still works, in the cyber-security industry.\r\n[Image: Group-IB]\r\nGroup-IB codenamed the Silence group's members The Developer and The Operator. They say the former developed or modified all the group's malware, while the latter was the one using it to infect banks and carry out the hacks.\r\nThe Developer, in particular, showed advanced knowledge of malware families and reverse engineering skills, but lacked the knowledge to write top-quality code from scratch -- a typical trait of most security researchers, who spend most of their time reverse engineering other people's code, rather than writing their own.\r\n\"It is obvious that the criminals responsible for these crimes were at some point active in the security community, either as penetration testers or reverse engineers,\" said Dmitry Volkov, Chief Technology Officer and Head of Threat Intelligence at Group-IB.\r\n\"[The Developer] knows exactly how to develop software, but he does not know how to program properly.\"\r\nAs for Silence's origin, Group-IB believes the two are based either in Russia or another Russian-speaking country.\r\n\"Group-IB experts concluded that Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, 
Belarus, Azerbaijan, Poland, and Kazakhstan),\" the Russian cyber-security firm said today in a press release.\r\n\"Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.\"\r\nGroup-IB did not share the names of the hacked banks but only said that \"successful attacks currently have been limited to the CIS and Eastern European countries,\" although the group sent spear-phishing emails to banks all over the world.\r\nSource: https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/"
	],
	"report_names": [
		"new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73a9554626fde9e3b23fc2e2e2d33ef3394a61bf.pdf",
		"text": "https://archive.orkl.eu/73a9554626fde9e3b23fc2e2e2d33ef3394a61bf.txt",
		"img": "https://archive.orkl.eu/73a9554626fde9e3b23fc2e2e2d33ef3394a61bf.jpg"
	}
}