
Report suggests Russian hacker group behind DBBL heist

  • Published at 12:24 am July 6th, 2019
Three of the six arrested Ukrainians who were caught at Hotel Oilo Dream Heaven in Panthapath on Saturday, June 1, 2019 | Nuruzzaman Labu

A Russian hacker group called "Silence" was likely behind the recent cyberattacks on three private banks in Bangladesh, according to international cyberdefence company Group-IB.

In a report, titled “Bangladesh Cyber Heist 2.0: Silence APT goes global,” which was released on Wednesday, Group-IB claimed that the cybercriminal group had carried out the attacks on Dutch Bangla Bank Ltd (DBBL), Prime Bank Ltd and NCC Bank Ltd.

Silence is an active, though very small, group of Russian-speaking hackers that has attacked bank management systems, card processing systems, and the Russian interbank transfers system. Group-IB first detected their activity in 2016.

“This is one of Silence’s most recent international attacks, which indicates that the gang has expanded its geography and gone global, focusing now on APAC [Asia-Pacific] markets,” said the report.

Group-IB’s findings

According to the report, Silence had been communicating with DBBL’s host servers since February 2019 at the latest.

During the latest attack, the culprits likely used Trojan malware to covertly execute remote commands and download files from the compromised server, allowing them to redirect traffic from a hidden node to a back connect server via a compromised computer.

Once they gained access to the bank’s infrastructure, Silence went on to withdraw the money, which was captured by a DBBL booth CCTV camera.

“The money could have been stolen in one of two ways: the hackers could have either compromised the bank’s card processing system or used the custom Atmosphere software, a set of tools used for ATM jackpotting,” the report suggested.

Jackpotting refers to exploiting hardware or software vulnerabilities in ATM systems.

Rustam Mirkasymov, head of Dynamic Analysis of Malicious Code at Group-IB, said in the report: “Having tested their tools and techniques in Russia, Silence has gained the confidence and skill necessary to be an international threat to banks and corporations. Asia particularly draws cybercriminals' attention.

“DBBL is not its first victim in the region. In total, we are aware of at least four targets Silence has attacked in Asia recently,” Mirkasymov stated.

According to Group-IB, the gang’s targets are mainly located in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan, although phishing emails have been sent to bank employees in Central and Western Europe, Africa and Asia.

Forensic report on Silence's involvement due

A police official close to the investigation said they were aware of the report, but could not reach any conclusion at the moment.

Wishing not to be named, the official said: “It is quite difficult to comment right now. We are waiting for the forensic report. Once the report is ready, everything—including who were behind the theft—will be clear.”

DBBL spokesperson Sagir Ahmed said they had not heard of the report yet.

“However, since the investigation has already found involvement of Russians with the theft, it can be true,” he said, adding that they could not be sure before going through the report.

The case in brief

In late May, a group of foreigners withdrew Tk3 lakh from a DBBL ATM booth. Although CCTV footage showed that two of the foreigners withdrew the money, surprisingly no account of that transaction was recorded in the bank server.

Later, police arrested six Ukrainian nationals in this connection.

In the case of DBBL, criminals in Cyprus, Russia, and Ukraine stole around $1.4 million from the bank’s teller machines using cloned credit cards and personal identification numbers (PINs) at the beginning of May.

Similarly, hackers stole around $400,000 million using Prime Bank's cloned card from Cyprus, but the bank denied any such theft.

An NCC Bank official confirmed to Dhaka Tribune that they had also faced cyberattacks, but avoided any financial loss.

All the private banks, especially those that deal with international credit and debit cards, have been issued notices to stay vigilant about foreign nationals and people behaving suspiciously when entering ATM booths.

According to recent research by the Bangladesh Institute of Bank Management, the IT departments of around 50% of banks in Bangladesh face security threats, as they lack the infrastructure necessary to ensure network security.
