The most dangerous hacker groups in the world. The most famous hackers and their attacks



From the evil programmer and James Bond's nemesis in GoldenEye to the biggest cybercrime in American history, Russian hackers are notorious for their questionable skills. And while hackers from other countries can often be motivated by an ideology, most Russian cybercriminals have developed a reputation as digital pickpockets more interested in wiping out other people's bank accounts than making public statements.

And while it has long been accepted that most hackers are simply crooks, cybercrime is still often admired for the technique and intelligence it brings, creating a heady cocktail of art, science and criminal intent. And while Russian hackers may be less active than their Chinese and Latin American counterparts, the quality of their attacks makes them world leaders in this field. Here are some of the Russian names that have caused panic in the cybersecurity world.

1. Anonymous International

This hacker group is also known as "Shaltai-Boltai" (the Russian name of Humpty Dumpty, the nursery-rhyme character). Arguably the most prominent hacker group in Russia at present, Anonymous International has claimed responsibility for a long series of recent cyberattacks and document leaks. The hackers published the personal email archives of several Russian government officials and stole various classified documents (for example, reports on surveillance of opposition leaders after the protests in Moscow). But their most famous act was hacking into Prime Minister Dmitry Medvedev's Twitter account and posting several humorous tweets on his behalf for half an hour while Medvedev's representatives scrambled to regain control of the account. They say they are not motivated by money; however, because the group is so secretive, many still question its methods, motives and moral character. The group's website contains an archive of stolen files, for which it was blocked by Roskomnadzor; it can still be viewed using a VPN.

2. Vladimir Levin

Levin, a biochemist from St. Petersburg, is a cult figure in Russian cybercrime and is considered one of the fathers of hacking. In 1994, Levin and a team of accomplices gained access to Citibank and transferred more than $10 million to various accounts in different countries. Levin was promptly caught and convicted in 1998 in the United States. It was a high-profile case. Levin did not speak English at the time of the crime (he learned the language in prison in America; apart from computer technology, it was the only skill he mastered), and journalists described him as "something between a hippie and Rasputin." After Levin was found guilty, various hacker groups from St. Petersburg claimed that it was they who had gained access to Citibank, and that they had later sold the access to Levin for one hundred dollars.

3. Igor Klopov

Klopov's story is similar to American Hustle, but marked by a naive perception of the American Dream. The 24-year-old Moscow State University graduate used the Forbes list of the 400 richest people on the planet to find his targets. Then, in Moscow, he used his laptop to find American accomplices, promising them money, holidays in five-star hotels and limousines. Using what the state prosecutor would later call "a combination of clever and time-tested Internet techniques, such as forging a driver's license," Klopov and his accomplices stole $1.5 million and tried to steal another $10 million, which they were caught doing. Igor Klopov pleaded guilty and was sentenced to prison in 2007.

4. Koobface gang

Unlike most of the other hackers on this list, members of the Koobface (an anagram of Facebook) Gang—all later revealed to be Russians from St. Petersburg—did not attack companies or people directly. Instead, they created a computer worm, which they released into various social networks (Facebook, Skype, Gmail, Yahoo Messenger and many others) to infect user accounts and steal their personal data. The investigation into the group's crimes shed light on an ingenious scheme that left police unable even to estimate the resources needed to understand its activities: "all the proceeds were derived from thousands of individual micro-transactions amounting to no more than a fraction of a penny each. The victims were scattered across dozens of national jurisdictions." The Koobface worm lured users with links captioned "You should watch this video!" or "You won't believe what your friend X said about you!", a strategy popular among hackers. The worm was exposed and ceased operating in 2012, after the names of Koobface Gang members were published in the media.

5. Vladislav Khorokhorin

Hiding behind the nickname BadB, Khorokhorin opened two online stores selling bank card holders' data. His promotional video features a cartoon BadB in a fur hat selling the credit card details of cartoon characters, including George W. Bush and Condoleezza Rice. He ran his illegal business for 8 years before being detained in France in 2010. Comments like "RIP BadB" under his promotional video on YouTube only confirm Khorokhorin's status as a successful hacker. After his arrest, Khorokhorin hired a famous New York lawyer, Arkady Bukh, who specializes in cybercrime. Bukh claimed that Khorokhorin is not BadB, and in an interview with Forbes said that his client made his millions as a Tesla Motors dealer in Moscow. Tesla, which has never had dealers in Russia, denied this. In 2013, Khorokhorin was sentenced to 88 months in prison and ordered to pay $125,739 in restitution.

September 19 is International Pirate Day. Today the site tells its readers about the modern-day successors of the freebooters: hackers.

To begin with, it is worth defining the term. In English, "hack" once covered a range of meanings centred on "to chop or break something off roughly", with other nuances besides. Later, "hacking" came to mean simple computer hooliganism.

A "hacker" is someone who breaks into websites and servers: a person who uses his skills for various, sometimes unseemly, purposes. For some this is now an industry, for others a lifestyle. The latter prefer a different name for themselves and form a whole international community. They break into networks for fun and often "patch the holes" when they leave. "Clean" hackers not only do no harm but bring benefit by pointing out weaknesses in a system, and they often do so selflessly, sometimes at the request of the network's owner, who wants to know its weak points.

The most famous hacker attacks in Internet history

Kevin Mitnick and the Pentagon. This American is probably the most famous hacker in the world, largely due to the penchant for eccentric behavior that the idle public expected of him. During his arrest in 1995, Mitnick categorically stated that all he had to do was whistle into a public pay phone to start a nuclear war.

In reality, of course, he could do nothing of the kind: even though he really did break into many protected networks, he used no ingenious programs or supernatural codes for this, only the banal methods of social engineering, in other words, the human factor. Mitnick relied not so much on technical skills as on knowledge of psychology, manipulating people into giving up their passwords.

Mitnick hacked the Pentagon on a computer with a processor of less than 2 megahertz


Mitnick began practicing hacking various systems from childhood. It is known that at the age of 12 he found a way to forge bus tickets, which allowed him to travel around the city for free. He then hijacked the intercom system at a local McDonald's drive-through to talk trash to customers.

At the age of sixteen, Mitnick hacked into the network of the Digital Equipment Corporation and stole the software located there: this cost him a year in prison and three years under police supervision. It was during this time that he hacked into Pacific Bell's voicemail system and, after a warrant was issued for his arrest, went on the run.

As a student, Mitnick used a TRS-80 computer to penetrate the global ARPANet network, the predecessor of the Internet, and through a computer at Los Angeles University reached the servers of the US Department of Defense. The hack was recorded, the young cybercriminal was quickly found, and he ended up serving six months in a youth correctional center. Fun fact: he did this on a computer with a processor of less than 2 megahertz.

In 1999, the FBI agents who caught Mitnick claimed that he had false documents and mobile phones with "cloned" numbers. He was eventually charged with hacking several computer and telephone networks and was sentenced to 46 months in prison, plus 22 months for violating the terms of his probation; moreover, the joke about a nuclear war cost him eight months in solitary confinement.

Kevin Mitnick was released from prison in 2003 and has since written several books about his hacking achievements. In 2000, the film Track Down was released, based on his biography written by Tsutomu Shimomura and John Markoff; Shimomura is a computer systems expert whose computer was hacked by Mitnick. Today Mitnick is 49 years old and runs his own computer security company.


Jonathan James and NASA. American Jonathan James is the first juvenile hacker convicted in the United States of cybercrimes. According to the prosecution, at the age of 15 in 1999, he hacked into the computer system of his own school, the network of the telecommunications company Bell South, and then penetrated the server of the US Department of Defense. Here he intercepted more than three thousand emails from government employees, hacked into a NASA server and stole software designed to control life support systems on the International Space Station.

In 2000, James was arrested, however, due to his young age, he was found guilty of two counts in juvenile court and thereby avoided actual prison time. Instead, he spent six months under house arrest and sent written apologies to the Pentagon and NASA. If James had been two years older, he would have faced at least ten years in prison.

Jonathan James hacked NASA at age 15


Meanwhile, a few years later, Jonathan James began to be suspected of another computer crime: in 2007, the credit card information of millions of customers of the TJX retail chain was stolen, and the Secret Service searched James' home, trying to find evidence linking him to this crime.

Despite the fact that charges were never brought, James was confident that he would go to prison, and (according to the official version) he committed suicide. In the note he left, he stated that he did not believe in the justice system and saw suicide as the only way to maintain control of the situation and avoid punishment for a crime he did not commit. In interviews James gave prior to the theft of TJX customer data, he stated his intention to open his own computer security firm. Instead, at the age of 24, he committed suicide.

Kevin Poulsen and radio station KIIS-FM. Another former hacker who, like Mitnick, changed his occupation to a safer one. In the eighties, Poulsen specialized in hacking telephone lines and easily manipulated the numbers and channels of different operators. Poulsen first became known under the pseudonym Dark Dante in 1993 after hacking into the telephone control system of the Los Angeles radio station KIIS-FM. By skillfully blocking the lines, he became the winner of several contests and, as the 102nd caller, "won" a Porsche 944 S2.

Poulsen is currently a senior editor at Wired magazine.


Poulsen came to the attention of the FBI after hacking into secret databases containing information on wiretaps. His face appeared in an episode of the television series Unsolved Mysteries, dedicated to unsolved crimes, but immediately afterwards, inexplicably, all of NBC's telephone lines went down, so that no one could call in to identify Poulsen.

Nevertheless, the manhunt announced by the FBI bore fruit: a supermarket employee recognized Poulsen and cornered him in a store aisle. Kevin was charged with hacking telephone networks and money laundering and was sentenced to five years in prison, after which he was prohibited from touching computers for three years.

After his release from prison in 1998, Poulsen turned to journalism and today serves as senior editor of the online version of the famous computer technology magazine Wired.

Sven Olaf Kamphuis and the Spamhaus Project. The Dutch-born owner of CyberBunker, which hosted The Pirate Bay, and a prominent figure in the German Pirate Party, was arrested by Spanish police in April 2013 after a series of powerful cyberattacks that some say threatened the entire Internet. The fact is that CyberBunker and CB3ROB, another company owned by Kamphuis, hosted not only torrent trackers but also botnets, spammers and other dubious enterprises.

Kamphuis carried out an attack that threatened the entire Internet


The massive DDoS attack on the Spamhaus Project's servers came after the computer security firm blacklisted CyberBunker and CB3ROB. In response, Kamphuis announced the creation of the STOPhaus group, which, according to him, included hackers not only from the USA, Canada and Western Europe but also from Russia, Ukraine and China. According to the prosecution, by amplifying its requests through the DNS resolvers of various providers, the STOPhaus group managed to flood the Spamhaus Project's servers with traffic at more than 300 Gbps, which significantly slowed down the entire Internet.
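The attack described above works by sending small DNS queries with the victim's address forged as the source to open resolvers, which then deliver much larger answers to the victim. From the resolver operator's side, the visible symptom is a single "client" address that repeatedly asks for large record sets (typically ANY) of one zone. The following script is an added example, not from the article or from any of the parties it names: it parses constructed, BIND-style query-log lines and flags sources whose query mix looks like reflection abuse. The log format, the sample addresses and the thresholds are assumptions chosen for illustration.

```python
"""Flag signs of DNS reflection/amplification abuse in resolver query logs.

Added example (not from the original article). Log lines follow a BIND-style
"client <ip>#<port>: query: <name> IN <type>" layout and are constructed;
the thresholds are illustrative assumptions, not tuned values.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample: 203.0.113.10 (a spoofed victim address) "asks" for ANY
# records of one zone over and over, while two ordinary clients do normal lookups.
SAMPLE_LOG = """\
client 203.0.113.10#53: query: example.org IN ANY
client 203.0.113.10#53: query: example.org IN ANY
client 203.0.113.10#53: query: example.org IN ANY
client 203.0.113.10#53: query: example.org IN ANY
client 203.0.113.10#53: query: example.org IN ANY
client 198.51.100.7#51234: query: www.example.com IN A
client 198.51.100.7#51235: query: mail.example.com IN MX
client 192.0.2.44#40001: query: example.org IN TXT
"""


def parse_queries(log_text):
    """Yield (ip, name, qtype) for every line that matches the query-log pattern."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")


def reflection_suspects(log_text, min_queries=5, any_ratio=0.8):
    """Return {ip: {"queries", "any", "top_name"}} for sources that look like
    reflection victims: at least min_queries queries, of which at least
    any_ratio are ANY queries (the record type that yields the largest answers).
    """
    per_ip = defaultdict(lambda: {"queries": 0, "any": 0, "names": Counter()})
    for ip, name, qtype in parse_queries(log_text):
        rec = per_ip[ip]
        rec["queries"] += 1
        rec["names"][name] += 1
        if qtype == "ANY":
            rec["any"] += 1

    suspects = {}
    for ip, rec in per_ip.items():
        if rec["queries"] >= min_queries and rec["any"] / rec["queries"] >= any_ratio:
            suspects[ip] = {
                "queries": rec["queries"],
                "any": rec["any"],
                "top_name": rec["names"].most_common(1)[0][0],
            }
    return suspects


if __name__ == "__main__":
    for ip, info in reflection_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {info['any']}/{info['queries']} ANY queries, mostly for {info['top_name']}")
```

A hit here means the resolver is being used as a reflector against the listed address, not that the address is attacking you; the usual fixes are to stop answering recursive queries from the open Internet and to apply response rate limiting.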

After his arrest, Kamphuis stated that he had nothing to do with this attack and that he only publicly represented the STOPhaus group, but did not participate in its activities. According to him, the damage from the attack on the Spamhaus Project has been greatly exaggerated. He calls himself an Internet activist and a fighter against censorship and all those who try to control the Internet.

Gary McKinnon and the US Department of Defense. This Scot is Britain's most famous hacker, whose extradition the United States has sought since the early 2000s; there he faces more than 70 years in prison. UK police first became interested in McKinnon in 2002, but thanks to public support and other circumstances he remains at large.

In the US, McKinnon is accused of hacking almost a hundred computers belonging to the Department of Defense and NASA in 2001. According to authorities, having gained access to the system, he deleted critical files and effectively paralyzed the US military network for an entire day. Moreover, McKinnon allegedly erased US military data from hacked computers after the September 11, 2001 terrorist attacks and stole some critical information. According to the laws in force in Great Britain, he was only entitled to a six-month sentence for such offenses.

McKinnon himself claimed that he was looking in the computers of the US military for evidence of concealing information from the public about UFOs and other potentially useful technologies. In addition, he stated that he gained access to completely unprotected machines and left numerous records of all the vulnerabilities discovered on those same computers.

A federal court in the US state of Virginia formally charged McKinnon with seven counts of computer crime in November 2002, and had the UK extradited him to the US, the hacker could well have spent the rest of his life in prison. After the Extradition Act 2003 came into force, the hacker's fate seemed sealed, but this was not the case. The only thing that changed was that he was required to report to a police station every day and not leave the house at night.

Sting, Boris Johnson, Stephen Fry spoke out in support of McKinnon


The defense insisted on a medical examination of McKinnon, and he was diagnosed with Asperger's syndrome (a form of autism) and clinical depression, which carries a risk of suicide. On this basis, McKinnon appealed to the European Court of Human Rights, which initially suspended the extradition but then refused to block it. In 2009, the Supreme Court granted extradition, but public outcry over the case meant it never took place. Many famous personalities spoke out in support of the hacker, from musicians Sting and Peter Gabriel to London Mayor Boris Johnson and actor Stephen Fry.

In October 2012, Home Secretary Theresa May announced that McKinnon's extradition would be blocked on the grounds that the risk to the defendant's life if extradited (he could commit suicide) was so great that such a decision would be contrary to human rights. Subsequently, it was decided to drop the criminal prosecution of the hacker in the UK as well, formally because of difficulties with evidence located in the United States. McKinnon is now completely free.


Vladimir Levin and Citibank. A Russian hacker who withdrew $12 million from Citibank's systems in 1994. Most of the money was returned to its rightful owners, but $250 thousand was never found. An interesting fact is that at the time of the crime the Russian criminal code contained no articles providing punishment for cybercrimes, so Levin was extradited to the United States and spent 3 years in custody.

Levin withdrew $12 million from the Citibank system in 1994


Vasily Gorshkov, Alexey Ivanov and PayPal. Russian hackers who were "active Internet users" in the 2000s. These Russians managed to hack PayPal, Western Union and much more; in total, they broke into 40 American companies in 10 states. In 2003, Gorshkov was sentenced to three years in prison and a fine of $700 thousand. Ivanov was caught and convicted in 2004 and sentenced to four years in prison. The trials also took place in the United States.

The most famous hacker groups

Lizard Squad

The first mentions of Lizard Squad in the media appeared after they took down the servers of the games League of Legends and Call of Duty. This was followed by more serious attacks on Sony's PlayStation Network and Microsoft's Xbox Live. One gets the impression that members of this group have a personal dislike for Sony. In August 2014, they even posted a threat on Twitter to blow up a plane carrying the president of Sony Online Entertainment. Fortunately, the aircraft made an emergency landing and there were no casualties.

In addition, Lizard Squad claim ties to the Islamic State. For example, after the attack on Malaysia Airlines, the hacktivists published on the company's website the message "Hacked by Lizard Squad - the official Cyber Caliphate. ISIS will win." A few months earlier, they had placed ISIS flags on Sony servers. However, it is likely that the group's activities are not politically motivated and that they mention ISIS only to attract media attention.

Following the December attacks on PSN and Xbox Live, UK and US law enforcement conducted a major joint investigation which resulted in the arrest of a 22-year-old man from Twickenham and a teenager from Southport, both alleged members of the Lizard Squad.

Anonymous

Anonymous is perhaps the most famous hacker group of all time. It is a decentralized online community of tens of thousands of hacktivists for whom computer attacks are a way of protesting against social and political phenomena. The group became famous after numerous attacks on government, religious and corporate websites. It attacked the Pentagon, threatened to destroy Facebook and the Mexican drug cartel Los Zetas, and declared war on Scientology.

In 2010, Anonymous organized a large-scale “Operation Payback” campaign, launching attacks on Visa, MasterCard and PayPal systems. The reason is their refusal to make payments to the WikiLeaks site, founded by Julian Assange. In 2011, hacktivists publicly supported the Occupy Wall Street movement against social and economic inequality by attacking the New York Stock Exchange website.

In 2010, Anonymous launched attacks on Visa, MasterCard and PayPal systems


Since 2009, dozens of people have been arrested for involvement in Anonymous activities in the US, UK, Australia, the Netherlands, Spain and Turkey. Representatives of the group condemn such persecution and call their captured comrades martyrs. The hacktivists' motto: "We are Anonymous. We are Legion. We do not forgive. Expect us."

LulzSec

LulzSec (short for Lulz Security) is an organization that, "for fun," carried out attacks on the servers of companies considered the most reliably protected. Initially, it consisted of seven members working under the motto "Laughing at your security since 2011." The date was not chosen by chance: in 2011, Anonymous, already famous by then, carried out a major attack on the company HBGary Federal. This incident later topped Forbes magazine's ranking of the most notorious cybercrimes. The group's name comes from "Lulz", a derivative of LOL (Laughing Out Loud).

LulzSec's first attacks include the theft of passwords for Fox.com, LinkedIn, and 73,000 X Factor contestants. In 2011, they compromised the accounts of users of the Sony Pictures resource and disabled the official website of the CIA.

After successful attacks, LulzSec traditionally left caustic messages on resources, as a result of which some experts tend to consider them more Internet pranksters than serious cyber warriors. However, the representatives of the group themselves stated that they were capable of more.

In June 2011, LulzSec issued a message announcing its dissolution. However, a month later, hackers launched a new attack - this time on the News Corporation newspaper. They hacked The Sun's website and posted news about the death of its owner Rupert Murdoch on the main page.

The main participants of LulzSec were arrested in 2012. The FBI informant turned out to be the group's 28-year-old leader, Hector Xavier Monsegur, known online as Sabu. In his statement, prosecutor Sandeep Patel noted that the hackers were not driven by political ideas like Anonymous, and called them "pirates of our day."

Syrian Electronic Army

The goal of the Syrian Electronic Army (SEA) hacker group is to support Syrian President Bashar al-Assad. The resources of political opposition groups, human rights organizations and Western news sites most often become targets of attackers.

The nature of the group's connection to the Syrian government remains unclear. On its website, SEA describes itself as "a group of young Syrian enthusiasts who cannot remain indifferent to the widespread misrepresentation of the Syrian uprising." Meanwhile, a number of experts claim that the organization operates under the control of the Syrian government.

The techniques used by SEA include traditional DDoS attacks, spamming, phishing and virus distribution. They usually post political messages and the Syrian flag on the main page of the attacked site. The Independent, The Daily Telegraph, Evening Standard, The Daily Express, Forbes, Chicago Tribune, CBC, La Repubblica and several other publications have already fallen victim to the Syrian hackers. Members of the Syrian Electronic Army have also attacked the Facebook accounts of Barack Obama and Nicolas Sarkozy.

Over the past week, many of us have heard for the first time about the hackers from Lizard Squad, who have already managed to claim responsibility for two sensational DDoS attacks: on the Malaysia Airlines website, which began redirecting users to a page with the inscription “404 - plane not found”, and on Facebook, which was unavailable for a full 40 minutes.

Facebook, however, denied rumors of a hacker attack; instead, the site's outage was blamed on a developer error. Malaysia Airlines has also assured users that the site was not hacked but was simply moved temporarily to a different domain name.

And yet, who are the Lizard Squad? Just another “hacktivist” trying to convey their political agenda, or a group of teenagers having fun? Do they pose a real threat or are they only strong in name? And what is their place among other hacker groups? Below we will talk about the hackers who have made themselves known most loudly lately.

Lizard Squad gained fame after attacks on major IT companies, including Sony, Microsoft and Facebook. The general public first heard about them in August 2014, when they hacked several online games, including League of Legends and Destiny. These were followed by more significant attacks on Sony's PlayStation Network and Microsoft's Xbox Live.

It seems that the hackers have a personal score to settle with Sony. In August 2014, they reported a bomb on board the airliner on which one of the company's presidents was due to fly. As a result, the plane made an emergency landing.

In addition, the group hints at its involvement with the Islamic State. During the attack on Malaysia Airlines, they called themselves the "Cyber Caliphate" (also the name of the hacker arm of the Islamic State). Moreover, in August they planted an ISIS flag on Sony servers.

At first glance, Lizard Squad appears to be driven purely by political motives, but it is likely that what is more important to them is to demonstrate the capabilities of their Lizard Stresser service. Thus, claims of links to the Islamic State may be nothing more than an attempt to attract more media attention.

Following the attacks on PSN and Xbox Live, American and British authorities conducted an investigation, which ended with the arrest of a 22-year-old resident of Twickenham and a teenager from Southport (Britain).

Probably the most famous hacker organization, Anonymous is a decentralized association of tens of thousands of “hacktivists” who work together to hack websites as a way of protesting.

The group gained fame after attacks on a number of large political, religious and corporate resources. Their accomplishments include hacking the Pentagon website, threatening Facebook and Los Zetas, a Mexican drug cartel, and declaring war on the Church of Scientology.

In 2010, Anonymous launched Operation Payback after Visa, MasterCard, PayPal and other companies refused to serve WikiLeaks. They also openly supported the Occupy Wall Street movement in 2011 by attacking the New York Stock Exchange website.

Since 2009, numerous people have been arrested on suspicion of involvement with Anonymous in America, the UK, Australia, the Netherlands, Spain and Turkey. However, the organization protests against the persecution, calling those arrested “martyrs of the movement.”

The group's motto reads: "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."

LulzSec (short for Lulz Security) formed shortly after the HBGary Federal hack in 2011 and was originally an offshoot of Anonymous. The driving force of the group was seven people who chose the phrase "Laughing at your security since 2011" as their motto.

The group carried out its first attack on Fox.com, stealing several passwords, LinkedIn accounts and the names of 73 thousand X-Factor participants. In 2011, they went further by hacking the CIA website.

LulzSec have become famous for the large organizations they target and the scathing messages they leave on sites after hacks. Some experts regard the organization’s activity more as a prank than a real threat, but the group’s members claim that they are capable of taking more serious steps.

In 2011, the group released a statement, “50 Days of Lulz,” in which they announced their dissolution. However, on July 18, they carried out another attack on newspapers owned by the News Corporation holding company, filling them with fake news about the death of the company's owner, Rupert Murdoch.

In 2012, the FBI arrested the main participants following a denunciation by the group's leader, Hector Monsegur, known under the nickname Sabu. According to prosecutor Sandeep Patel, the hackers lacked Anonymous's political ambitions and imagined themselves as "modern pirates."

The Syrian Electronic Army (SEA) has openly stated that it supports the government of the current Syrian President Bashar al-Assad. Their main target is the political opposition and Western websites, especially news resources and human rights organizations.

The group’s relationship with the Syrian government is not very clear. On its official website, SEA describes itself as “a group of young Syrian enthusiasts who cannot calmly respond to the misrepresentation of the recent uprisings.” Some experts believe that hackers may actually receive government funding.

The main methods of SEA are spam, defacement, phishing and malware distribution. Often, hackers replace a company's web page with messages supporting the current government or an image of the Syrian flag.

The Syrians have already managed to hack the Facebook pages of Barack Obama and Nicolas Sarkozy, as well as the Twitter accounts of news agencies and IT companies. The messages they leave after a hack vary greatly in style, however: some are serious and openly political, others ironic.

On the discovery of a little-studied hacker group that attacks banks, like Cobalt or MoneyTaker.

The group

Group-IB experts discovered the first traces of a hacker group called Silence back in June 2016. According to the report, at that time the cybercriminals were only beginning to try their hand.

One of Silence's first targets was a Russian bank, which they tried to attack through AWS KBR (the Automated Workstation of a Bank of Russia Client, used for interbank transfers). After that the hackers went quiet for a long time. It later turned out that this is standard practice for Silence: they attack selectively, with about three months between incidents, three times longer than other groups specializing in targeted attacks, such as MoneyTaker, Anunak (Carbanak), Buhtrap or Cobalt.

Researchers believe the reason lies in the extremely small size of Silence. For the first time in their practice of cyber intelligence and cybercrime investigation, Group-IB specialists encountered such a structure and division of roles within a group. Silence constantly analyzes the experience of other criminal groups and tries new techniques and methods of theft from various banking systems, including AWS KBR, ATMs and card processing. In less than a year, the volume of Silence's thefts increased fivefold.

The experts' working hypothesis is that only two roles are clearly visible in the Silence team: operator and developer. The operator is probably the leader of the group; judging by his actions, he is a pentester, well acquainted with the tools used for penetration tests of banking infrastructure. This knowledge allows the group to navigate easily inside an attacked bank. It is the operator who gains access to secure systems within the bank and initiates the theft.

The developer is also a fairly highly qualified reverse engineer. His academic knowledge of how programs are built does not stop him from making mistakes in code. He is responsible for developing the tools used in attacks and is also capable of modifying complex third-party programs. For patching, he uses a little-known Trojan that no other group has previously been seen using. In addition, he knows how ATMs operate and has access to malware samples of the kind usually held in the databases of information security companies.

Researchers note that at the start, in the summer of 2016, Silence lacked the skills to break into banking systems and learned on the job during its first operations. The group's members carefully studied the experience, tactics and tools of other criminal groups and constantly tried to put into practice new techniques and methods of theft from various banking systems, including AWS KBR, ATMs and card processing.

Skills in reverse engineering and pentesting, the unique tools the hackers created to attack banking systems, the choice of an unknown Trojan for patching, and numerous erroneous actions all support the hypothesis that Silence's members most likely come from a legitimate background. At least one of the hackers worked (or continues to work) for a company specializing in information security.

Like most financially motivated APT groups, Silence's members speak Russian, as evidenced by the language of the program commands, the preferred locations of rented infrastructure, the choice of Russian-speaking hosting providers, and the locations of the criminals' targets:

Silence Trojan commands are Russian words typed on an English keyboard:

  • htrjyytrn > реконнект > reconnect;
  • htcnfhn > рестарт > restart;
  • ytnpflfybq > нетзаданий > notasks.
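To recognise this pattern in a sample's strings, here is an added Python helper (not from the article or from Group-IB) that re-reads Latin keystrokes as the Cyrillic letters on the same keys of the Russian JCUKEN layout and flags layout-shifted tokens; the vowel-ratio thresholds and the sample lines are my own assumptions.

```python
# Added example, not code from the article or from Group-IB: re-read Latin
# keystrokes as the Cyrillic letters on the same keys (US QWERTY vs the
# Russian JCUKEN layout), the pattern the article reports for Silence Trojan
# commands, and flag such tokens in strings(1)-style output.

# Key-for-key correspondence of the three letter rows, including the
# punctuation keys that carry Cyrillic letters in the Russian layout.
QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,./"
JCUKEN = "йцукенгшщзхъфывапролджэячсмитьбю."

def _build_table() -> dict:
    table = {}
    for latin, cyr in zip(QWERTY, JCUKEN):
        table[ord(latin)] = cyr
        if latin.isalpha():  # punctuation keys have no uppercase form
            table[ord(latin.upper())] = cyr.upper()
    return table

_TABLE = _build_table()

# Command words the article lists, after decoding, and their meaning.
KNOWN_COMMANDS = {"реконнект": "reconnect", "рестарт": "restart",
                  "нетзаданий": "notasks"}
CYR_VOWELS = set("аеёиоуыэюя")
LAT_VOWELS = set("aeiou")

def jcuken_decode(text: str) -> str:
    return text.translate(_TABLE)

def _vowel_ratio(word: str, vowels: set) -> float:
    return sum(c in vowels for c in word) / len(word) if word else 0.0

def looks_layout_shifted(token: str) -> bool:
    """Heuristic (assumed thresholds): the Latin form is nearly vowel-free,
    while its Cyrillic reading has a normal Russian share of vowels."""
    if len(token) < 4 or not token.isascii() or not token.isalpha():
        return False
    latin = token.lower()
    return (_vowel_ratio(latin, LAT_VOWELS) < 0.2
            and _vowel_ratio(jcuken_decode(latin), CYR_VOWELS) >= 0.25)

def triage(lines: list) -> list:
    """Return (token, decoded, meaning) for every token that decodes to a
    known Silence command or looks layout-shifted; meaning is None if unknown."""
    hits = []
    for line in lines:
        for token in line.split():
            decoded = jcuken_decode(token.lower())
            if decoded in KNOWN_COMMANDS or looks_layout_shifted(token):
                hits.append((token, decoded, KNOWN_COMMANDS.get(decoded)))
    return hits

if __name__ == "__main__":
    # Constructed sample lines, not taken from a real Silence sample.
    for hit in triage(["htrjyytrn htcnfhn", "ytnpflfybq GetProcAddress cmd.exe"]):
        print(hit)
```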

Goals

Successful Silence attacks are limited to the CIS countries and Eastern Europe, and the main targets are in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan. However, isolated phishing emails were also sent to bank employees in more than 25 countries of Central and Western Europe, Africa and Asia: Kyrgyzstan, Armenia, Georgia, Serbia, Germany, Latvia, Czech Republic, Romania, Kenya, Israel, Cyprus, Greece, Turkey, Taiwan, Malaysia, Switzerland, Vietnam, Austria, Uzbekistan, Great Britain, Hong Kong and others.

The chronology of Silence attacks is as follows:

  • July 2016: an unsuccessful attempt to withdraw money through AWP KBR, the Russian interbank transfer system. The attackers gained access to the system, but the attack failed because the payment order was prepared incorrectly. The bank stopped the suspicious transaction and responded on its own, trying to clean up the consequences of the attack. This led to a new incident.
  • August 2016: a new attempt to hack the same bank. Just a month after the failure with the AWP KBR workstation, the hackers regained access to the bank's servers and made a second attempt. To do so, they downloaded a program that secretly captured screenshots of the user's screen and began studying the operators' work through the resulting pseudo-video stream. This time the bank brought in Group-IB experts to respond to the incident. The attack was thwarted. However, the full chronology of the incident could not be restored, because while trying to clean the network on its own, the bank's IT service deleted most of the traces of the attackers' activity.
  • October 2017: the first known successful withdrawal of money by this group. This time Silence attacked ATMs, and in one night managed to steal 7,000,000 rubles. That same year they carried out DDoS attacks using a Perl IRC bot, controlling the Trojans through public IRC chats. After the unsuccessful attack through the interbank transfer system in 2016, the criminals no longer tried to withdraw money through it, even when they had access to the AWP KBR servers.
  • February 2018: a successful attack through card processing. Over a weekend, the attackers managed to withdraw 35,000,000 rubles from cards through the ATMs of a partner bank.
  • April 2018: within two months the group returned to its earlier scheme and withdrew money through ATMs, managing to "cash out" about 10,000,000 rubles in one night. By this time the programs created by Silence had been improved: unnecessary functions and earlier errors had been removed.

Tools and infrastructure

According to Group-IB, during the first operations, Silence hackers used other people's tools and learned literally as the attack progressed. However, over time, they moved from using other people's tools to developing their own and greatly improved their tactics.

In their first operations, the cybercriminals patched someone else's little-used Kikothac backdoor. They chose a Trojan known since November 2015, for which reversing the client and implementing the server side did not take much time. The use of someone else's backdoor suggests that the group began work without prior preparation, and that the first operations were only an attempt to test their strength.

Later, criminals developed a unique set of tools for attacks on card processing and ATMs, which includes self-written programs:

  • Silence is a framework for attacking infrastructure.
  • Atmosphere is a set of programs for “gutting” ATMs.
  • Farse is a utility for obtaining passwords from an infected computer.
  • Cleaner is a tool for removing remote connection logs.

Borrowed tools:

  • Smokebot is a bot for carrying out the first stage of infection.
  • A modified Perl IRC DDoS bot based on the Undernet DDoS bot to carry out DDoS attacks.

The operator carries out attacks from a Linux machine using the WinExe utility (a Linux analogue of PsExec), which can launch programs on a remote host over the SMB protocol. Once established on a system, the Silence Trojan installs a Meterpreter stager on the infected machine. To access compromised computers, the cybercriminals use RAdmin, a program that in some banks is installed by the administrators themselves to manage workstations remotely.

The servers rented by attackers for carrying out phishing attacks are located in Russia and the Netherlands. For command centers, they use hosting services from Ukraine, which allows the placement of almost any content, including prohibited information, malicious applications and files. Also, several Silence servers were rented from MaxiDed, whose infrastructure was blocked by Europol in May 2018.

Initially, the group used hacked servers and compromised accounts to send phishing emails, but later the criminals began registering phishing domains and creating self-signed certificates for them.

To get past email filtering systems, they take advantage of how DKIM and SPF checks work: letters are sent on behalf of banks that do not have SPF configured, from rented servers with spoofed headers. The attackers composed complete, literate texts for the letters and sent them in the name of bank employees to increase the chance of the attack succeeding.

The email attachments contained exploits for Microsoft Office Word, packaged with decoy documents, for CVE-2017-0199, CVE-2017-11882 + CVE-2018-0802, CVE-2017-0262, as well as CVE-2018-8174. In addition to exploits, emails were sent with attached CHM files, which is quite rare, as well as with .LNK shortcuts that launch PowerShell scripts and JS scripts.

“Silence in many ways changes the idea of cybercrime: by the nature of the attacks, tools, tactics and even the composition of the group, it is obvious that behind these crimes are people who, in the recent past or present, are engaged in legal work - pentests and reverse engineering,” comments Dmitry Volkov, technical director and head of cyber intelligence at Group-IB. “They carefully study the activities of other cybercriminals, analyze reports from antivirus and Threat Intelligence companies, which does not prevent them from making many mistakes and learning right along the attack. A number of Silence tools are legitimate, others were developed by them themselves, taking on board the experience of other groups. While studying the activities of Silence, we assumed that this was most likely an example of whitehat becoming blackhat. The Internet, especially its underground part, opens up many opportunities for such metamorphoses; it is much easier to become a cybercriminal today than 5-7 years ago: you can rent servers, modify existing exploits, and use legal utilities. This makes the work of forensic experts much more difficult, but makes it much easier to take the path of a hacker.”

On October 13, it was announced that hackers had broken into the Twitter account of Hillary Clinton's campaign chief John Podesta and posted a call to vote for her Republican rival Donald Trump. Clinton's campaign had been attacked before: Russian hackers are believed to have been behind the hacking of its computer systems that summer.

On June 27, 2016, the hacker group OurMine hacked the Quora account of Google Inc. CEO Sundar Pichai. It is also assumed that on September 13 it was Russian hackers who broke into the computer systems of the World Anti-Doping Agency (WADA). From the information obtained, the world learned that American athletes had taken doping with doctors' permission. To date, the latest known attack is the hacking of the Russian Foreign Ministry website on October 23. The hacker who defaced the site wrote: “Quit it.”

There are a huge number of hackers who use their deep knowledge of computer systems for completely different purposes. For example, in 2014, hackers from the Lizard Squad attacked Microsoft and Sony, which prevented millions of players from playing their games online.

Other hackers steal databases of user account data, as happened in September 2014, when scammers stole the data of 500 million users from the Internet company Yahoo. Some hackers sit in their garages with laptops and steal bank card information for easy money, while others get paid and help employers protect themselves from other hackers.

One of the most famous hackers of our time, Edward Snowden, worked for the US National Security Agency and took part in a program to spy on millions of Americans. However, a sense of justice prevailed, and Snowden told the world about all the crimes of the NSA. Older hackers, tired of such a life, are engaged in consulting companies and ordinary people on computer security issues.

In 2010, it became known that hackers, allegedly American or Israeli, had introduced the Stuxnet virus into the computer networks of Iranian nuclear power plants and uranium enrichment plants. The virus sabotaged the operation of the centrifuges used to enrich uranium ore so that fuel for nuclear power plants could later be produced. Today, Iran is improving relations with the outside world and is going through the process of lifting economic sanctions. This is not least due to anonymous hackers on the government payroll. Here is a list of the world's most active hacker groups.

Bureau 121

There is very little information about the North Korean hacker group Bureau 121. It is known that these people are part of the North Korean army and carry out state tasks related to stealing and retrieving information, as well as protecting the country's computer systems from foreign hackers. North Korean hackers also attack other countries, in particular South Korea, where gaming services, government websites, leading companies, and banks come under attack.

It is assumed that specialists from Bureau 121 took part in attacks on the servers of the Japanese company Sony in November 2014.

The North Korean state is known to recruit young hackers at the North Korean University of Automation. The group consists of about 1,800 young people who operate around the world, including outside North Korea. The need to operate outside the country's borders is explained by North Korea's extremely weak information infrastructure.

Chaos Computer Club (CCC)

Chaos Computer Club is a very old hacker group. It was founded back in 1981 by German hackers. Today it is a very large network that unites mainly German-speaking hackers.

The group was the first to consult legal experts before its actions to make sure they were lawful.

This suggests that these people have their own specific code of conduct. Their legality strategy was partly what ensured the group's survival for such a long period of time. However, not everyone in this huge group acted entirely within the law, because the CCC is a largely disorganized group. CCC hackers became famous in the 1980s when they notified the Deutsche Bundespost (the former German postal company) that its computer systems were not secure enough, making them an easy target for early self-interested hackers. The Deutsche Bundespost arrogantly declared that everything was fine. CCC activists proved the provider wrong by stealing DM 134,000 from postal accounts. The money was returned the day after the attack.

Morpho

Morpho or "Wild Neutron" is a well-funded group of high-profile hackers who have carried out contracts for pharmaceutical, investment and technology companies since 2011.

However, they are not a government group because their activities usually involve stealing insider information for money.

The structure of Morpho is very interesting. Morpho includes many small groups that use high-end software and technology. Their networks are dispersed, they use Bitcoin to pay their hosting provider, and they use many complex virtual machines.

Syrian Electronic Army

The Syrian Electronic Army (SEA) is a group of hackers that sympathizes with the Syrian government and is also associated with Iran and the terrorist group Hezbollah. Often their attacks are aimed at sabotaging Western media. SEA hackers also use their knowledge to search for rebels and opposition forces.

SEA specialists are very inventive. For example, with one tweet they sent from President Obama's Twitter account, they briefly brought down the Dow Jones index on the New York Stock Exchange.

The hackers wrote that President Barack Obama had been injured in a bomb explosion at the White House. The SEA also tweeted from the BBC account that Saudi weather stations had been damaged by a collision with a camel. Computer security experts speculate that the SEA hackers may be from Iran, as they are well versed in colloquial English and humor. Apparently all Iranians are well versed in these matters, if experts draw such conclusions.

Anonymous

Anonymous is the most famous group of hackers on the Internet, made up mostly of Americans. The organization began on the 4chan forum in 2003 and has since grown into a fairly serious force on the Internet. As a universal symbol, they use the stylized image of the English historical figure Guy Fawkes, as imagined by the creators of the comic book “V for Vendetta.” The structure of Anonymous is decentralized: the organization did not stop its work and attacks even when many participants were arrested. Many of Anonymous's actions have been liberal or anti-state. Its activists advocate the abolition of government control of the Internet and of censorship.

Anonymous's most famous actions are related to the fight against child pornography and the Church of Scientology.

Anonymous has no leader, it is a collective mind. This is due to the fact that one single person is the weak link in any system, and it is especially dangerous if this person gives in. Because of his ego, vanity and self-interest, many may suffer. Anonymous is first and foremost an idea. This idea has allowed this organization to exist for so long.

Tarkh Andishan

Tarkh Andishan is the Iranian government's response to the Stuxnet virus attack. After this incident, the Iranian state realized the real danger of cyber threats and decided to modernize the Iranian network shield. Modernization took two paths: a network fighting unit called Tarkh Andishan was created, as well as Ajax, which was formed from existing hacker activists in the country. The most famous action of the Ajax group was called “Operation Saffron,” in which hackers tried to gain access to sensitive American defense industry data through a phishing attack.

Tarkh Andishan, in the minds of ordinary people, are extremely dangerous terrorists, since they, like action movie heroes, have gained access to terminal gate control systems at airports in South Korea, Pakistan and Saudi Arabia.

This attack allowed them to deceive airport security systems by replacing people's personal data. Tarkh Andishan hackers also hacked industrial facilities of oil and gas companies and the telecommunications infrastructure of various organizations.

Dragonfly

Dragonfly is a state-sponsored group of hackers from Russia and Eastern Europe. Its main targets are electrical grids, the energy industry, and the command systems of European and US states. Dragonfly is designated as an always-active threat. Dragonfly activists inserted Trojan horses into legitimately distributed software for industrial control systems, which is very similar to the Stuxnet virus. This malware can disrupt the operation of many industrial and infrastructure facilities, which makes the Dragonfly group an extremely dangerous enemy.

APT28 / Fancy Bear / Sofacy / Pawn Storm / Sednit

A group of hackers that, according to experts, operates primarily from the Russian time zone at the behest of the Russian government. The organization's goals are of interest to Russia, and its hackers use very modern, high-quality methods, as the recent hack of WADA proved. At various times the hackers have broken into the systems of NATO, the Polish government, various Georgian ministries and the computer systems of the OSCE. It is noteworthy that the hackers are active in territories where US extradition treaties do not apply.
2024 gtavrl.ru.