Picture: 123RF/WBRAGA
Picture: 123RF/WBRAGA

Russian IT security company Kaspersky Labs warns that the infamous Silence Hacking Group has been targeting banks in Sub-Saharan Africa since the beginning of the year with malware designed to steal millions of dollars through seizing control of ATMs.

Kaspersky says the Silence group, understood to be Russian or include Russian-speaking individuals, is one of the most active “advanced persistent threat” actors on the world stage. The organisation, which comprises roughly 10 individuals, has carried out a number of successful campaigns targeting banks and financial organisations around the globe since 2016.

“Our security solutions have been sending us several thousand notifications a day about these samples on the systems of banks in multiple countries in the region, some of which are really big,” says Sergey Golovanov, a security researcher with Kaspersky based in Moscow, who spoke to Business Day on Monday after a warning the company published.

Some of SA’s largest banks, such as Absa and Standard Bank, have substantial operations on the continent.

Absa said it has “not noted any incidents that we can identify as originating from the group/s mentioned in the statement. Criminals constantly attempt to gain access to bank systems. Absa is confident that we have robust systems and strategies in place to protect assets.”

Golovanov said Kaspersky was “not exactly sure how the malware is getting on to the systems, but it can be done in multiple ways, one of which is via phishing campaigns. The malware then seeks to move between computers and is designed to locate servers that are not connected to the internet.”

Phishing campaigns typically involve e-mails sent to staff at banks asking them to click on links, which then deliver the software virus, referred to as malware, to the individual computer. The malware monitors the computer and victim organisation’s systems often by capturing screenshots and making video recordings of day-to-day activity before attempting to move between machines, with the ultimate goal of stealing administration credentials for servers that are not online.

These servers are usually dedicated resources of the banking system that are critical to operations. In the case of ATMs, many banks use Linux systems to administer them. The malware targets servers that send updates and content to the ATMs and in due course infects specific ATMs.

The last leg of the crime entails money withdrawals at ATMs by individuals, or “mules”, at specific times.

“They do not have cards or PINs, they just need to be in the right place at the right time,” says Golovanov, who says the malware often leads to the ATM dispensing all of the cash it holds in 10-15 minutes.

The amount of money that can be stolen depends on how many mules are used. Past experience has shown that 15 mules could access as many as a hundred ATMs in a couple of hours.

Despite IT professionals constantly detecting and destroying malware on bank infrastructure, Golovanov says the Silence is persistent, and extra care needs to be taken by changing passwords.

“They are like predators, they smell the blood and will come back until they rob it.”