Ransomware suspicions indicate a change in ‘modus operandi’ by Silence and TA505

Russian cybergangs have launched attacks against the manufacturing sector

A notorious group of Russian-speaking cybercriminals have broadened their horizons beyond local banks and financial institutions to target manufacturing firms in western Europe.

At least two companies operating in pharmaceutical and manufacturing sectors in Germany and Belgium fell victim to cyber-attacks traced back to the financially motivated Silence and TA505 groups, according to threat intel firm Group-IB.

“The choice of the targets [is] untypical for Silence [which] could mean that this was either a ransomware attack or these companies were compromised as part of a complex supply chain attack,” according to Group-IB.

The attacks were carried out in late January 2020. Group-IB has immediately contacted the (unnamed) victims upon discovery.

After weeks of analysis Group-IB went public with its findings on Friday, March 27.

Block and tackle

Group-IB told The Daily Swig that it was able to block the attack before it came to a successful conclusion.

“As soon as we discovered the ongoing attack and identified the victims, we immediately contacted them before the attackers moved to the final phase,” Rustam Mirkasymov, head of the dynamic malware analysis department at Group-IB, explained.

“So, no ransomware traces were detected. But based on the choice of the targets, we’ve made an assumption that ransomware installation was likely their goal.”

“The fact that tools used in the attacks are related to two financially-motivated threat actors contributes to the theory,” he added.

Mirkasymov went on to suggest that attacks are evidence of a change in “modus operandi” by the notorious group of cybercriminals.

“In order to establish the perpetrators with high confidence, incident response activities are required,” he said. “The use of ransomware is indeed very odd for Silence as well as the choice of the targets.

“If Silence are the ones to blame, this would indicate a significant shift in their modus operandi. TA505, whose custom packer was detected this time, were involved in ransomware attacks in the past,” Mirkasymov concluded.

Cybercriminal associates

Group-IB attributes the attacks to Silence and TA505 because of the use of packing utilities and malware previously deployed in historic attacks linked to the groups.

TA505 allegedly provided access to a compromised bank’s network to the Silence gang, one aspect of the close business relationship said to exist between the two groups.

The alleged connection between Silence and TA505 was described in Group-IB’s recent report Silence 2.0: Going Global.

RELATED ‘Expertise is clearly lacking’ – CEPOL boss on why the EU needed a cybercrime academy