Cyber Incident Victim: NCC Bank
Date: May 2019
Location: Bangladesh
Summary
A cyberattack targeting multiple banks in Bangladesh, including NCC Bank, resulted in at least $3 million stolen via unauthorized ATM transactions facilitated by remote-controlled cash dispensing. The attack was attributed to the Silence group, a financially motivated threat actor with Russian-speaking operatives, which used malware families such as Silence.Downloader and Silence.ProxyBot to compromise systems and communicate with a command-and-control server. While one bank confirmed financial losses, others reported thwarting the theft. Ukrainian money mules were arrested after withdrawing funds via ATMs manipulated by attackers, with evidence suggesting prolonged network compromise preceding the heist. The incident marked Silence's expansion beyond its previous focus on Russian targets.
Description
In May 2019, three Bangladeshi private banks—Dutch Bangla Bank Limited (DBBL), NCC Bank, and Prime Bank—were targeted in a coordinated cyberattack involving unauthorized ATM cash withdrawals totaling at least $3 million. The incident came to light when Visa, the payment solution provider, requested settlement payments for suspicious client transactions processed in Cyprus. While DBBL confirmed financial losses, NCC Bank and Prime Bank publicly stated they had thwarted the attackers' attempts, though the article does not specify technical or operational measures taken by these two institutions to prevent losses. On May 31, 2019, Ukrainian law enforcement arrested six individuals acting as money mules, including one captured on video withdrawing cash from an ATM while communicating via phone with a remote operator controlling the dispense mechanism. The mules executed withdrawals across nine ATMs, stealing approximately $19,000 before their apprehension.

Cybersecurity firm Group-IB attributed the attacks to the Silence hacking group, citing infrastructure overlaps and tactical consistencies with the group’s known operations. The attackers had maintained access to DBBL’s systems since at least February 2019, communicating with a command-and-control server at IP 103.11.138.198. Malware variants identified in the campaign included Silence.Downloader (TrueBot) for remote command execution, Silence.MainModule (MD5: fd133e977471a76de8a22ccb0d9815b2) for file exfiltration, and Silence.ProxyBot (MD5: 2fe01a04d6beef14555b2cf9a717615c) for traffic redirection. Attack methodologies involved either compromising the bank’s ATM network to deploy jackpotting malware (Atmosphere toolkit) or manipulating card processing systems to alter transaction limits—both techniques previously documented in Silence operations. The prolonged network access period aligned with the group’s pattern of conducting extended reconnaissance prior to executing financial theft. This incident marked Silence’s first known expansion beyond Russian targets, indicating an evolution in their geographic targeting strategy.
