French-speaking threat actor, codenamed OPERA1ER, is reported to have carried out over 30 successful attacks against banks, financial services, and telecommunication companies mainly in Africa between 2018 and 2022, pilfering a cool US$11-million and possibly causing damage estimated at US$30-million.

This is according to a new report released by Singapore-based cybersecurity firm Group-IB, in collaboration with researchers from Orange CERT Coordination Centre.

The report, OPERA1ER. Playing God without permission, compiled in 2021 while the threat actor remained active, said one of OPERA1ER’s attacks involved a vast network of 400 mule accounts for fraudulent money withdrawals.

Researchers from the Group-IB European Threat Intelligence Unit identified and reached out to 16 affected organisations so they could mitigate the threat and prevent further attacks by OPERA1ER.

According to Group-IB, OPERA1ER noticed its increasing interest in their activity and reacted by deleting their accounts and changing some TTPs (tactics, techniques and procedures) to cover their tracks.

Group-IB decided to suspend publishing the report and wait until the threat actor resurfaced again, which happened in 2022.

Smooth OPERA1ER

Digital forensics artefacts analysed by Group-IB and Orange following more than 30 successful intrusions of OPERA1ER between 2018 and 2022 helped to trace down affected organisations in Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo, Argentina.

Rustam Mirkasymov, Head of Cyber Threat Research at Group-IB Europe, said, “Detailed analysis of the gang’s recent attacks revealed an interesting pattern in their modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays. It correlates with the fact that they spend from 3 to 12 months from the initial access to money theft. It was established that the French-speaking hacker group could operate from Africa. The exact number of the gang members is unknown.”

No rush to cash in

(Image: Group-IB)

Group-IB added that a distinct feature of the group is the use of off-the-shelf open-source programs, malware freely available on the dark web, and popular red teaming frameworks, such as Metasploit and Cobalt Strike.

In at least two incidents in different banks, the attackers deployed Metasploit servers inside compromised infrastructure.

“Because the gang relies solely on public tools, they have to think outside the box: in one incident, analysed by Group-IB and Orange, OPERA1ER used an antivirus update server deployed in the infrastructure as a pivoting point,” Group-IB added.

Group-IB and Orange explained that OPERA1ER start their attacks with high-quality spear phishing emails targeting a specific team within an organisation. Most of their messages are written in French, ranging from fake notifications from government tax offices to hiring offers from BCEAO (The Central Bank of West African States).

“Under the guise of legitimate attachment, OPERA1ER distributes Remote Access Trojans, such as Netwire, bitrat, venomRAT, AgentTesla, Remcos, Neutrino, BlackNET, Venom RAT, as well as password sniffers and dumpers. After gaining access, OPERA1ER exfiltrate emails and internal documents to use them in further phishing attacks. They take time to study internal documentation carefully to better prepare for the cashing out stage, as most of OPERA1ER’s victims used a complex digital money platform,” the cybersecurity firm stated.

Three-tiered architecture

The platform has a three-tiered architecture of distinct accounts to allow different types of operations. To compromise these systems, OPERA1ER would require specific knowledge about key people involved in the process, protection mechanisms in place, and links between back-end platform operations and cash withdrawals. The gang could have obtained this knowledge directly from the insiders or themselves by slowly and carefully inching their way into the targeted systems.

Digital forensic findings indicate that OPERA1ER harvested credentials for three accounts with different access levels to perform fraudulent operations.

The threat actors targeted operator accounts that contained large amounts of money. Then using the stolen credentials transferred money into Channel User accounts and after that, moved the stolen funds into subscriber’s accounts which they control. Finally, the funds were withdrawn from the system in cash via a network of ATMs.

Other findings indicate that at least in two banks, OPERA1ER managed to get access to the SWIFT messaging interface software (presumably Alliance Access) running on the banks’ computers. The software is used to communicate the details of financial transactions.

Group-IB and Orange emphasised: “It is important to note that SWIFT was not compromised, but the attackers were able to break into the systems inside the banks where this software was installed.”

In one bank, the threat actor took control of an SMS server that could have been used to bypass anti-fraud or cash out money via payment or mobile banking systems. However, it is unknown whether the threat actor managed to steal money in any of those attacks.

Africa attractive target

Mirkasymov added that the pace of development across Africa is ramping up, and the continued investment in the region makes it an increasingly attractive target for cybercriminals.

“Organisations and companies in Africa, as is the case across the globe, need to take the growing threat of cyberattacks seriously, and look to invest in robust threat detection and response solutions. This is all the more relevant given that OPERA1ER successfully utilised an off-the-shelf toolkit. The use of open-source tools lowers the barrier of entry for cybercriminals, when it comes to the technical competencies required to launch a cyberattack. This means that other would-be cybercriminals can harness the same TTPs, potentially with devastating results.”

The Group-IB Europe boss said that in general, the African cyber security field is quite young and it’s fair to say that some organisations are not yet familiar with and fully prepared to face financially-motived persistent threats.

“We’ve seen that in their attacks on even big companies OPERA1ER relies on the exploitation of very old vulnerabilities discovered years ago. This may indicate that local victims’ cybersecurity maturity level is somewhat behind global benchmarks. Saying that, Group-IB is working closely with our African partners and the community in order to reduce the impact of such attacks and help businesses to increase their safety and protection level.”