Based on a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in recent years.
Group-IB has identified the threat actor as Opera1er. Others have previously investigated some of its activities, naming it Common Raven, Desktop-Group, and NXSMS.
The cybersecurity firm is aware of 30 successful attacks carried out between 2019 and 2021, with many of the victims being attacked multiple times.
The majority of the attacks targeted African banks, but victims also included financial services, mobile banking services, and telecommunications companies. Victims were discovered in 15 countries across Africa, Latin America, and Asia.
Group-IB has confirmed stealing $11 million from victims since 2019, but believes cybercriminals may have stolen more than $30 million. The typical Opera1er attack begins with a spear-phishing email sent to a small number of people within the targeted organisation. Access to domain controllers and banking back-office systems is the goal.
The hackers waited 3-12 months after gaining access to an organization's systems before stealing money. The cybercriminals used the banking infrastructure in the final phase of the operation to transfer money from bank customers to mule accounts, from which it was withdrawn at ATMs by money mules, typically on weekends and public holidays.
“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”
There does not appear to be any zero-day vulnerabilities or custom malware used by Opera1er. They have exploited old software flaws as well as widely available malware and tools. The majority of the attackers' emails were written in French, according to Group-analysis, IB's and their English and Russian are "quite poor."
