Cybercrime: OPERA1ER, a French-speaking hacker network extracts over $11 million from African banks

Cybercrime today represents an unprecedented challenge for banks in terms of information system security, business continuity and data protection. Cyber attacks pose a serious threat to banking institutions. Citing a report released by Group-IB, SocialNetLink reports that 30 banks were attacked between 2018 and 2022.

Titled OPERA1ER, the report on cyber attacks against financial institutions, mainly in Africa, reveals the fragility of some banking institutions. Group-IB, a world leader in cybersecurity headquartered in Singapore, examined OPERA1ER's actions in collaboration with CERT Orange researchers. OPERA1ER is in fact a network of financially motivated French-speaking hackers.

An 11 million dollar jackpot

The objective of this study, covered by SocialNetlink, is to explore the offensives in detail: "The gang, equipped only with 'ready-to-use' tools, has succeeded in more than 30 attacks against banks, financial services institutions and telecommunications operators mainly based in Africa between 2018 and 2022."

The report indicates that OPERA1ER's confirmed takings amount to at least 11 million dollars, according to estimates. According to the same source, one of OPERA1ER's attacks relied on a large network of 400 mule accounts opened to withdraw the money from this fraud. During this period, researchers from Group-IB's European Threat Intelligence unit identified and contacted 16 affected organizations to help them contain the threat and prevent future OPERA1ER attacks.

The hackers' modus operandi is to "use only public tools". For instance, OPERA1ER used an antivirus update server deployed in the attacked infrastructure as a pivot point (editor's note).

According to Group-IB, this report was finalized in 2021, a year in which the gang was still active. Alerted by Group-IB's growing interest in its activities, OPERA1ER began deleting its accounts and modifying its TTPs in order to cover its tracks. Group-IB decided to postpone the publication of this report, preferring to wait for the attacker to reappear, which happened in 2022. As a result, the report also contains the related indicators of compromise (IoCs) for the period 2019-2021.

Other evidence suggests that OPERA1ER was able, in at least two banks, to access the SWIFT messaging interface (presumably Alliance Access) running on the banks' computers. This software is used to communicate the details of financial transactions. Note that SWIFT itself was not compromised, although the attackers managed to break into the systems of the banks where the software was installed.

"In one of the banks, hackers took control of an SMS server, which could be used to bypass anti-fraud devices or to withdraw money via payment systems or mobile banking services. However, we do not know whether the attacker managed to steal money during these attacks," the report reads.

For the first time, Group-IB details all of OPERA1ER's tactics, techniques and procedures, as well as the tools and kill chain identified during the investigation of the gang's various incidents. Singapore-based Group-IB is a leading provider of solutions dedicated to cyber attack detection and prevention, online fraud identification, cybercrime investigation and intellectual property protection. The company's threat intelligence and research centers are spread across the Middle East (Dubai), Asia Pacific (Singapore) and Europe (Amsterdam).