A French-speaking cybercrime group pulled off a series of heists over the past four years, netting perhaps as much as $30 million from firms in Africa, Asia and Latin America.
Using a combination of high-quality spear phishing and off-the-shelf tools, the group has carried out more than 30 attacks targeting banks, financial services and telecommunications firms, according to research on the group’s activities published Thursday.
Dubbed “OPERA1ER,” the group works its way into various accounts, gains control of them and then moves money into accounts it controls, before cashing out primarily through ATM withdrawals, researchers with the cybersecurity firm Group-IB concluded in a report shared with CyberScoop.
As an example of the group’s sprawling operations, one of the attacks utilized what the report described as a “vast network of 400 mule accounts” — accounts controlled by money mules hired to cash out stolen funds.
The report’s findings offer a detailed look at the tools used by a criminal group to successfully steal millions of dollars from banks over a span of several years — highlighting worries from top financial leaders that cybercrime is one of the industry’s biggest threats. According to Rustam Mirkasymov, head of cyberthreat research at Group-IB Europe, OPERA1ER remains active.
Since 2007, there have been approximately 200 known cyber incidents targeting banks and financial institutions, with some of the more recent attacks targeting cryptocurrency exchanges, according to data compiled by the Carnegie Endowment for International Peace. Last year, Federal Reserve Chairman Jerome Powell warned that “cyber risk” represents a top threat to financial institutions.
OPERA1ER’s activities demonstrate the global nature of this risk. The group has successfully targeted banks and other institutions in at least 15 countries: Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo and Argentina, according to Group-IB’s findings.
The researchers began tracking the cybercrime group in 2019 after a series of targeted attacks on financial organizations in Africa, the researchers said. By the following year, the researchers were able to attribute the attacks to a single group. By 2021, the researchers were prepared to publish their findings on the group but held back, believing that the group noticed it was being watched and began trying to cover its tracks.
“At that moment we really risked losing them from our sight,” Group-IB wrote in their report. “To avoid being outfoxed this way, the Group-IB team decided to suspend publishing our report and wait until their deep-seated greediness will nudge them into coming out.”
In recent years, security researchers have tracked various aspects of the group’s activity. Starting in 2019, Tom Ueltschi, a Swiss security researcher, began publicly identifying information related to a group he called “DESKTOP-Group,” including email headers, malware hashes and command and control details. In 2020, the Dubai-based cybersecurity firm Rewterz shared hashes from a file used by a group it tracked as “Common Raven.” In 2021, SWIFT, the messaging system used by banks for international transactions, published a bulletin on activity connected to the group.
In August 2022, a Group-IB researcher identified a new Cobalt Strike server, an adversary emulation tool that is one of the many off-the-shelf tools used by OPERA1ER, that was linked to the group, which led the researchers to discover an additional five attacks across four countries that occurred after the initial research was completed. The August discovery led to updated information on domains and several new IP addresses tied to the group, along with fingerprints pointing to past OPERA1ER tools.
Thursday’s report, carried out together with researchers at French telecom giant Orange, ties together these various threads and provides a portrait of a group that has been attacking its victims since 2016, often hitting the same victims twice and using their infrastructure to attack other organizations.
The attackers would find their way into networks and wait between three and 12 months before stealing any money, using that time to identify key people within the financial organizations, to study the protections in place to prevent fraud, and to understand the back-end platform operations and cash withdrawals. The attackers netted at least $11 million from their attacks but may have made off with nearly three times that amount.
At at least two of the victim banks, the attackers successfully gained access to the banks’ SWIFT messaging interface, which communicate details of financial transactions. The researchers stress that SWIFT itself was not compromised in the attacks. A spokesperson for SWIFT’s did not immediately return a request for comment.
Group-IB’s European Threat Intelligence Unit identified and reached out to 16 affected organizations to mitigate the attacks and prevent further activity, the researchers said. “Group-IB has long-standing partnerships with law enforcement agencies, and we shared our findings with financial organizations, identified victims and all partners,” Mirkasymov said.