French hacker group stole USD 11 million in Africa


The French-speaking threat group, codenamed OPERA1ER, allegedly carried out more than 30 successful cyberattacks against banks, financial services and telecom companies in Africa between 2018 and 2022, stealing around USD 11 million and possibly causing damage estimated at USD 30 million.

That is according to a new report released by Singapore-based cybersecurity firm Group-IB in collaboration with researchers at the Orange CERT Coordination Centre.

The report, compiled in 2021 while the threat actor remained active, said that one of OPERA1ER's attacks involved a vast network of 400 mule accounts for fraudulent cash withdrawals.

Researchers from Group-IB's European Threat Intelligence Unit identified and contacted 16 affected organizations in order to mitigate the threat and prevent further attacks by OPERA1ER.

According to Group-IB, OPERA1ER noticed the growing interest in its activity and reacted by deleting its accounts and changing some of its TTPs (tactics, techniques and procedures) to cover its tracks.

“Detailed analysis of the gang's recent attacks revealed an interesting pattern in its modus operandi: OPERA1ER carries out attacks mainly during weekends or holidays. This correlates with the fact that they spend anywhere from 3 to 12 months from initial access to the money theft. It was established that the French-speaking hacking group could operate from Africa. The exact number of gang members is unknown,” said Rustam Mirkasymov, Head of Cyber Threat Research at Group-IB Europe.

(Image: Group-IB)

Group-IB added that a distinct characteristic of the criminal group is the use of off-the-shelf open source programs, malware freely available on the dark web, and popular red teaming frameworks such as Metasploit and Cobalt Strike.

Mirkasymov added that the pace of development across Africa is picking up and continued investment in the region makes it an increasingly attractive target for cybercriminals.

“Organisations and businesses in Africa, as is the case across the world, need to take the growing threat of cyber-attacks seriously and look to invest in robust threat detection and response solutions. This is all the more relevant because OPERA1ER successfully utilized a ready-to-use toolkit. Using open source tools lowers the barrier of entry for cybercriminals when it comes to the technical skills needed to launch a cyberattack. This means that other would-be cybercriminals can take advantage of the same TTPs, potentially with devastating results.”
