Updated on 2022-11-04: OPERA1ER group hits African banks for $30 million
Over the past decade, banks have not escaped the rising tide of increasingly sophisticated cyberattacks. Many have been breached and have lost billions of US dollars in serious intrusions, and the best-known threat actors behind successful bank heists include Carbanak and North Korea's Lazarus Group.
A common thread across recent major bank cyber-heists is that attackers first went after organizations in North America and Europe before shifting their targeting to Asia and Latin America. As banks in those regions have seriously upgraded their network defenses, threat actors are now turning their eyes toward Africa, a region that was left relatively unscathed in previous years.
According to a joint report published this week by security firm Group-IB and Orange's CERT team, a French-speaking cybercrime group tracked as OPERA1ER (also known as Common Raven or the DESKTOP-group) has been wreaking havoc across the continent for four years, from 2018 to 2021.
The researchers said they linked the group to 35 intrusions at organizations across 15 countries, with most of the attacks targeting African banks.
Group-IB and Orange researchers said that while the group relied on basic phishing emails and off-the-shelf remote access trojans (RATs) to gain an initial foothold in victims' networks, OPERA1ER exhibited both restraint and patience.
Some intrusions lasted months, as the group moved laterally across bank systems, observing and mapping the internal network topology before springing its attack.
Rustam Mirkasymov, Head of Group-IB's Threat Research in Europe, said the group typically waited until it had identified and compromised the bank systems that handle money transfers.
Once it reached those systems, the group worked with a network of around 400 money mules to orchestrate a coordinated transfer of funds from bank accounts to mule accounts; the mules then withdrew the stolen funds at ATMs in a coordinated cash-out before bank employees could react.
Mirkasymov said Group-IB has linked OPERA1ER intrusions to confirmed bank heists totaling $11 million, but the group is suspected of stealing more than $30 million, as not all incidents have been formally confirmed.
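The mule cash-out described above has a recognisable shape in a bank's own transaction logs: a burst of internal transfers into accounts that are then emptied at ATMs within hours of each other. The script below, an added example that is not code from the Group-IB or Orange report, flags accounts that withdraw most of a fresh credit at ATMs within a short delay and then groups those accounts when their cash-outs complete inside one time window. The ledger format, the thresholds (six-hour delay, 80 % of the credit withdrawn, three or more accounts within two hours) and the sample records are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not data from the report), one record per line:
# "timestamp,type,account,amount". Four mule accounts are credited in the
# small hours and emptied at ATMs within an hour; CUST-778 is a normal
# customer who withdraws a little cash days later; CUST-910 only withdraws.
SAMPLE_LEDGER = """\
2021-03-06T02:01:00,transfer_in,MULE-001,4800
2021-03-06T02:02:00,transfer_in,MULE-002,4900
2021-03-06T02:03:00,transfer_in,MULE-003,4700
2021-03-06T02:04:00,transfer_in,MULE-004,5000
2021-03-06T02:31:00,atm_withdrawal,MULE-001,2400
2021-03-06T02:36:00,atm_withdrawal,MULE-001,2400
2021-03-06T02:40:00,atm_withdrawal,MULE-002,4900
2021-03-06T02:45:00,atm_withdrawal,MULE-003,4700
2021-03-06T02:52:00,atm_withdrawal,MULE-004,2500
2021-03-06T02:58:00,atm_withdrawal,MULE-004,2500
2021-03-01T09:00:00,transfer_in,CUST-778,1200
2021-03-04T17:10:00,atm_withdrawal,CUST-778,200
2021-03-06T02:50:00,atm_withdrawal,CUST-910,100
"""


def parse_ledger(text):
    """Parse ledger lines into dicts and return them sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, kind, account, amount = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "type": kind,
            "account": account,
            "amount": float(amount),
        })
    return sorted(records, key=lambda r: r["ts"])


def find_fast_cashouts(records, max_delay=timedelta(hours=6), min_ratio=0.8):
    """Return {account: (credit_ts, last_withdrawal_ts, withdrawn)} for accounts
    that pull at least min_ratio of a fresh credit out of ATMs within max_delay.
    Thresholds are assumed values for the example, not figures from the report."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)
    flagged = {}
    for account, recs in by_account.items():
        for i, credit in enumerate(recs):
            if credit["type"] != "transfer_in":
                continue
            withdrawn, last_ts = 0.0, None
            for later in recs[i + 1:]:
                if later["ts"] - credit["ts"] > max_delay:
                    break  # records are time-ordered, so nothing later qualifies
                if later["type"] == "atm_withdrawal":
                    withdrawn += later["amount"]
                    last_ts = later["ts"]
            if withdrawn >= min_ratio * credit["amount"]:
                flagged[account] = (credit["ts"], last_ts, withdrawn)
                break  # one qualifying credit is enough to flag the account
    return flagged


def cluster_cashouts(flagged, window=timedelta(hours=2), min_accounts=3):
    """Group flagged accounts whose final ATM withdrawal falls within `window`
    of the first one in the group; a group of min_accounts or more accounts is
    the coordinated cash-out pattern. Returns a list of sorted account lists."""
    events = sorted((last_ts, acct) for acct, (_, last_ts, _) in flagged.items())
    clusters, current = [], []
    for ts, acct in events:
        if current and ts - current[0][0] > window:
            clusters.append(current)
            current = []
        current.append((ts, acct))
    if current:
        clusters.append(current)
    return [sorted(a for _, a in c) for c in clusters if len(c) >= min_accounts]


def detect(text):
    """Run both stages over a ledger and return (flagged accounts, clusters)."""
    flagged = find_fast_cashouts(parse_ledger(text))
    return flagged, cluster_cashouts(flagged)


if __name__ == "__main__":
    flagged, clusters = detect(SAMPLE_LEDGER)
    for acct, (credit_ts, last_ts, amt) in sorted(flagged.items()):
        print(f"{acct}: credited {credit_ts:%H:%M}, {amt:.0f} withdrawn by {last_ts:%H:%M}")
    print("coordinated cash-out groups:", clusters)
```

On the sample ledger the four MULE accounts are flagged and grouped into one cluster, while CUST-778 (withdrawal days after the credit) and CUST-910 (no incoming transfer) are left alone. In a real deployment the same two-stage shape applies, but the thresholds should come from the bank's own baseline of credit-to-withdrawal delays, and the first stage should run as a streaming check so that a cluster can trip a hold on the remaining mule accounts while the cash-out is still in progress.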
Group-IB concluded that the French-speaking hacker group OPERA1ER has been targeting banks, telecoms and financial services in Asia, Latin America and Africa for the last four years. Read more: OPERA1ER: Playing god without permission