Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

French-Speaking Cybercrime Group Stole Millions From Banks

A French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in the past years, according to a new report published by cybersecurity firm Group-IB.

A French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in the past years, according to a new report published by cybersecurity firm Group-IB.

The threat actor is tracked by Group-IB as Opera1er. Some of its activities were previously investigated by others, who have named it Common Raven, Desktop-Group, and NXSMS.

The cybersecurity company is aware of 30 successful attacks conducted between 2019 and 2021 — in many cases the same victim was attacked multiple times. Most of the attacks targeted African banks, but the list of victims also includes financial services, mobile banking services, and telecoms firms. Victims were spotted across 15 countries in Africa, Latin America and Asia.

Group-IB has confirmed the theft of $11 million from victims since 2019, but believes the cybercriminals could have made more than $30 million.

Opera1er attacks typically start with a spear-phishing email sent to a limited number of people within the targeted organization. The goal is to obtain access to domain controllers and banking back-office systems.

Once they gained access to an organization’s systems, the hackers waited for 3-12 months before actually stealing money. In the final phase of the operation, the cybercriminals used the banking infrastructure to transfer money from the bank’s customers to mule accounts, from where they would be withdrawn at ATMs by money mules, typically over weekends and public holidays.

“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”

Opera1er does not appear to rely on any zero-day vulnerabilities or custom malware. They have been leveraging old software flaws and widely available malware and tools.

Advertisement. Scroll to continue reading.

Group-IB’s analysis found that most of the attackers’ emails were written in French — the company’s researchers determined that their English and Russian is “quite poor”.

Based on the oldest domain registered by the group, Opera1er has been active since at least 2016.

Related: Millions Stolen From Russian, Indian Banks in SWIFT Attacks

Related: U.S Banks Required to Report Cyberattacks to Regulators Within 36 Hours

Related: France Breaks Up International ATM ‘Jackpotting’ Network

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

Chris Burger has been named Chief Information Security Officer at F5.

Bedrock Security has appointed George Gerchow as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.