A French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in the past years, according to a new report published by cybersecurity firm Group-IB.
The threat actor is tracked by Group-IB as Opera1er. Some of its activities were previously investigated by others, who have named it Common Raven, Desktop-Group, and NXSMS.
The cybersecurity company is aware of 30 successful attacks conducted between 2019 and 2021 — in many cases the same victim was attacked multiple times. Most of the attacks targeted African banks, but the list of victims also includes financial services, mobile banking services, and telecoms firms. Victims were spotted across 15 countries in Africa, Latin America and Asia.
Group-IB has confirmed the theft of $11 million from victims since 2019, but believes the cybercriminals could have made more than $30 million.
Opera1er attacks typically start with a spear-phishing email sent to a limited number of people within the targeted organization. The goal is to obtain access to domain controllers and banking back-office systems.
Once they gained access to an organization’s systems, the hackers waited for 3-12 months before actually stealing money. In the final phase of the operation, the cybercriminals used the banking infrastructure to transfer money from the bank’s customers to mule accounts, from where they would be withdrawn at ATMs by money mules, typically over weekends and public holidays.
“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”
Opera1er does not appear to rely on any zero-day vulnerabilities or custom malware. They have been leveraging old software flaws and widely available malware and tools.
Group-IB’s analysis found that most of the attackers’ emails were written in French — the company’s researchers determined that their English and Russian is “quite poor”.
Based on the oldest domain registered by the group, Opera1er has been active since at least 2016.
Related: Millions Stolen From Russian, Indian Banks in SWIFT Attacks
Related: U.S Banks Required to Report Cyberattacks to Regulators Within 36 Hours
Related: France Breaks Up International ATM ‘Jackpotting’ Network