French-speaking hackers steal at least $11M from banks

Threat actor dubbed OPERA1ER carried over 30 attacks, netting no less than $11 million from dozens of organizations.

OPERA1ER, a French-speaking threat actor uncovered by cybersecurity firm Group-IB, carried out dozens of successful attacks, primarily against banks, financial services, and telecommunication companies in Africa.

According to the researchers, the gang behind OPERA1ER stole at least $11M. However, the latter number is considered a conservative estimate as the amount of stolen wealth may be as high as $30M.

The attack operators have developed a vast network to withdraw stolen cash. For example, one attack involved a network of 400 mule accounts to facilitate fraudulent withdrawals.

The researchers discovered that OPERA1ER’s attacks started in 2018 and continued well into 2022. Affected organizations operate in Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo, and Argentina.

“Many of the victims identified were successfully attacked twice, and their infrastructure was then used to attack other organizations,” researchers said.

Off-the-shelf tools

Threat actors behind the operation used malware and hacking tools found on the dark web in tandem with red teaming software such as Cobalt Strike and Metasploit.

“Because the gang relies solely on public tools, they have to think outside the box: in one incident […] OPERA1ER used an antivirus update server deployed in the infrastructure as a pivoting point,” researchers said.

The hackers behind the operation are also in no rush. According to the report, threat actors infect the victim’s system for three months to a year before proceeding to the actual theft.

The time in systems is spent collecting internal documentation to use in further phishing attacks. Threat actors also studied how banks move money around to cash out stolen funds without ringing alarm bells.

Researchers claim that the operators extensively researched their victims, as most of them used a complex three-tiered digital money platform. To compromise those systems, the operators had to have extensive knowledge about key people and operations.

“The gang could have obtained this knowledge directly from the insiders or themselves by slowly and carefully inching their way into the targeted systems,” researchers said.