‘Cybercriminals stole $30M in multi-year international crime spree’

A French-speaking cybercrime ring is said to have hauled off $30 million from fifteen countries over five years.

The threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyberattacks aimed at banks, financial services and telecom companies across Africa, Asia, and Latin America between 2018 and 2022.

The group has made off with a confirmed haul of $11 million, and an estimated total fraud gain of $30 million, according to researchers at Group-IB. The gap between the two figures exists because many victim organizations have not confirmed that they were breached or how much they lost.

“Analysis of the attacks shows that most start with spear phishing emails carrying Remote Access Trojans (RATs) and other tools to collect user credentials”, the researchers wrote. “The spear phishing emails were highly targeted, with content tailored for specific audiences of as few as 18 people. The stolen credentials were used to gain administrator privileges on the domain controllers and the banking back-office systems.”

Using off-the-shelf tools and utilities

From initial access, dwell time ranged from three to twelve months, Group-IB says, with the theft carried out only at the end of that period. During this time the threat actor would study the victim’s network, often relying on well-known tools and publicly known vulnerabilities rather than custom malware.

Through analysis of the attacks, Group-IB found that OPERA1ER exploited vulnerabilities as old as three years, and in at least one case used an antivirus update server within the victim’s network as a pivot point to compromise other systems.

The final phase of the attack would often take place on a weekend, when monitoring and staffing are reduced. OPERA1ER would use the bank’s own infrastructure to fraudulently transfer money from customers’ accounts to mule accounts. Mules hired by OPERA1ER would then conduct ‘cash out’ operations, withdrawing the money from numerous ATMs.

The banks, telecom companies and other institutions hit during OPERA1ER’s cyber spree span at least fifteen countries: Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo and Argentina.