15 Nov Hacking group stole $11 million from 12 African countries between 2018 and 2022

A new report from Group-IB and Orange CERT revealed that 12 African countries lost millions of dollars to a hacking group between 2018 and 2022.

The threat actor, based in an unknown French. speaking country, mainly targeted Francophone Africa and was codenamed OPERA1ER . It managed to launch over 30 successful attacks against banks, financial services providers, and telecommunication companies between 2018 and 2022, stealing $11 million in the process. However, there are concerns the actual amount obtained could be up to five times higher.

Speaking to Quartz, Rustam Mirkasymov as head of cyber threat research at Group-IB’s European Threat Intelligence & Research Center said: “According to our calculations, the total amount of damage ranges from $30 million to $50 million. However, this could be even more.”

The affected countries are Côte d’Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, and Uganda. The threat group also targeted countries outside of Africa including Argentina, Bangladesh, and Paraguay.

OPERA1ER, which also goes by the names DESKTOP-group and Common Raven, can trace its roots back to 2016 when it registered its first domain. It conducts cyber-attacks over the weekends or during public holidays because according to Mirkasymov: “It is much more difficult to stop fraudulent transactions or stop an attack on these days. Even if someone detects an attempt to withdraw money, during the weekend it is not easy to stop them and get the money back.”

It’s believed OPERA1ER is a seasoned threat actor and once it noticed it was being traced, it deleted its accounts and changed its trails to cover its activity last year. However, it resurfaced this year to continue its cyber attacks.

Mirkasymov explained: “It correlates with the fact that they spend from three to 12 months from the initial access to money theft. The exact number of the gang members is unknown.”

OPERA1ER uses off-the-shelf open-source programs and freely available malware alongside popular red teaming frameworks such as Metasploit and Cobalt Strike to carry out its attacks. The report explained: “In at least two incidents in different banks, the attackers deployed Metasploit servers inside compromised infrastructure. Because the gang relies solely on public tools, they have to think outside the box: in one incident, it used an antivirus update server deployed in the infrastructure as a pivoting point.”

In at least in two bank cases, OPERA1ER managed to get access to the global SWIFT messaging interface software running on the banks’ computers. Though SWIFT was not compromised in the process, it’s thought the attackers were able to break into the systems inside the banks where the software is installed. In 2018, hackers stole $6 million in an attack on the SWIFT system.

Africa as a nation is working on improving its cybersecurity defences, with The African Development Bank granted $2 million to the African Cybersecurity Resource Center (ACRC) for Financial Inclusion last year to tackle cybercrime. In August, Togo, in collaboration with the United Nations Economic Commission for Africa set up a cybersecurity monitoring center in Lome to serve the entire continent.