A gang of French-speaking hackers has stolen at least $11 million over several years of malicious operations, a figure that could exceed $30 million according to a joint investigation by Group-IB and Cert-Orange. From 2018 to 2022, the French-speaking criminal organization (also known as DESKTOP-GROUP, Common Raven and NXSMS) was highly active and dangerous, conducting more than 30 raids against banks, financial institutions and telecoms companies, primarily in Africa.
A sophisticated operation dating back to 2016
The criminal group known as Opera1er made headlines in 2019, but it clearly started operating back in 2016: the oldest domain linked to the group was registered that year. To attack their victims, the cybercriminals used sophisticated phishing emails, written mainly in French, that either carried malicious attachments or linked to Google Drive pages, Discord servers and compromised legitimate websites.
After gaining privileged access to their targets, the cybercriminals used remote access tools such as AnyDesk to take control of specific computers, or connected to the information system through a virtual private network. They then focused on accounts holding large amounts of money. The funds were transferred to the accounts of “mules” before being withdrawn from ATMs.
According to investigators, over 400 mules took part in one cash-withdrawal operation completed in a single evening. Their assessment suggests that preparing a cyber raid could take around six to twelve months, while recruiting the mules could take between one and three months. Group-IB and Cert-Orange analysts therefore concluded that the attack was “extremely sophisticated, organized, coordinated, and planned out over an extended period of time”.
Attacking Western African Banks and Telcos
The criminal gang’s arsenal did not include any 0-day vulnerability. They exploited vulnerabilities that had been disclosed a few years earlier, which should have been long enough for the victims to patch them. Proper patch management and risk-based vulnerability management would have made the criminals’ job far more difficult.
Opera1er (Common Raven) has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments. Businesses located in Western Africa, mainly financial institutions and telecoms companies, have suffered the majority of the attacks, with the exception of a few incidents in Argentina, Paraguay, Bangladesh and Uganda.
In 2020, Rewterz, a cybersecurity company from Dubai, published Indicators of Compromise (IoC) related to a group called “Common Raven”. A year later, SWIFT, the messaging system used by banks for global payments, issued an announcement regarding the actions of this group.
In August 2022, a Group-IB analyst identified a recently set up Cobalt Strike server, a tool OPERA1ER often uses. This discovery led the researchers to detect five more attacks in four countries, all of which took place after the initial research had been completed. Following the August discovery, the researchers also obtained an updated list of domains, fresh elements tied to the group, and evidence of earlier OPERA1ER tools.
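The published indicators and domain lists mentioned above are only useful to defenders if they are actually checked against traffic. The following script is an added example, not code from the Group-IB or Cert-Orange report, and the indicator domains and proxy log lines in it are constructed placeholders rather than real OPERA1ER infrastructure. It extracts the destination host from each log line (handling both full URLs and CONNECT `host:port` targets), matches it against the indicator set including parent-domain matches, and skips lines that do not fit the expected format.

```python
"""Match domain indicators against proxy log lines.

Added example (not from the Group-IB / Cert-Orange report). The indicator
list and the log lines below are constructed placeholders, not real
OPERA1ER infrastructure.
"""
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators standing in for a published domain list.
IOC_DOMAINS = {
    "placeholder-c2-one.example",
    "placeholder-staging.example",
}

# Constructed log lines in a simple "<ts> <src-ip> <method> <target> <status>" form.
SAMPLE_LOG = """\
2022-08-15T10:22:01Z 10.0.0.5 GET http://placeholder-c2-one.example/beacon 200
2022-08-15T10:22:07Z 10.0.0.5 GET https://cdn.placeholder-staging.example/upd.bin 200
2022-08-15T10:23:44Z 10.0.0.9 GET https://www.example.org/ 200
2022-08-15T10:24:10Z 10.0.0.7 CONNECT placeholder-c2-one.example:443 200
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_from_target(target: str) -> str:
    """Extract the hostname from a URL or from a CONNECT 'host:port' target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def matching_ioc(host: str, iocs=IOC_DOMAINS):
    """Return the indicator matching host exactly or as a parent domain, else None."""
    labels = host.split(".")
    # Walk from the full host up to its parents (a.b.c -> b.c), never to the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(text: str, iocs=IOC_DOMAINS):
    """Return a (timestamp, src_ip, host, matched_ioc) tuple for each hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, _method, target, _status = m.groups()
        host = host_from_target(target)
        ioc = matching_ioc(host, iocs)
        if ioc:
            hits.append((ts, src, host, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the constructed sample, the script reports three hits from two internal hosts; the subdomain `cdn.placeholder-staging.example` is caught through its parent indicator, which matters because operators routinely rotate subdomains under the same registered domain.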
Cyber Threat in Africa
The African continent is full of possibilities when it comes to information and communication technologies, thanks to the large share of young people in its population. In 2020, 60% of Africans were under 25 years old, which is driving a surge in the use of new technologies. Whenever an economic difficulty arises, creative solutions are often proposed to deal with it.
Unfortunately, some of those answers fall outside the boundaries of the law. Low access to banking services in Africa has led to the invention of new financial services such as mobile banking, but it has also caused the emergence of new forms of scam built on these technologies.
Analysts have forecast that the digital economy in Africa will generate annual revenue of $180 billion by 2025, but inadequate efforts to tackle cybercrime might impede this expansion. In October 2021, Interpol released a cyberthreat assessment of Africa, while Amnesty International warned about foreign targeted surveillance of the population.
The top five cyber threats for Africa are online scams, digital extortion, Business Email Compromise, botnets and ransomware. The economic and geopolitical context of the continent also makes it a privileged target for advanced cyberespionage operations.
We must not let cybercrime hinder the social and economic development of the African continent. Establishing good hygiene practices and preventive cyber risk management from the start will help individuals and companies stay secure online.