A French cybercrime gang is believed to have stolen up to $30m from banks in countries across Africa and South America since it began operating in 2016. The hacking group, Opera1er, has drained accounts from financial institutions in at least 15 countries, new research has revealed.
The research from cybersecurity vendor Group IB reveals the hacking group has made a confirmed $11m since 2019. However, the researchers say in their report that the illicit funds may have topped $30m.
French cybercriminals Opera1er target banks
The main victims are financial services, banks, mobile banking services and telecoms companies. Thirteen countries in Africa suffered attacks on their services, followed by two in South America and one in Bangladesh.
The attacks begin with spear-phishing emails, designed to mine data on their victims. The list of targets is created with precision, aimed at specific teams within the companies, Group IB says.
The attacks themselves do not rely on sophisticated tools or zero-day vulnerabilities. The hackers instead favour open-source tools and free remote access trojans (RATs) available on the dark web.
In at least two banks, Opera1er gained access to the SWIFT banking system, which is used to make international money transfers. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems,” states the report.
How did Opera1er access the money?
Once the hackers gained access to a system, they mined the credentials of key operators with authority to approve the movement of digital money within that system.
The gang targets accounts that hold large sums of money and uses the stolen operator credentials to move that money into user accounts under its control. The money is then sent on to “mule” subscriber accounts that the gang also controls, ultimately arriving in accounts from which it can be withdrawn in cash at an ATM.
To carry out this attack quickly, the gang specifically targets the “operator accounts” belonging to people in positions of responsibility. This explains why the spear-phishing campaigns were so painstakingly targeted, Group IB’s researchers explain. Mail subjects in the phishing campaigns are crafted with knowledge of the targets’ jobs, using headings such as “notification from government tax office” or “hiring offers from the BCEAO”. BCEAO is the central bank of the West African states.
In one case, a network of more than 400 mule subscriber accounts was used to quickly cash out stolen funds via ATMs. The mules for the operation were recruited up to three months in advance. Some of the mule accounts were opened by the gang and its affiliates, while others appear to have been opened by members of the public, left dormant for some time, and then reactivated by the gang.
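The cash-out chain described in the preceding paragraphs (a compromised operator account approving a burst of transfers to many subscriber accounts, some of them long dormant, followed by rapid ATM withdrawals) has two signals a bank's fraud team can look for. The following is an added illustration, not code from the Group IB report or from any bank: it runs two detections over a constructed ledger. The ledger rows, account names (`op-17`, `corp-A`, `sub-0` and so on), the reference time and the thresholds (`window`, `max_distinct_dst`, `dormant_days`, `cashout_within`) are all assumptions chosen for the example.

```python
"""Two detections for the operator-fan-out / dormant-mule cash-out pattern.
All accounts, timestamps and amounts below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Txn:
    ts: datetime
    kind: str                 # "transfer" (operator-approved) or "atm" (cash withdrawal)
    operator: Optional[str]   # operator account that approved the transfer; None for ATM
    src: str                  # debited account
    dst: Optional[str]        # credited account; None for ATM withdrawals
    amount: float


T0 = datetime(2022, 10, 3, 1, 0)   # constructed reference time (off-hours approval)

# Constructed ledger: operator op-17 approves six transfers in under 30 minutes
# from two corporate accounts to six different subscriber accounts; four of
# those subscriber accounts are then emptied at ATMs a few hours later.
LEDGER: List[Txn] = [
    Txn(T0 + timedelta(minutes=5 * i), "transfer", "op-17",
        "corp-A" if i % 2 == 0 else "corp-B", f"sub-{i}", 4_800.0)
    for i in range(6)
] + [
    Txn(T0 + timedelta(hours=3, minutes=10 * i), "atm", None, f"sub-{i}", None, 4_800.0)
    for i in range(4)
] + [
    # Benign controls: one ordinary payroll transfer and one small ATM withdrawal.
    Txn(T0 + timedelta(hours=9), "transfer", "op-02", "corp-A", "sub-payroll", 1_200.0),
    Txn(T0 + timedelta(hours=10), "atm", None, "sub-active", None, 60.0),
]

# Constructed account metadata: timestamp of each account's last activity before T0.
LAST_ACTIVITY: Dict[str, datetime] = {
    **{f"sub-{i}": T0 - timedelta(days=200) for i in range(6)},   # idle ~200 days
    "sub-payroll": T0 - timedelta(days=2),
    "sub-active": T0 - timedelta(days=1),
}


def fan_out_alerts(ledger, window=timedelta(hours=2), max_distinct_dst=4):
    """Flag operators whose approved transfers reach more than `max_distinct_dst`
    distinct destination accounts inside any sliding window of length `window`.
    Returns (operator, distinct destinations, total amount) per flagged operator."""
    per_op = defaultdict(list)
    for t in sorted(ledger, key=lambda t: t.ts):
        if t.kind == "transfer":
            per_op[t.operator].append(t)
    alerts = []
    for op, txns in per_op.items():
        start = 0
        for end in range(len(txns)):
            while txns[end].ts - txns[start].ts > window:   # shrink window from the left
                start += 1
            batch = txns[start:end + 1]
            if len({t.dst for t in batch}) > max_distinct_dst:
                alerts.append((op, len({t.dst for t in batch}), sum(t.amount for t in batch)))
                break   # one alert per operator is enough for triage
    return alerts


def dormant_cashout_alerts(ledger, last_activity, dormant_days=90,
                           cashout_within=timedelta(hours=24)):
    """Flag credits to accounts idle for more than `dormant_days` that are followed
    by an ATM withdrawal from the same account within `cashout_within`.
    Returns (account, approving operator, idle days, withdrawn amount) per hit."""
    txns = sorted(ledger, key=lambda t: t.ts)
    alerts = []
    for credit in txns:
        if credit.kind != "transfer":
            continue
        idle = credit.ts - last_activity.get(credit.dst, credit.ts)   # unknown -> not idle
        if idle < timedelta(days=dormant_days):
            continue
        for w in txns:
            if (w.kind == "atm" and w.src == credit.dst
                    and credit.ts <= w.ts <= credit.ts + cashout_within):
                alerts.append((credit.dst, credit.operator, idle.days, w.amount))
                break
    return alerts


if __name__ == "__main__":
    for a in fan_out_alerts(LEDGER):
        print("fan-out:", a)
    for a in dormant_cashout_alerts(LEDGER, LAST_ACTIVITY):
        print("dormant cash-out:", a)
```

The two detections are deliberately independent: the fan-out rule fires on the operator side before any cash leaves an ATM, while the dormant-account rule catches mules even when the approving operator's volume stays under the fan-out threshold. In practice both would be correlated with the operator's session data (new device, off-hours login) and run on live transaction streams rather than a sorted batch.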
Cybercrime and the financial industry
The financial sector is the fifth most likely to be attacked, according to new cybercrime data released by the EU’s cybersecurity agency, the European Union Agency for Cybersecurity (ENISA).
During the reporting period, financial institutions were among the organisations most often impersonated by phishers, the report explains. Phishing is a popular method of breaking into banking services, followed by ransom denial of service (RDoS) and double and triple extortion tactics.
The Bank of England cited cyberattacks as the biggest risk to the UK financial system in research it released last month. Seventy-four per cent of respondents to a survey of banking executives from across the UK said that, in both the short and long term, a cyberattack was the most severe risk they faced, followed by inflation or a geopolitical incident.