A suspected senior member of the hacker group OPERA1ER has been arrested in Operation Nervone conducted jointly by multiple international law enforcement agencies, Interpol said in a press note.
“Following extensive cooperation, Interpol, Afripol, Group-IB and Côte d’Ivoire’s Direction de l’Information et des Traces Technologiques (DITT) are announcing the arrest of a suspected senior member of the group, dealing a significant blow to their criminal activities,” Interpol said.
OPERA1ER — also known as NX$M$, DESKTOP Group and Common Raven — has been operational for over four years. It is a highly organised criminal organisation that has targeted financial institutions and mobile banking services with malware, phishing campaigns and large-scale business email compromise (BEC) scams.
“The group is believed to have stolen an estimated [US]$11 million — potentially as much as [US]$30 million — in more than 30 attacks across 15 countries in Africa, Asia and Latin America,” Interpol said.
Operation Nervone was backed by two key Interpol initiatives: the African Joint Operation against Cybercrime and the Interpol Support Programme for the African Union in relation to Afripol, funded respectively by the United Kingdom’s Foreign, Commonwealth & Development Office and Germany’s Federal Foreign Office.
“In early June, authorities in Côte d’Ivoire were able to arrest a key suspect linked to attacks against financial institutions across Africa,” Interpol said in its release.
Researchers at Group-IB first identified the group’s illicit email campaigns in 2018, when they recognised spear phishing operations responsible for spreading malware such as remote access tools.
Additional information that helped with the investigation was shared by the Criminal Investigative Division of the United States Secret Service and cyber security researchers from Booz Allen Hamilton DarkLabs.
The hacker group OPERA1ER
OPERA1ER is a French-speaking, financially motivated hacker group, according to Group-IB. The cyber security firm was able to identify at least 30 attacks carried out by OPERA1ER between 2019 and 2021. The group successfully compromised payment and internet banking systems in all these attacks.
In at least two banks, OPERA1ER was able to access the SWIFT messaging interface, which is used to communicate the details of financial transactions.
The group used spear phishing emails as their initial attack vector. The emails contained links to Google Drive, Discord servers, compromised legitimate websites and malicious servers belonging to the threat actor. Most of the emails were written in French, though researchers also reported emails written in English. “Furthermore, this email targeted only 18 users in the same country all linked to financial services associated with the topic and some VIPs,” Group-IB said in the report.
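The initial access pattern described above (lure links hosted on Google Drive or Discord, or on servers the recipient's organisation has no relationship with, sent from outside to a cluster of staff at one institution) lends itself to simple mail-gateway triage. The script below is an added example, not code from the article, Interpol or Group-IB: it scores constructed sample messages against those indicators. The sample emails, host lists and the hypothetical `banque-exemple.test` organisation are all invented for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (invented for this example, not taken from the
# article or from Group-IB's report). Bodies carry the kinds of links the
# article names as lure hosting.
SAMPLE_EMAILS = [
    {
        "id": "msg-001",
        "sender": "direction@partenaire-finance.test",
        "recipients": [f"user{i}@banque-exemple.test" for i in range(18)],
        "body": "Bonjour, veuillez consulter la facture : "
                "https://drive.google.com/file/d/1AbCdEf/view?usp=sharing",
    },
    {
        "id": "msg-002",
        "sender": "support@gateway-vendor.test",
        "recipients": ["ops@banque-exemple.test"],
        "body": "Patch notes: https://cdn.discordapp.com/attachments/1/2/update.zip",
    },
    {
        "id": "msg-003",
        "sender": "hr@banque-exemple.test",
        "recipients": ["user3@banque-exemple.test"],
        "body": "Policy update: https://intranet.banque-exemple.test/policies/2023",
    },
]

# Hosts the (hypothetical) organisation trusts; anything else is "unknown".
ALLOWED_HOSTS = {"intranet.banque-exemple.test"}
# Link destinations the article names as lure hosting used by the group.
FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com"}
CHAT_CDN_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com"}
# Archive/script extensions that deserve extra weight wherever they are hosted.
RISKY_EXT = (".zip", ".rar", ".exe", ".js", ".vbs", ".jar", ".hta", ".iso")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def classify_host(host):
    """Bucket a link host into allowed / file-share / chat-cdn / unknown."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    if host in FILE_SHARE_HOSTS:
        return "file-share"
    if host in CHAT_CDN_HOSTS:
        return "chat-cdn"
    return "unknown"


def triage(email, mass_threshold=10):
    """Score one message; flagged when score >= 3."""
    score, reasons = 0, []
    for url in extract_urls(email["body"]):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        category = classify_host(host)
        if category in ("file-share", "chat-cdn"):
            score += 2
            reasons.append(f"{category} link: {host}")
        elif category == "unknown":
            score += 1
            reasons.append(f"unknown host: {host}")
        if parsed.path.lower().endswith(RISKY_EXT):
            score += 2
            reasons.append(f"risky file type: {parsed.path.rsplit('/', 1)[-1]}")
    # External sender fanning out to many recipients in one domain mirrors the
    # article's description of a lure aimed at 18 staff of one institution.
    rcpt_domains = {r.split("@")[-1].lower() for r in email["recipients"]}
    sender_domain = email["sender"].split("@")[-1].lower()
    if (len(email["recipients"]) >= mass_threshold
            and len(rcpt_domains) == 1 and sender_domain not in rcpt_domains):
        score += 2
        reasons.append(f"external sender to {len(email['recipients'])} "
                       f"recipients in {next(iter(rcpt_domains))}")
    return {"id": email["id"], "score": score, "flagged": score >= 3,
            "reasons": reasons}


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(triage(msg))
```

The weights are arbitrary starting points; in practice the allowlist would come from the organisation's own partner and vendor domains, and a file-sharing link from a known partner should score lower than the same link from a first-seen sender.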
The group used multiple payloads, including NanoCore, H-Worm (Houdini Worm), WSH Rat, Remcos, Adwind and QNodeJS, between 2019 and 2020.
“Once an initial RAT is deployed, operators analyse compromised machines. When a machine of interest is infected, Metasploit Meterpreter or Cobalt Strike Beacon is downloaded and launched,” Group-IB said in the research, adding that a year typically passed between the initial intrusion and execution of the final payload.
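A Cobalt Strike Beacon or Meterpreter session that sits on a host for months, as the paragraph above describes, leaves a long trail of small, regularly spaced callbacks in proxy or firewall logs. The script below is an added example, not code from the article or Group-IB: it groups outbound connections by source and destination, computes the spread of the inter-connection intervals, and flags pairs whose intervals are numerous and nearly constant. The log lines, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (invented for this example): "ISO-timestamp src dst bytes".
# 10.0.5.21 calls 203.0.113.10 roughly every 60 s; 10.0.5.22 talks to
# 198.51.100.7 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2023-06-01T09:00:00 10.0.5.21 203.0.113.10 512
2023-06-01T09:01:02 10.0.5.21 203.0.113.10 498
2023-06-01T09:01:59 10.0.5.21 203.0.113.10 505
2023-06-01T09:03:01 10.0.5.21 203.0.113.10 511
2023-06-01T09:04:00 10.0.5.21 203.0.113.10 497
2023-06-01T09:04:58 10.0.5.21 203.0.113.10 502
2023-06-01T09:06:01 10.0.5.21 203.0.113.10 509
2023-06-01T09:07:00 10.0.5.21 203.0.113.10 500
2023-06-01T09:08:02 10.0.5.21 203.0.113.10 503
2023-06-01T09:08:59 10.0.5.21 203.0.113.10 499
2023-06-01T09:10:00 10.0.5.21 203.0.113.10 506
2023-06-01T09:11:01 10.0.5.21 203.0.113.10 501
2023-06-01T09:00:13 10.0.5.22 198.51.100.7 20480
2023-06-01T09:00:41 10.0.5.22 198.51.100.7 1200
2023-06-01T09:07:41 10.0.5.22 198.51.100.7 88000
2023-06-01T09:08:02 10.0.5.22 198.51.100.7 640
2023-06-01T09:30:05 10.0.5.22 198.51.100.7 15000
2023-06-01T09:30:09 10.0.5.22 198.51.100.7 300
2023-06-01T09:55:40 10.0.5.22 198.51.100.7 42000
2023-06-01T10:20:00 10.0.5.22 198.51.100.7 900
"""


def parse_log(text):
    """Group event timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(times):
    """Return (mean interval in seconds, coefficient of variation) for a flow."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    # A low coefficient of variation means the gaps are nearly identical.
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(text, min_events=8, max_cv=0.15):
    """Flag (src, dst) pairs with many callbacks at near-constant spacing."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        m, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "mean_interval_s": round(m, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Two caveats a practitioner should keep in mind: legitimate software (update checks, monitoring agents) also beacons regularly, so hits need an allowlist of known destinations, and a beacon configured with a large jitter will spread its intervals enough to pass the `max_cv` test, so this check is a complement to, not a substitute for, destination reputation and payload inspection.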
The group would finally withdraw the stolen money as cash through an extensive network of ATMs over holidays or weekends to avoid detection. Links were also found between OPERA1ER and the cybercriminal group Bluebottle, which used a signed Windows driver in attacks against at least three banks in French-speaking African countries, according to Symantec.