Suspected leader of OPERA1ER cybercriminal group arrested in Africa
Why are banking institutions and telecom providers around the world afraid of these hackers?
Authorities in Côte d’Ivoire, a French-speaking country in West Africa, have detained a hacker believed to be a longtime key member of the OPERA1ER cybercriminal group that attacked telecommunications and financial companies through malware, phishing and business email compromise.
The group, also known as NX$M$, DESKTOP Group and Common Raven, is suspected of stealing between $11 million and $30 million over the past four years in more than 30 attacks in 15 countries in Africa, Asia and Latin America.
Additional information that helped in the investigation was provided by the Criminal Investigation Unit of the US Secret Service and cybersecurity researchers from Booz Allen Hamilton DarkLabs.
“According to the Interpol Africa Cybersecurity Threat Report 2022, cybercrime is a growing threat in the West Africa region, with victims of these crimes located all over the world. Operation Nervone underscores Interpol’s determination to actively combat the threat of cybercrime in the region,” Interpol said in an official statement.
The members of OPERA1ER primarily speak French and are believed to be based in Africa. They use a wide variety of tools in their attacks, including commonly available malware and frameworks such as Metasploit and Cobalt Strike.
OPERA1ER hackers usually gain initial access to targeted networks through targeted phishing emails built around familiar themes such as invoices or delivery notifications. Once inside, the attackers deploy a wide range of first-stage malware, including Netwire, BitRAT, venomRAT, AgentTesla, Remcos, Neutrino, BlackNET and Venom RAT, as well as password stealers and credential dumpers.
The researchers found that OPERA1ER hackers typically maintain access to compromised networks for three to twelve months, sometimes attacking the same company multiple times.
Symantec researchers have also uncovered a connection between OPERA1ER and a cybercriminal group they track under the codename Bluebottle. These attackers used a signed Windows driver in attacks against at least three banks in French-speaking African countries.
“Any attempt to investigate a complex cybercriminal group such as OPERA1ER, which has stolen millions from financial sector companies and telecommunications providers around the world, requires a highly coordinated effort between public authorities and the private sector,” declared Dmitry Volkov, CEO of Group-IB.
“The success of Operation Nervone demonstrates the importance of sharing threat intelligence. Only thanks to our cooperation with Interpol, Orange CERT-CC and partners from the private and public sectors were we able to get a complete picture of what is happening,” Volkov summed up.