According to INTERPOL and Group-IB, a leading suspect associated with the OPERA1ER hacking group has been detained in Abidjan, Côte d’Ivoire.
OPERA1ER: Playing God without Permission is one of the most notorious groups that had reportedly stolen $11 million in 15 countries all over Asia, Africa, and Latin America.
Various cybercrime investigation teams have been part of this operation that, includes INTERPOL, AFRIPOL, Group-IB, and others. Group-IB has tracked OPERA1ER since its first operation in 2018.
With additional information from the United States Secret Service about one of the key members of OPERA1ER, Operation Nervone was successful in its first authoritative action that led to the arrest of one of the members.
OPERA1ER – TTPs
OPERA1ER group also known by other names like NX$M$, DESKTOP group, or Maven Group that have been involved in several cybercriminal activities like financial institutions and mobile banking services with malware, Business Email Compromise (BEC), and spear-phishing campaign.
Their initial level of compromise involves high-quality spear-phishing campaign emails with RATs (Remote Access Trojans). Only specific teams are targeted in an organization.
Most of the emails seem to be in French Language and have the context about Tax office notifications or hiring offers.
The group is discovered to be using open-source red teaming tools like Metasploit and Cobalt Strike and freely available malware on the dark web. As per reports, the group takes up to a year to study an organization’s internal infrastructure.
Attacks and Impact
Between 2018-2022, the group is discovered to have conducted more than 30 successful attacks stealing over $11 million and potentially impacting a loss of over $30 million.
The group was also found to use 3-year-old vulnerabilities to infiltrate systems. Group-IB has published a complete report about OPERA1ER’s activities.
Image: “Operation Nervone is a testament to what we can achieve through international collaboration and intelligence sharing. This successful operation marks a significant step in our ongoing mission to dismantle organized cybercrime networks, showcasing the power of collective action in stemming the tide against cybercrime.”, said Bernardo Pillot, INTERPOL Assistant Director of Cybercrime Operations.
Though most of the victims were financial institutions in Africa, it is recommended for organizations take a step to review their internal security and take precautionary measures to avoid being a target of cybercriminals.