The revelation was made by the Singapore-based cyber security firm Group-IB together with Orange CERT, the information technology security arm of the French telecommunications company Orange.
The firm confirmed in its latest report that 12 African countries had lost millions of dollars to a hacking group based in a yet-to-be-identified French-speaking African country.
It is not news that the African cyber security sector is in its infancy. Many organizations and government institutions have yet to become aware of cyber threats and invest in adequate security measures. Even so, many critics and cyber security experts say this is a wake-up call, and one that should be taken seriously.
They say the amount lost to the hackers is only a small fraction of the total damage and threat to which countries and organizations on the continent are exposed. They also advise that governments and other stakeholders prepare for more sophisticated attacks from the same group, or from others who have spotted the same weaknesses.
How Did The Hackers Pull It Off?
According to Group-IB and Orange CERT, the hackers pulled off the operation using old-school hacking methods: they relied on everyday off-the-shelf tools and exploited weakly secured gateways to government and corporate financial portals.
The hackers targeted Francophone African countries in an operation codenamed OPERA1ER. They launched over 30 successful attacks against banks, financial services providers, and telecommunication companies between 2018 and 2022, stealing $11 million in the process.
Reacting to the attack, the head of cyber threat research at Group-IB’s European Threat Intelligence & Research Center in Amsterdam, Rustam Mirkasymov, told reporters from Quartz Africa that “According to our calculations, the total amount of damage ranges from $30 million to $50 million. However, this could be even more.”
According to the official report, unlike attackers who use sophisticated technology such as deep learning to clone fingerprints and steal passwords, OPERA1ER uses off-the-shelf open-source programs, malware freely available on the dark web, and popular red teaming frameworks such as Metasploit and Cobalt Strike. Red teaming is an authorized simulation of a real attack, used to test how an organization's defenses and staff would respond.
“In at least two incidents in different banks, the attackers deployed Metasploit servers inside compromised infrastructure. Because the gang relies solely on public tools, they have to think outside the box: in one incident, it used an antivirus update server deployed in the infrastructure as a pivoting point,” the report explains.
But it starts its attacks with a very familiar tactic: high-quality spear-phishing emails aimed at specific employees within an organization, most of them written in French, “ranging from fake notifications from government tax offices to hiring offers from the Central Bank of West African States.”
Under the guise of legitimate email attachments, OPERA1ER distributes remote access trojans such as Netwire, BitRAT, VenomRAT, AgentTesla, Remcos, Neutrino and BlackNET, as well as password sniffers and dumpers, the report says.
Once it gains access, the group uses the information it collects for further targeted phishing, and takes time to study internal documentation to prepare for the cash-out stage.
Countries That Were Targeted By OPERA1ER
OPERA1ER did not target African countries alone. Rather, it targeted a list of countries whose cyber security was identified as weak, 12 of them in Africa.
The affected countries from Africa are Côte d’Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, and Uganda. Those outside Africa are Argentina, Bangladesh, and Paraguay. The report claimed that most of the countries were attacked multiple times, and “their infrastructure was then used to attack other organizations.”
OPERA1ER, which also goes by the names DESKTOP-group and Common Raven, traces its roots back to 2016 when it registered its first domain.
It conducts cyber-attacks over weekends or during public holidays because, according to Mirkasymov, “it is much more difficult to stop fraudulent transactions or stop an attack on these days. Even if someone detects an attempt to withdraw money, during the weekend it is not easy to stop them and get the money back.”
The report says that OPERA1ER is a seasoned threat actor: once it noticed last year that it was being tracked, it deleted its accounts and covered its trail. But it resurfaced this year.
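A defensive illustration of the weekend-and-holiday timing described above, added here and not part of the report or of this article: a transaction-monitoring rule that flags transfers initiated outside business days, at or above a review threshold, or to a first-seen destination, and computes the earliest business day on which a reviewer can act on the hold. The transfer records, holiday calendar, account names and threshold are all constructed sample values.

```python
from datetime import date, datetime, timedelta

# Constructed holiday calendar (hypothetical date, not from the report).
HOLIDAYS = {date(2022, 4, 4)}

# Constructed transfer log: (ISO-8601 timestamp, amount, destination account).
SAMPLE_TRANSFERS = [
    ("2022-03-18T15:40:00", 120_000.0, "ACC-INTERNAL-01"),  # Friday, routine
    ("2022-03-19T02:15:00", 9_500_000.0, "ACC-NEW-7731"),   # Saturday night
    ("2022-04-04T10:05:00", 4_800_000.0, "ACC-NEW-7732"),   # Monday, listed holiday
    ("2022-03-21T09:30:00", 250_000.0, "ACC-KNOWN-02"),     # Monday, routine
]
KNOWN_DESTINATIONS = {"ACC-INTERNAL-01", "ACC-KNOWN-02"}  # constructed allow-list


def out_of_hours(ts, holidays=HOLIDAYS):
    """True when the transfer was initiated on a weekend or a listed holiday."""
    return ts.weekday() >= 5 or ts.date() in holidays


def earliest_business_day(d, holidays=HOLIDAYS):
    """Earliest day on or after d that is neither a weekend nor a holiday:
    the first point at which a reviewer is realistically available."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def flag_transfers(transfers, holidays=HOLIDAYS, review_threshold=1_000_000.0,
                   known_destinations=KNOWN_DESTINATIONS):
    """Return (timestamp, amount, destination, reasons, review_date) for each
    transfer that trips at least one signal. The signals are independent, so
    a small out-of-hours transfer to a known account is still flagged."""
    alerts = []
    for raw_ts, amount, dest in transfers:
        ts = datetime.fromisoformat(raw_ts)
        reasons = []
        if out_of_hours(ts, holidays):
            reasons.append("initiated outside business days")
        if amount >= review_threshold:
            reasons.append("amount at or above review threshold")
        if dest not in known_destinations:
            reasons.append("first-seen destination account")
        if reasons:
            # Hold the transfer until a reviewer can confirm or reverse it.
            review = earliest_business_day(ts.date(), holidays)
            alerts.append((raw_ts, amount, dest, reasons, review))
    return alerts
```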
Mirkasymov explains: “It correlates with the fact that they spend from three to 12 months from the initial access to money theft. The exact number of the gang members is unknown.”
African Response To Cyber Security Threats
The African Development Bank granted $2 million to the African Cybersecurity Resource Center (ACRC) for Financial Inclusion last year to tackle cybercrime.
In August, in collaboration with the United Nations Economic Commission for Africa, Togo set up a cybersecurity monitoring center in Lome to serve the entire continent.
Experts say only time will tell whether the funding was put to judicious use.