At least 16 African banks, financial services, and telecommunication companies have been identified as victims of the French-speaking threat group OPERA1ER, which has stolen at least $11 million since 2018.
A new report from Group-IB explains it has been tracking OPERA1ER's activities since 2019; however, they waited to publish its findings until the group resurfaced after a 2021 break. Now the gang is back in action, the analysts explain, allowing Group-IB to document their OPERA1ER TTPs from 2019 through 2021, as well as the latest iteration in 2022.
The researchers reported OPERA1ER has successfully breached the targets' systems at least 30 times since 2018. As an example of the group's sophistication and coordination, the report added, one of the of the group's attacks used more than 400 mule accounts to make fraudulent money withdrawals.
The group doesn't use exotic malware, in fact, the researchers said in the report that OPERA1ER's hallmark is easily accessible open source malware and everyday red-team frameworks like Metasploit and Cobalt Strike. OPERA1ER delivers remote access Trojans (RATs) through French-language email phishing lures and takes its time gathering intelligence about its victims before "cashing out," the report added.
"Detailed analysis of the gang’s recent attacks revealed an interesting pattern in their modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays," Rustam Mirkasymov, head of cyber-threat research at Group-IB Europe, said in a statement. "It correlates with the fact that they spend from three to 12 months from the initial access to money theft."
Mirkasymov added the gang could be based out of Africa and the total number of OPERA1ER group members is unknown.