A suspected senior member of the French-speaking hacking crew known as OPERA1ER has been arrested as part of an international law enforcement operation codenamed Nervone, Interpol announced.
“The group is believed to have stolen an estimated $11 million — potentially as much as 30 million — in more than 30 attacks in 15 countries across Africa, Asia and Latin America,” the agency said.
The arrest was made by the authorities in Ivory Coast early last month. Additional insight was provided by the US Secret Service’s Criminal Investigation Division and Booz Allen Hamilton DarkLabs.
This financially motivated collective is also known by the aliases Common Raven, DESKTOP-GROUP, and NX$M$. Its modus operandi was first disclosed by the Group-IB and Orange CERT Coordination Center (Orange-CERT-CC) in November 2022, detailing its disruptions to banks, financial services and telecom companies between March 2018 and October 2022.
Earlier this January, Broadcom’s Symantec said it had uncovered a series of targeted attacks against the financial sector in French-speaking countries in Africa from at least July 2022 to September 2022. The company said the activity, which it tracks as Bluebottle, overlapped with OPERA1ER.
The group’s attacks have relied on spear-phishing lures that trigger a sequence of events ultimately leading to the deployment of post-exploitation tools such as Cobalt Strike and Metasploit, as well as off-the-shelf remote access trojans that offer multiple functions for stealing sensitive data.
OPERA1ER has also been observed maintaining access to compromised networks for periods ranging from three to twelve months, sometimes targeting the same company multiple times.
“Most of the messages are written in French, and mimic fake tax office notices or hiring offers,” Group-IB said. “OPERA1ER was able to gain access to the internal payment system used by the affected organization, and use it to withdraw funds.”