Global fight against cybercrime: OPERA1ER's tower falls
French-speaking criminal organization loses a leader: Interpol announces high-profile arrest in international operation codenamed "Nervone"
A senior member of the French-speaking hacker group OPERA1ER has been detained in Nervone, an international operation initiated by Interpol. The group is suspected of more than 30 attacks across 15 countries, netting approximately $11-30 million. Investigators tracked the group's signature spear-phishing technique, which used fake notifications and job offers to gain access to the internal payment systems of victim organizations.
Interpol has announced the arrest of an alleged senior member of the French-speaking hacker group known as OPERA1ER. The action is part of a wider international law enforcement operation called Nervone. The group is estimated to have embezzled $11 million, and possibly as much as $30 million, through more than 30 attacks in 15 countries across Africa, Asia and Latin America.
The arrest in the Ivory Coast and sources of information
The arrest was made by authorities in Côte d'Ivoire early last month. Further details were provided by the Criminal Investigation Division of the US Secret Service and Booz Allen Hamilton DarkLabs. Also tracked as Common Raven, DESKTOP-GROUP and NX$M$, this financially motivated criminal organization was first exposed by Group-IB and the Orange CERT Coordination Center (Orange-CERT-CC) in November 2022.
The modus operandi of OPERA1ER
Between March 2018 and October 2022, OPERA1ER carried out numerous intrusions into banks, financial services and telecommunications companies. In January, Broadcom's Symantec disclosed a set of attacks targeting the financial sector in French-speaking African countries between July and September 2022, and noted a degree of overlap between the activity it tracks as Bluebottle and OPERA1ER. The group's attack chains relied heavily on spear-phishing, which kicked off a series of events culminating in the deployment of post-exploitation tools such as Cobalt Strike and Metasploit, along with commercial remote access trojans. These tools offer several features for stealing sensitive data.
Continuous access and deception techniques
OPERA1ER has been shown to maintain access to compromised networks for anywhere from three to twelve months, sometimes attacking the same company multiple times. Group-IB reported that most of the messages sent by the group were written in French and simulated tax notifications or job offers. Through this deception, OPERA1ER gained access to the internal payment systems used by the affected organizations and used that access to withdraw funds.
07/06/2023 13:38
Marco Verro