Africa: Alleged Key Member of Cybercrime Group Opera1er Detained

Authorities in Côte d'Ivoire Detain Suspected Key Member of Opera1er Cybercrime Group

The authorities in Côte d'Ivoire, a francophone state in West Africa, have detained a hacker suspected of being a key member of the Opera1er cybercrime group. The suspect is believed to have taken part in attacks on telecommunications and financial companies using malware, phishing, and business email compromise (BEC). The group, also tracked as NXSMS, DESKTOP Group, and Common Raven, is thought to have stolen between $11 million and $30 million over the past four years in more than 30 attacks across 15 countries in Africa, Asia, and Latin America.

The suspect was apprehended in early June as a result of a joint operation dubbed Nervone. The operation involved Afripol (the African Union's police cooperation body), Interpol, the cybersecurity firm Group-IB, and the telecommunications operator Orange. Additional information that aided the investigation was provided by the US Secret Service's Criminal Investigative Division and cybersecurity researchers from Booz Allen Hamilton DarkLabs.

“According to Interpol’s report on cybersecurity threats in Africa for 2022, cybercrime is an escalating menace in the West African region, with the victims of these crimes located worldwide. The Nervone operation highlights Interpol’s commitment to actively combat cybercrime threats in this region,” stated an official statement by Interpol.

Members of Opera1er primarily speak French and are believed to operate mainly from Africa. They use a diverse range of tools in their attacks, including publicly available malware and offensive frameworks such as Metasploit and Cobalt Strike.

Opera1er typically gains initial access to target networks through targeted phishing emails built around common lures such as account notifications or mail delivery notices. Once inside, the attackers deploy a variety of first-stage malware, including NetWire, BitRAT, VenomRAT, AgentTesla, Remcos, Neutrino, and BlackNET, as well as sniffers and password stealers.

Researchers found that Opera1er typically maintains access to a compromised network for three to twelve months, and has on occasion attacked the same company more than once.

Symantec researchers have also linked Opera1er to a cybercriminal group tracked as Bluebottle, which used signed Windows drivers in attacks against at least three banks in French-speaking African countries.

“Investigating a sophisticated cybercrime group like Opera1er, which has stolen millions from financial sector companies and telecommunication providers worldwide, necessitates highly coordinated efforts between state authorities and the private sector,” stated Volk
