Parlez-vous Français ?

10872425495?profile=RESIZE_400xAccording to a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in the past years.  The threat actor has been named Opera1er. Some of its activities were previously investigated by others, who have named it Common Raven, Desktop-Group, and NXSMS.

The cyber threat investigators are aware of 30 successful attacks between 2019 and 2021. In many cases, the same victim was attacked multiple times.  Most of the attacks targeted African banks.  Recent attacks in 2021 and 2021 have singled out five banks in Burkina Faso, Benin, Ivory Coast, and Senegal.  Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations.  The list of victims also includes financial services, mobile banking services, and telecom firms. Victims were spotted across 15 countries in Africa, Latin America, and Asia.[1]

Researchers have confirmed the theft of $11 million from victims since 2019, but they believe the cybercriminals could have made more than $30 million.  Opera1er attacks typically start with a spear-phishing email sent to a limited number of people within the targeted organization.  The goal is to obtain access to domain controllers and banking back-office systems.  After gaining access to an organization’s systems, the hackers waited for 3-12 months before stealing funds.  In the final phase of the operation, the cybercriminals used the banking infrastructure to transfer money from the bank’s customers to mule accounts, from where they would be withdrawn at ATMs by money mules, typically over weekends and public holidays.

Opera1er got access to the SWIFT messaging interface in at least two banks.  In one incident, the hackers obtained access to an SMS server that could bypass anti-fraud or cash out money via payment or mobile banking systems.  In another incident, Opera1er used an antivirus update server deployed in the infrastructure as a pivoting point.

Opera1er does not appear to rely on any zero-day vulnerabilities or custom malware.  They have been leveraging old software flaws and widely available malware and tools.  The group's "entire arsenal is based on open-source programs and trojans, or free published RATs that can be found on the dark web."  This includes off-the-shelf malware such as Nanocore, Netwire, Agent Teslam Venom RAT, BitRAT, Metasploit, Cobalt Strike Beacon, and others.

Analysts found that most of the attackers’ emails were written in French, and researchers determined that their English and Russian are “quite poor.”  Based on the oldest domain registered by the group, Opera1er has been active since at least 2016.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.    For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or      


Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings  



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!