An APT group based in Africa has found long-term success in its own way, by fishing waters that the bigger ransomware gangs and data thieves don’t generally focus on. The group deploys sophisticated spear phishing emails mostly tailored to French-speaking targets throughout Africa, but has also made some forays into Asia and Latin America.
Group-IB has been studying this APT group for years now and has published a detailed report on its activities. “OPERA1ER” has been in action since 2018 and usually notches anywhere from a few to a dozen successful attacks each year. The group has been confirmed to have caused at least $11 million in damage, but Group-IB believes the actual amount could be up to triple that total.
Advanced spear phishing emails show careful research, potential “dwell time” on victim networks
The APT group’s first known activity was in 2016, when it registered its initial domain used for spear phishing, but the first confirmed attack came in 2018. The group always waits at least a few months after registering a new domain before deploying it in an attack, and it has sat on these domains for as long as a year at times.
In addition to being patient with its domain names, there is evidence that the group does a lot of research before it sends its spear phishing emails. The emails are tailored to particular individuals in the organization with personalized elements, and Group-IB believes that the hackers are either breaching or bribing their way into the network in advance as the communications sometimes contain information that could not be looked up via public resources. Once it compromises employee accounts, it also seems to know exactly where all the money is stored and makes a beeline for it.
The complexity is all in the APT group’s spear phishing approach; the malware it uses is entirely “off the rack” with no custom tools or elements. It deploys that malware in creative ways to hide from automated defenses, however, such as bundling it with an antivirus update in one case.
It also has a large “real world” network of some 400 money mules that cash out the stolen proceeds at ATMs, generally on weekends and holidays when banks are less vigilant. The group has managed to evade identification thus far; the only concrete information Group-IB has on its location is that it is somewhere in Africa. The group speaks poor English and Russian on occasion, but definitely seems most comfortable doing its dealings in French.
Longevous APT group stays in business by attacking smaller targets, going dormant for long periods
The APT group seems to prefer attacking developing economies, but it goes for relatively lucrative targets within them: financial services, banking and telecommunications companies. It’s looking for cash on hand that it can turn into real world funds as quickly as possible. While the vast majority of its strikes have been in Africa, it has also popped up in Asia (Bangladesh) and Latin America (Argentina and Paraguay) and been successful with spear phishing approaches there.
Another piece of the group’s success has been knowing when to go to ground, and staying inactive for extended periods of time. It noticed that Group-IB was on its tail in 2021, and took some obfuscation measures along with a months-long period of dormancy in an attempt to evade further investigation (but has since re-emerged in Africa with more successful spear phishing attacks).