The vast majority of the world’s cyber crime is directed at English-speaking countries, particularly businesses in the United States. But there are signs that major organized groups are actively probing and staking out lucrative niches in other areas, entering territory that was previously hunted by smaller and less skilled attackers. A detailed report on one such example has recently been published by security outfit Group-IB, outlining the activities of the “OPERA1ER” APT group over the past few years. This group is known for targeted spear phishing emails, but is unique in targeting less economically developed nations in Africa, Asia and Latin America.
APT group focuses on smaller French-speaking economies, dozens of attacks beginning in 2018
Based on its target selection and the fact that its messages are usually in French, the APT group is thought to operate out of Africa. It has been difficult to pin down, however, despite operating since 2018 and racking up over a dozen successful attacks in some of those years.
This APT group is responsible for 35 known attacks over its run, totalling at least a confirmed $11 million in damage. Group-IB believes that the actual amount could be as much as $30 million. The group mostly focuses on African countries, and shows a preference for businesses in the financial services industry, banking and telecommunications. However, it is not afraid to make occasional ventures out of this comfort zone. The group has also victimized companies in Bangladesh, Paraguay and Argentina with spear phishing campaigns.
Another feature of the APT group is that it seems to exclusively use “off the shelf” tools, not developing its own malware or ransomware as the biggest of the criminal gangs do. It is unusual for a group that does not develop its own tools to last this long or be this financially successful, and part of that success is likely due to judicious selection of targets in areas that are not dealing with as many daily attempts as the world’s largest economies are.
One other key to its success is a large network of “money mule” accounts deployed to make withdrawals and funnel the funds to the APT group, a force that is reportedly at least 400 strong. Their spear phishing approach is also described as “high quality” and accurately recreates official government notices and communications from major banks.
The APT group is also sophisticated enough to notice when threat hunters are on its tail. After four strikes in 2021, the group appears to have noticed that Group-IB researchers were tracking it and temporarily buried its operations, changing some TTPs and deleting some accounts to throw off pursuit. After some months of dormancy, the group re-emerged in 2022 to pull off three more of its signature spear phishing attacks throughout Africa.
“Sophisticated” spear phishing targets organizations that may not be used to APT group attention
Though its attacks have been traced back to 2018, Group-IB notes that the APT group registered its first known domain in 2016. The planning appears to be meticulous with a minimum of three months from domain registration to its use being noted in a spear phishing attack, and in some cases the group has gone up to a year before deploying a domain.
This may not be what security teams for organizations in some of these countries are used to seeing among normal threat profiles. The APT group is also paradoxically more complex due to its use of only “off the shelf” malware, in that it has to come up with creative means of deploying it to evade detection.
The spear phishing campaigns indicate that the group researches both key figures in the organizations it targets and those organizations' defensive capabilities. Group-IB notes that this suggests the attackers are either bribing insiders or slowly and carefully penetrating networks and doing substantial reconnaissance before sending the targeted phishing emails, since both their approaches and their getaways indicate that they possess non-public knowledge about their victims.
They also seem to know exactly where the most money is when they make entry to target organizations, and exfiltrate it using compromised bank computers that have access to the SWIFT international banking messaging interface. The “money mules” that actually cash out the proceeds at ATMs are recruited months in advance of the attacks. Cashouts are also conducted on holidays and weekends to take advantage of expected response time delays.
Though the group has been pegged to somewhere in Africa, the actual location is still not known after years of spear phishing, nor is its total size. The report says that the group rarely communicates in English or Russian, and when it does it speaks both languages poorly. Group-IB notes that the APT group commonly uses a cracked version of Cobalt Strike beacons along with the BitRAT trojan, and hides its activity using FrootVPN and free dynamic DNS services such as DynDNS.