A senior member of the cybercrime gang known as OPERA1ER was apprehended by police after years of investigation. The hunt began roughly five years ago, after a series of financially motivated attacks attributed to OPERA1ER prompted the cybersecurity firm Group-IB to help launch a large-scale operation to disrupt the group. The arrest was made in early June, but the suspect's identity has not been shared publicly.
Singapore-headquartered Group-IB supported Operation Nervone, led by INTERPOL, the politically neutral international body that coordinates police cooperation between governments. According to the agency, OPERA1ER is believed to have stolen about USD 11 million, and possibly as much as USD 30 million, in roughly 30 attacks against organizations in more than 15 countries across Asia, Africa, and Latin America.
What Is OPERA1ER?
The group is notorious for its tactics and has been tracked under several names, including NXSMS, Common Raven, and DESKTOP Group. Its methods include malware, business email compromise (BEC) schemes, and phishing. Its targets were financial organizations such as banks and online banking services.
Group-IB first identified the group's activity in 2018, when it detected phishing campaigns linked to ransomware and remote access tools. Group-IB and the Orange CERT Coordination Center went on to track the group's modus operandi, drawing on details of its attacks on telecom services, financial institutions, and banks between March 2018 and October 2022.
In January 2023, an African financial institution detected a series of suspicious attacks, carried out between July 2022 and September 2022, that appeared to target French-speaking countries. The activity, which the company tracks under the codename Bluebottle, was said to overlap with the OPERA1ER crew. Shortly afterwards, the arrest brought the group's operations to an abrupt halt.
How Was OPERA1ER Caught?
Before this breakthrough, attacks were piling up, but investigators lacked the leverage and evidence needed to bring the group to justice. Each phishing attack was the first step in a chain of post-exploitation activity using frameworks such as Cobalt Strike and Metasploit. Combined with off-the-shelf trojans, these tools let OPERA1ER gain footholds in victim networks, exploit vulnerabilities, and steal sensitive information.
INTERPOL and its partners watched the crew carefully while keeping a safe distance. Their observations showed that the group maintained access to compromised systems for 3-12 months and, underestimating the authorities, returned to the same networks multiple times. During this period, the language used in the group's operations revealed its Francophone identity.
“A majority of the messages were interpreted as French-language, in addition to impersonated fake tax office alerts or engagement offers,” officials from Group-IB stated. “OPERA1ER had the ability to gain entrance to internal payment systems used by the affected organizations and manipulated this to extract funds.”
INTERPOL's cybercrime unit, with help from Group-IB and its partner Orange, analyzed the group's operations and shared data that later supported the investigation into OPERA1ER's activity and ultimately helped locate its members. The French-speaking group's plans came to a halt when a senior member of the crew was arrested in Côte d'Ivoire.
INTERPOL's global Operation Nervone, carried out with the assistance of national law enforcement authorities, was key to the arrest in Abidjan, Côte d'Ivoire. Although the suspect was not named, the operation was a success and is credited with sparing many potential victims of the crew millions of dollars in losses.
Bernardo Pillot, Assistant Director for cybercrime at INTERPOL, stated, “Operation Nervone is a testament to what we can achieve through international collaboration and intelligence sharing. This successful operation marks a significant step in our ongoing mission to dismantle organized cybercrime networks, showcasing the power of collective action in stemming the tide against cybercrime.”
Cybercrime — A Threat to the Economy
Cybercrime is a growing menace as technology develops and becomes more accessible. Criminals based in one region can find victims worldwide; attacks are not confined to the area around their base of operations. INTERPOL's Africa Cyberthreat Assessment report identifies West Africa as a rapidly growing source of cybercrime risk. The success of Operation Nervone marks a breakthrough in the authorities' approach to cracking such cases.
Even though a large share of cybercrime goes unreported, INTERPOL and its partners remain committed to proactively protecting people and organizations against cyberattacks. Operation Nervone was carried out under INTERPOL's Africa Joint Operation against Cybercrime together with the INTERPOL Support Programme in relation to AFRIPOL. It was funded by Germany's Federal Foreign Office and the UK's Foreign, Commonwealth and Development Office.