OPERA1ER

Description

(Group-IB) Digital forensics artifacts analyzed by Group-IB and Orange following more than 30 successful intrusions of OPERA1ER between 2018 and 2022 helped to trace down affected organizations in Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo, Argentina. Many of the victims identified were successfully attacked twice, and their infrastructure was then used to attack other organizations. According to Group-IB’s evaluation, between 2018 and 2022, OPERA1ER managed to steal at least $11million,andtheactualamountofdamagecouldbeashighas$30 million.

Names

Name	Name-Giver
OPERA1ER	Group-IB
DESKTOP-GROUP	c-APT-ure
Common Raven	SWIFT
NXSMS	Orange-CERT-CC
Bluebottle	Symantec

Country

• Unknown

Motivation

• Financial crime

First Seen

2016

Observed Sectors

• Financial
• Telecommunications

Observed Countries

• Argentina
• Bangladesh
• Benin
• Burkina Faso
• Cameroon
• Cote d’Ivoire
• Gabon
• Mali
• Niger
• Nigeria
• Paraguay
• Senegal
• Sierra Leone
• Togo
• Uganda

Tools

• Agent Tesla
• BitRAT
• BlackNET RAT
• Cobalt Strike
• Metasploit
• NetWire RC
• Neutrino
• Ngrok
• PsExec
• RDPWrap
• RemcosRAT
• Revealer Keylogger
• VenomRAT
• Living off the Land

Operations

• 2022-05: Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

Counter Operations

• 2023-07: Operation “Nervone” Suspected key figure of notorious cybercrime group arrested in joint operation https://www.interpol.int/News-and-Events/News/2023/Suspected-key-figure-of-notorious-cybercrime-group-arrested-in-joint-operation

Information

• https://www.group-ib.com/media-center/press-releases/opera1er/

Other Information

Uuid

a3c4d317-7ad1-4353-9102-ff64b20996d5

Last Card Change

2023-09-05