On Nov. 3, 2022, Group-IB, a leading cybersecurity figure, released a report on the activities of a unique hacking group codenamed OPERA1ER. According to the report, OPERA1ER, relying exclusively on long-disclosed vulnerabilities and “off-the-shelf” tools, has stolen at least $11 million from mainly financial and telecommunication companies in Latin America, Africa, and Asia over the past five years.
OPERA1ER’s uniqueness lies in the simplicity of its tactics. The group used malware that was easily available on the dark web. They exploited old and well-known vulnerabilities, exhibited a good stretch of patience, and maintained a large network of money mules who helped them withdraw their funds as cash from ATMs.
AN UNDERDEVELOPED CYBERSECURITY ECOSYSTEM
But if OPERA1ER’s success is a result of the group’s smoothness, it is also a clear indication of the lack of cybersecurity capacity in the affected companies. Following a barrage of ongoing cyberattacks in the Global North, there’s been an uptick in cybersecurity measures, spending, and policies in Western countries. But most developing states are still lagging behind, and threat actors are fast realizing this.
Nine out of the world’s 10 most low-risk countries on the SEON cyber threat index are in Europe and the United States, while all 10 countries at the most risk are either African, Asian, or Latin American.
In the Global North, a threat group relying on the same tactics as OPERA1ER — in the same order — would be a joke, but in developing countries, they’re a goldmine. “We’ve seen that in their attacks on even big companies OPERA1ER relies on the exploitation of very old vulnerabilities discovered years ago,” said Rustam Mirkasymov, head of Cyber Threat Research at Group-IB, Europe. “It may indicate that local victims’ cybersecurity maturity level is sometimes lagging behind the average.”
In the Global North, a threat group relying on the same tactics as OPERA1ER — in the same order — would be a joke, but in developing countries, they’re a goldmine.
As the global cybersecurity market grows more secure and saturated, threat actors will be forced to target less secured places — such as Africa where there’s a growing use of technology and digital payment solutions — even though it means a relatively lower payout. In developing countries, threat actors might not be stealing at the same scale as in wealthier countries, but carrying out attacks in these places also take significantly lower effort and skill. OPERA1ER has carried out at least 30 successful attacks between 2019 and 2021 across 15 different countries, and researchers at Group-IB estimate their total loot is around $30 million. In comparison, between 2013 to 2015, a hacker gang, using the Carbanak malware and targeting mainly entities in the Global North, stole an estimated $1 billion across 30 different countries.
According to the Digital Quality of Life cybersecurity index by Surfshark, the African continent ranks 42% lower than the global average, and 64% then the European average, which has the highest rank in digital quality of life. Twelve of the 15 countries attacked by OPERA1ER were African.
THE RISE OF A (SERIOUS) TECHNICAL HACKER IN AFRICA
Until this report, African threat actors have made a reputation for themselves mainly through thorough social engineering and emotional manipulation. The term “African cybercriminals” have often either meant the Nigerian yahoo boys or a network of cybercrime gangs with members in South Africa and many West African countries. All these groups are famed for the social engineering skills that allow them to carry out romance scams, advance-fee fraud, and business email compromise scams.
In contrast, while OPERA1ER has exhibited the soft skills — such as patience and tenacity — of social engineers, they’ve relied mainly on malware and actual technical hacking. Until OPERA1ER, researchers have seen African groups try to use malware but with little to no success. The breakthrough of OPERA1ER will possibly lead to an increase in African cybercriminals incorporating more technical tools in their attacks. Instead of a full pivot to hacking, it’s more likely that there would be an amalgamation of hacking and social engineering, says Ronnie Tokazowski, a cybersecurity researcher who focuses on African groups. “It’s my nightmare,” said Tokazowski, “the cybersecurity world isn’t ready for the merge of African social engineering and the use of malware.”
OPERA1ER was recorded speaking Russian, albeit poorly, which may or may not point toward a relationship with Russian actors known for their brute technical hacking capacity. A merger presents a threat to the whole world of cybersecurity and commerce.
CURBING OPERA1ER POSES A DIFFERENT CHALLENGE
Most African countries lack strong and active cybersecurity policies or measures. In a study by researchers at the Africa Center for Strategic Studies, only 7 out of 17 African countries analyzed had done a cyber threat assessment although all 17 have a plan of action, which points to a disconnect between the threats and solutions being proffered. Out of the 17, only 7 had allocated resources to commence their national cybersecurity measures. In Nigeria, cybersecurity faces problems such as talent retention, poor policy enforcement, and little to zero disclosure.
Also, the blurry line between cybercrime and common crime has always been a problem. In Nigeria and many African countries, cybercrime is ingrained and appropriated into the street hustle culture, not dissimilar to how drug sales and trafficking are ingrained in the west. “OPERA1ER’s ability to mobilize a crew of 400 money mules indicates strong relationships between this hacking group and common crime,” said Mirkasymov.
The sheer number of youths participating in cybercrime is one of the strongest indicators of this problem. “The number of cybercriminals is this high,” Tokazowski said, lifting his left hand to the same level as his eyes, “and the number of law enforcement and researchers fighting them is this small,” he continued, this time signifying a space between the thumb and index finger of his right hand. In Nigeria, cybercrime has grown along with increased economic difficulty during the pandemic.
OPERA1ER highlights a lot of issues in the African cybersecurity space, and at the same time, the growing economic activity in the continent. “In general, the African cybersecurity field is quite young and organizations are not yet familiar with and fully prepared to face financially-motivated persistent threats. At the same time, Africa’s continued economic development makes the local financial sector a sweet spot for cybercrime,” Mirkasymov said. The continent needs to meet growing techno-financial growth with appropriate cybersecurity.
Olatunji Olaigbe is a Nigerian freelance journalist. He’s a winner of the 2021 IOM West and Central Africa Migration Journalism Awards.
