A cybercrime group believed responsible for a series of thefts targeting African banks continued its attacks on financial institutions on the continent well into 2022, according new research from Symantec.
In a report released Thursday, researchers at Symantec reported that the group, which it tracks as “Bluebottle,” carried out attacks on African banks as late as September of last year, offering new insights into the group’s tactics and tools and confirming that the group remains a threat to financial institutions there.
Researchers with Group-IB, a cybersecurity firm based in Singapore, reported in November that a French-speaking cybercrime crew it called “OPERA1ER” had pulled off a series of heists targeting banks around the world, netting as much as $30 million over a four-year period.
“Bluebottle” and “OPERA1ER” appear to be the same group, but the group’s tactics make it hard to decisively state that the activity observed by the two companies are the same actor. Both Symantec and Group-IB reported that the group uses off-the-shelf tools seen used in many ransomware campaigns and other cybercrime operations, making it difficult to definitively attribute the attacks.
Thursday’s report from Symantec, a division of Broadcom Software, is based on data associated with attacks on banks in three African countries between July and September 2022. Three different financial institutions across the three countries were compromised, the researchers said.
The short term goal of the attacks appears to be, in part, persistence in a victim’s network and credential theft.
“Indications are that this activity was likely ‘hands-on-keyboard’ activity rather than automated,” the Symantec researchers concluded. “While we do not see what further activity is carried out by the attackers, the victims and the crossover with the activity documented by Group-IB all indicate that this activity is likely financially motivated.”
It’s not clear whether Bluebottle successfully monetized the attacks, the Symantec researchers noted. The earlier attacks documented by Group-IB appear to have netted the criminal group at least $11 million, but the total amount stolen could be as much as $30 million. Active since at least 2016, the group has in the past relied on ATM withdrawals to cash out on their heists.
Ultimately, the people behind these operations have demonstrated remarkable success over the years, the researchers said. “The effectiveness of its campaigns means that Bluebottle is unlikely to stop this activity,” they added.
Thursday’s report documents a slight potential evolution in the group’s tactics. Symantec researchers observed Bluebottle using ISO files as an initial infection vector — something that does not appear to have been present in the attacks studied by Group-IB.
“If the Bluebottle and OPERA1ER actors are indeed one and the same, this would mean that they swapped out their infection techniques between May and July 2022,” the Symantec researchers said.