‘DangerousSavanna’ Hackers Targeted Financial Institutions in Africa for Two Years

A persistent campaign of cyberattacks has emerged targeting major financial institutions in Francophone African countries and has been active for the past two years.

The campaign was discovered by Check Point Research (CPR) and dubbed “DangerousSavanna”. It relied on spear-phishing techniques to initiate infection chains.

Threat actors allegedly sent French-language emails with malicious attachments to employees in Ivory Coast, Morocco, Cameroon, Senegal and Togo, using various file types, including PDF, Word, ZIP and ISO, to lure victims.

Additionally, DangerousSavanna hackers used lookalike domains, impersonating other financial institutions in Africa, such as the Tunisian Foreign Bank and Nedbank.

“We suspect he is a financially motivated cybercriminal, but we don’t have conclusive evidence yet,” said Sergey Shykevich, head of the CPR’s threat intelligence group.

“Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims, and at this time we know of at least three major financial companies operating in these countries that were affected.”

Furthermore, the cybersecurity expert said that Check Point’s assessment shows that this actor will keep trying to break into its targeted businesses until weaknesses are found or employees make a mistake.

“Usually, when a hacker directly targets financial institutions, their main objective is to secure access to core banking systems such as payment card issuance systems, SWIFT transfers and ATM control systems,” Shykevich added.

More generally, the Check Point executive said cybercriminals believe the fragile economies of some African countries may be linked to a lack of investment in cybersecurity.

“But the financial and banking sector is actually one of the most impacted industries in the world, suffering an average of 1,144 weekly cyberattacks,” Shykevich explained.

In the advisory detailing some of DangerousSavanna’s recent attacks, CPR provided companies with guidance on preventing spear phishing attacks. These techniques include updating systems, implementing multi-factor authentication (MFA), confirming suspicious email activity before any interaction, training employees, and regularly testing their cybersecurity knowledge.

The DangerousSavanna advisory comes weeks after cybersecurity firm Vade revealed that banks around the world received the majority of phishing attacks in the first half of 2022.