A sprawling, multiyear operation nabs a suspected SilverTerrier BEC group ringleader, exposing a massive attack infrastructure and sapping the group of a bit of its strength.

Business email compromise (BEC) attacks have caused billions of dollars in losses to businesses globally in recent years — but now international law enforcement has notched up another victory in the battle against them.

Interpol on Wednesday announced that "Operation Delilah" has resulted in Nigerian police arresting the suspected head of SilverTerrier, aka TMT, a massive BEC operation that has been active since at least 2015, impacting thousands of businesses and individuals across four continents. The 37-year-old Nigerian man, whom Interpol did not name, was apprehended at the Murtala Muhammed International Airport in Lagos as he attempted to re-enter the country after fleeing ahead of the police in 2021.

The arrest marks the culmination of a year-long investigative effort that was led by Interpol's Africa desk and involved law-enforcement agencies from multiple countries. Three security vendors — Palo Alto Networks, Group-IB, and Trend Micro — also supported the effort by providing information on the BEC operation and its operators to the investigating entities. Interpol also credited CyberTOOLBELT with providing "ad hoc support" to the investigation.

Notching Up Arrests

The latest arrest brings to 15 the total number of individuals who have been arrested in recent years for their alleged involvement in BEC scams out of Nigeria — a hotbed of activity for this type of threat for years. In January, Nigeria's police, acting on information from Interpol, arrested 11 individuals for allegedly defrauding or attempting to defraud some 50,000 organizations worldwide via BEC scams. Six of the individuals were identified as belonging to SilverTerrier. At the time of the January arrests, law enforcement authorities recovered one laptop that contained a staggering 800,000 usernames and passwords that appeared to belong to victim organizations.

That 10-day operation was code-named "Falcon II"; it was preceded by another in November 2020 dubbed "Falcon I," when three alleged SilverTerrier members were arrested for their involvement in BEC scams that compromised 500,000 organizations worldwide.

Pete Renals, principal researcher for Unit 42 at Palo Alto Networks, says researchers from the company have been tracking the Nigerian individual who was arrested recently since at least 2017. He notes that while this person is suspected to be a ringleader, it's hard to say what exactly the individual's role was within SilverTerrier because of the sheer number of people who are part of the group and the amorphous nature of their malicious activities. 

"It is difficult to draw boundaries around subgroups or affix certain roles to actors, as these groups are often time-bound, fluid in organization, and the individual role of a specific actor usually evolves over time," Renals says.

A Massive Operation

That said, Unit 42's research shows that the arrested individual likely owned the infrastructure that served as command-and-control (C2) for malware such as ISRStealer, a keystroke logging tool; Pony, a password stealer; and the LokiBot information stealer, Renals notes.

The security vendor says it also identified more than 240 domains that the threat actor had registered under various aliases. Fifty of those domains were used as C2 infrastructure for malware the threat actors used in their BEC campaigns. 

Significantly, the arrested individual provided a street address belonging to a major US financial institution in New York when registering the domains, Palo Alto Networks said. The same individual also shared social-media connections with at least three of the BEC operators who were previously arrested as part of Operation Falcon II.
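The registrant-data pivot described above, as an added example that is not Unit 42's or Interpol's code: domains registered under different aliases can still be linked when they reuse a registrant address, phone number or e-mail, which is how a defender groups a set of suspect domains into one infrastructure cluster for blocking. Every record, domain name, alias and contact value below is a constructed placeholder.

```python
"""Cluster domains by shared registrant artifacts (constructed sample data).

Registrant name is deliberately not a pivot field, because the aliases vary;
address, phone and e-mail are reused far more often than operators intend.
"""
from collections import defaultdict

# Constructed WHOIS-style registrant records: placeholders, not real data.
RECORDS = [
    {"domain": "example-c2-one.test", "name": "Alias A", "email": "a@mail.test",
     "address": "1 Bank St, New York", "phone": "+1-555-0100"},
    {"domain": "example-c2-two.test", "name": "Alias B", "email": "b@mail.test",
     "address": "1 Bank St, New York", "phone": "+1-555-0101"},
    {"domain": "example-three.test", "name": "Alias C", "email": "b@mail.test",
     "address": "99 Other Rd, Lagos", "phone": "+1-555-0102"},
    {"domain": "unrelated.test", "name": "Alias D", "email": "d@mail.test",
     "address": "5 Elsewhere Ave", "phone": "+1-555-0103"},
]
PIVOT_FIELDS = ("email", "address", "phone")


def cluster_by_registrant(records, fields=PIVOT_FIELDS):
    """Union-find over domains: two domains join one cluster when any pivot field matches."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path compression
            d = parent[d]
        return d

    seen = {}  # (field, normalized value) -> first domain carrying that value
    for r in records:
        for f in fields:
            key = (f, r[f].strip().lower())
            if key in seen:
                parent[find(r["domain"])] = find(seen[key])  # merge the two roots
            else:
                seen[key] = r["domain"]
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return [sorted(c) for c in clusters.values()]


def cluster_containing(records, domain):
    """Return the sorted cluster that holds `domain`, or [] if it is unknown."""
    for c in cluster_by_registrant(records):
        if domain in c:
            return c
    return []


if __name__ == "__main__":
    for c in cluster_by_registrant(RECORDS):
        print(len(c), c)
```

Note that the three linked domains share no single field: one and two share an address, two and three share an e-mail, and the transitive merge is what exposes the cluster.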

The string of arrests since late 2020 has highlighted the growing ability of international law enforcement authorities, cybersecurity vendors, and other stakeholders to work together in tracking down major BEC operators. Even so, BEC remains a major cyberscourge to organizations worldwide. 

According to statistics maintained by the FBI, BEC attacks caused a staggering $43 billion in actual and attempted losses worldwide between June 2016 and last December. In that time frame, there were some 241,200 BEC incidents involving victims in all 50 US states and 177 countries. Approximately 116,400 individuals and organizations in the US reported being targeted by a BEC scam during that period, causing over $14.7 billion in losses.

Renals says the sheer scope of BEC activity has made it challenging to stop. "The BEC threat landscape is extremely active and constantly evolving," he says. "As a threat type, it has grown over the years to become the most prevalent and costly form of malicious cyber activity targeting our organizations."

While Nigeria has been the center of BEC activity in recent years, there have been similar scams originating from other countries as well, he says. "We also see BEC schemes originate from Malaysia and India, and we see facilitation of BEC schemes in most developed nations to include money mules laundering the money from the attacks," Renals says.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
