'DangerousSavanna' Hackers Targeted Financial Institutions in Africa For Two Years

Written by

A persistent cyber–attack campaign has emerged targeting major financial institutions in French–speaking African countries and has been active over the last two years.

The campaign was discovered by Check Point Research (CPR) and dubbed 'DangerousSavanna.' It relied on spear phishing techniques to initiate infection chains.

The threat actors reportedly sent malicious attachment emails in French to employees in Ivory Coast, Morocco, Cameroon, Senegal and Togo utilizing diverse file types, including PDF, Word, ZIP and ISO files, to lure victims. 

Further, DangerousSavanna hackers used lookalike domains, impersonating other financial institutions in Africa, such as the Tunisian Foreign Bank and Nedbank.

"Our suspicion is that this is a financially motivated cyber–criminal, but we don't have conclusive evidence yet," explained Sergey Shykevich, threat intelligence group manager at CPR.

"Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims, and right now, we are aware of at least three major financial corporations that operate in these countries that have been affected."

Further, the cybersecurity expert said Check Point's assessment shows that this actor will continue trying to break into its targeted companies until weaknesses are found, or employees make a mistake.

"Usually, when a hacker targets financial institutions directly, their main goal is to secure access to core banking systems such as payment card issuing systems, SWIFT transfers and ATM control systems," Shykevich added.

More generally, the Check Point executive said cyber–criminals believe that fragile economies in some African countries may be linked to a lack of investment in cybersecurity.

"But the finance and banking sector is actually one of the most impacted industries worldwide, experiencing 1144 weekly cyber–attacks on average," Shykevich explained.

In the advisory detailing some of DangerousSavanna's recent attacks, CPR provided companies with advice on preventing spear phishing attacks. These techniques include keeping systems up to date, implementing multi-factor authentication (MFA), confirming suspicious email activity before interacting, educating employees and regularly testing their cybersecurity knowledge.

The DangerousSavanna advisory comes weeks after cybersecurity company Vade revealed banks worldwide received the majority of phishing attacks during the first half of 2022.

What’s hot on Infosecurity Magazine?