[BreachExchange] Feds Indict 'Fxmsp' for Hacking Multiple Firms

Destry Winant destry at riskbasedsecurity.com
Fri Jul 10 09:53:43 EDT 2020


https://www.databreachtoday.com/feds-indict-fxmsp-for-hacking-multiple-firms-a-14584

The U.S. Justice Department unsealed an indictment Tuesday charging a
Kazakhstan citizen with leading a hacking collective known as "Fxmsp."
The group has been accused of carrying out hundreds of attacks
worldwide over the past several years.

Andrey Turchin, 37, who allegedly also goes by the name "fxmsp," now
faces five federal charges, including two counts of computer fraud and
abuse and one count each of conspiracy to commit computer hacking,
conspiracy to commit wire fraud and access device fraud, according to
the U.S. Attorney's Office for the Western District of Washington,
which is overseeing the case. The most serious charge - conspiracy to
commit wire fraud - carries a sentence of up to 20 years in federal
prison.

The Fxmsp group is suspected of hacking more than 300 corporate
entities, educational institutions and government agencies in over 40
countries, including over 30 organizations in the U.S., according to
the 2018 federal indictment.

The unsealing of the federal indictment comes after Singapore-based
security firm Group-IB published a lengthy report last month about the
Fxmsp group's activities, including details about at least $1.5
million in illicit profits that the hackers collected through a
botnet-based business model under which they sold access to
compromised networks to other criminals (see: Fxmsp Hackers Behind AV
Source Code Heist: Still Operating?).

By cross-referencing email addresses used by Fxmsp across multiple
platforms, including Jabber, Group-IB's report also detailed how the
firm was able to deanonymize Turchin - aka Fxmsp, uwert, vidi, bosslb
- in part via social media posts. The security firm said Turchin
appeared to be residing in Almaty, Kazakhstan.

"As we can see from the Department of Justice's indictment charging
Fxmsp, Group-IB's suggestion that the factual number of victims as
well as earnings made as a result of Fxmsp's activities might be even
higher has proved to be right," Group-IB CTO Dmitry Volkov tells
Information Security Media Group.

"As stated in Group-IB's report, at one of the stages of his
cybercriminal career, Fxmsp made sales only through private messages,
therefore, the data provided in the report represented the low-range
estimate, since it only took into account public lots offered by the
cybercriminal."

Turchin is not currently in U.S. federal custody, but Bleeping Computer
reports that he has now been detained by police in Kazakhstan.

Fxmsp Hacking Group

The Fxmsp group gained public attention in April 2019, after trying to
sell remote access to three anti-virus vendors' networks as well as 30
TB of stolen data, which they claimed included source code (see: Crime
Gang Advertises Stolen 'Anti-Virus Source Code').

At the time, McAfee confirmed that it had been targeted. So too did
Trend Micro, with a spokeswoman telling ISMG that it was "aware that
unauthorized access had been made to a single testing lab network by a
third party and some low-risk, debugging-related information was
obtained." The third alleged target, Symantec, has not responded to
multiple requests for comment, although it has told Bleeping Computer
that its systems were not compromised.

Fxmsp was most active between October 2017 and October 2018, before an
apparent lull in its operations. In April 2019, the group reappeared,
and the following month began offering the stolen anti-virus vendor
data, source code and remote access for sale for $300,000. The sale
was then revealed via a report published by New York-based fraud
prevention and risk management firm Advanced Intelligence - aka
AdvIntel - which it said was designed to drive Fxmsp off the
cybercrime forums it relied on to advertise its wares (see: Hacking
Timeline: Fxmsp's Rise and Apparent Fall).

"Fxmsp was acting privately - beyond forums - until May 9, 2019, when
we terminated their operations," Yelisey Boguslavskiy, AdvIntel's CEO,
has told ISMG.

Of course, members of the group may since then have been operating
privately and under different names.

Brute-Force Arsenal

Over the years, Fxmsp used brute-force attacks and sent phishing
emails with malicious attachments to employees of targeted
organizations, according to the newly unsealed court documents.

If those methods worked, Fxmsp would infect victims' devices with
malware designed to give the attackers control of the device. The
attackers would then conduct surveillance, exfiltrate data and use
administrative credentials to install other malware such as password
stealers and remote access Trojans within a targeted organization's
network to establish persistence, according to the indictment. The
attackers even modified the anti-virus software settings on the
infected device to evade detection, the indictment says.

Fxmsp used this access to move laterally within the network and infect
other systems and devices on the network with malware. Establishing
persistence was key to the group's main goal, which was to sell access
to the compromised computer networks to other cybercriminals for
financial gain, according to the court documents.

Remote Access for Sale

The hacking collective sold access to infected networks, offering
buyers either a backdoor or working remote desktop protocol
credentials gathered by their malware, security researchers say. The
group also utilized underground forums such as Club2Card, Altenen,
Blackhacker, Omerta, Sniff3r, and L33t to market stolen data and
illicit access to infected systems, according to the Justice
Department.
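
The entry point described in the indictment (brute-forced logons) and
the product sold here (working RDP credentials) leave a recognisable
trace in Windows Security logon events. The following detector is an
added example, not code from the article, the indictment or Group-IB's
report: it walks logon events and flags a source address that fails
many logons inside a short window, and flags it again if that address
then succeeds over RDP. Event IDs 4625 (failed logon) and 4624
(successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are
real Windows semantics; the one-line-per-event record layout and the
sample lines themselves are constructed for this example and are not a
real log export.

```python
"""Flag brute-force logon bursts and brute force followed by an RDP success.

Added example (not the article's or the indictment's code). The record
layout "<utc timestamp> <event id> <account> <source ip> <logon type>"
and the sample lines are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays several accounts, then logs
# on over RDP; 198.51.100.5 is a user mistyping a password twice;
# 203.0.113.9 sprays and never gets in.
SAMPLE_LOG = """\
2020-07-01T02:10:01Z 4625 administrator 203.0.113.7 10
2020-07-01T02:10:08Z 4625 admin 203.0.113.7 10
2020-07-01T02:10:15Z 4625 backup 203.0.113.7 10
2020-07-01T02:10:22Z 4625 administrator 203.0.113.7 10
2020-07-01T02:10:29Z 4625 svc_sql 203.0.113.7 10
2020-07-01T02:10:36Z 4625 administrator 203.0.113.7 10
2020-07-01T02:11:05Z 4624 administrator 203.0.113.7 10
2020-07-01T02:12:00Z 4625 jsmith 198.51.100.5 10
2020-07-01T02:12:20Z 4625 jsmith 198.51.100.5 10
2020-07-01T02:12:45Z 4624 jsmith 198.51.100.5 10
2020-07-01T03:00:00Z 4625 root 203.0.113.9 10
2020-07-01T03:00:30Z 4625 admin 203.0.113.9 10
2020-07-01T03:01:00Z 4625 administrator 203.0.113.9 10
2020-07-01T03:01:30Z 4625 guest 203.0.113.9 10
2020-07-01T03:02:00Z 4625 test 203.0.113.9 10
2020-07-01T03:02:30Z 4625 admin 203.0.113.9 10
2020-07-01T03:03:00Z 4625 root 203.0.113.9 10
2020-07-01T03:03:30Z 4625 guest 203.0.113.9 10
"""


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    account: str
    source_ip: str
    logon_type: int    # 10 = RemoteInteractive (RDP)


@dataclass(frozen=True)
class Finding:
    kind: str          # "brute_force" or "brute_force_success"
    source_ip: str
    when: datetime
    failures: int      # failed logons from this source inside the window
    accounts: tuple    # distinct accounts tried inside the window
    account: str = ""  # account that got in (brute_force_success only)


def parse_line(line: str) -> LogonEvent:
    ts, event_id, account, source_ip, logon_type = line.split()
    return LogonEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      int(event_id), account.lower(), source_ip, int(logon_type))


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings in time order.

    One brute_force finding per source, raised when its failure count
    inside `window` first reaches `threshold`, plus a brute_force_success
    finding for every RDP logon that succeeds while the source is still
    over threshold. Failures are counted whatever their logon type: with
    Network Level Authentication a failed RDP attempt is usually logged
    with LogonType 3, not 10.
    """
    recent = defaultdict(deque)   # source_ip -> (ts, account) failures in window
    flagged = set()
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        q = recent[e.source_ip]
        while q and e.ts - q[0][0] > window:   # drop failures older than window
            q.popleft()
        if e.event_id == 4625:
            q.append((e.ts, e.account))
            if len(q) >= threshold and e.source_ip not in flagged:
                flagged.add(e.source_ip)
                findings.append(Finding("brute_force", e.source_ip, e.ts, len(q),
                                        tuple(sorted({a for _, a in q}))))
        elif e.event_id == 4624 and e.logon_type == 10 and len(q) >= threshold:
            findings.append(Finding("brute_force_success", e.source_ip, e.ts, len(q),
                                    tuple(sorted({a for _, a in q})), e.account))
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(f.when.isoformat(), f.kind, f.source_ip, f.failures, f.accounts, f.account)
```

On the sample, 203.0.113.7 produces a brute_force finding at its fifth
failure and a brute_force_success finding when "administrator" logs on
over RDP, 203.0.113.9 produces a brute_force finding only, and the two
mistyped passwords from 198.51.100.5 produce nothing. The success
finding is the one worth paging on: it is the moment the brute-forced
credential becomes the "working remote desktop protocol credentials"
the group was selling.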

Members of the group provided buyers with post-sale technical
assistance, using platforms such as Jabber to make their
communications tough to track, as well as relying on bitcoins to
conceal financial transactions, the indictment says. They also used
monikers such as "BigPetya," "Lampeduza," "Nikolay" and "Ares," among
other aliases, to hide their identity, the court documents note.

The price of the remote access to sites being offered by Fxmsp ranged
from thousands to tens of thousands of dollars, even exceeding
$100,000 in some cases, prosecutors say. In other cases involving
financial institutions and other high-value targets, the hacking group
would take a percentage of future profits obtained by the buyer,
according to the indictment.

Turchin and his group allegedly advertised and tried to sell network
access to an Alaska-based distributor of petroleum products, a law
firm in Colorado, a New York-based airline, a New York-based digital
payments firm, the Ministry of Finance of an African country, the
Ministry of Mining of an Asian country, a South Asian media firm, an
African bank and numerous other financial services firms, according to
the indictment.

Turchin also allegedly claimed to have access to over 200 government
and law enforcement networks in the U.K. as well as point-of-sale
terminals at cafes, restaurants and retail stores in over a dozen
countries, according to the indictment.

