Feds Indict 'Fxmsp' for Hacking Multiple Firms

Andrey Turchin is the Alleged Leader of the 'Fxmsp' Collective, Prosecutors Say
Andrey Turchin was also named as being "Fxmsp" in a report on the group issued in June by cybersecurity firm Group-IB

The U.S. Justice Department unsealed an indictment Tuesday charging a Kazakhstan citizen with leading a hacking collective known as "Fxmsp." The group has been accused of carrying out hundreds of attacks worldwide over the past several years.

Andrey Turchin, 37, who allegedly also goes by the name "fxmsp," now faces five federal charges, including two counts of computer fraud and abuse and one count each of conspiracy to commit computer hacking, conspiracy to commit wire fraud and access device fraud, according to the U.S. Attorney’s Office for the Western District of Washington, which is overseeing the case. The most serious charge - conspiracy to commit wire fraud - carries a sentence of up to 20 years in federal prison.

The Fxmsp group is suspected of hacking more than 300 corporate entities, educational institutions and government agencies in over 40 countries, including over 30 organizations in the U.S., according to the 2018 federal indictment.

The unsealing of the federal indictment comes after Singapore-based security firm Group-IB published a lengthy report last month about the Fxmsp group's activities, including details about at least $1.5 million in illicit profits that hackers collected thanks to a botnet-based business model via which they sold access to hacked sites to other criminals (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).

By cross-referencing email addresses used by Fxmsp across multiple platforms, including Jabber, Group-IB's report also detailed how the firm was able to deanonymize Turchin - aka Fxmsp, uwert, vidi, bosslb - in part via social media posts. The security firm said Turchin appeared to be residing in Almaty, Kazakhstan.

"As we can see from the Department of Justice’s indictment charging Fxmsp, Group-IB’s suggestion that the factual number of victims as well as earnings made as result of Fxmsp’s activities might be even higher has proved to be right," Group-IB CTO Dmitry Volkov tells Information Security Media Group.

"As stated in Group-IB’s report, at one of the stages of his cybercriminal career, Fxmsp made sales only through private messages, therefore, the data provided in the report represented the low-range estimate, since it only took into account public lots offered by the cybercriminal."

Turchin is currently not in federal custody. But he has now been detained by police in Kazakhstan, Bleeping Computer reports.

Fxmsp Hacking Group

The Fxmsp group gained public attention in April 2019, after trying to sell remote access to three anti-virus vendors' networks as well as 30 TB of stolen data, which they claimed included source code (see: Crime Gang Advertises Stolen 'Anti-Virus Source Code').

At the time, McAfee confirmed that it had been targeted. So too did Trend Micro, with a spokeswoman telling ISMG that it was "aware that unauthorized access had been made to a single testing lab network by a third party and some low-risk, debugging-related information was obtained." The third alleged target, Symantec, has not responded to multiple requests for comment, although it has told Bleeping Computer that its systems were not compromised.

Fxmsp was most active between October 2017 and October 2018, before an apparent lull in its operations. In April 2019, the group reappeared, and the following month began offering the stolen anti-virus vendor data, source code and remote access for sale for $300,000. But the sale was revealed via a report published by New York-based fraud prevention and risk management firm Advanced Intelligence - aka AdvIntel - which it said was designed to drive Fxmsp off of the cybercrime forums it relied on to advertise its wares (see: Hacking Timeline: Fxmsp's Rise and Apparent Fall).

"Fxmsp was acting privately - beyond forums - until May 9, 2019, when we terminated their operations," Yelisey Boguslavskiy, AdvIntel's CEO, has told ISMG.

Of course, members of the group may since then have been operating privately and under different names.

Brute-Force Arsenal

Over the years, Fxmsp used brute-force attacks and sent phishing emails with malicious attachments to employees of targeted organizations, according to the newly unsealed court documents.

If those methods worked, Fxmsp would infect victims' devices with malware designed to give the attackers control of the device. The attackers would then conduct surveillance, exfiltrate data and use administrative credentials to install other malware such as password stealers and remote access Trojans within a targeted organization's network to establish persistence, according to the indictment. The attackers even modified the anti-virus software settings on the infected device to evade detection, the indictment says.

Fxmsp used this access to move laterally within the network and infect other systems and devices on the network with malware. Establishing persistence was key to the group’s main goal, which was to sell access to the compromised computer networks to other cybercriminals for financial gain, according to the court documents.

Remote Access for Sale

The hacking collective sold access to infected networks, offering sellers either a backdoor or working remote desktop protocol credentials gathered by their malware, security researchers say. The group also utilized underground forums such as Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t to market stolen data and illicit access to infected systems, according to the Justice Department.

Members of the group provided buyers with post-sale technical assistance, using platforms such as Jabber to make their communications tough to track, as well as relying on bitcoins to conceal financial transactions, the indictment says. They also used monikers such as "BigPetya," "Lampeduza," "Nikolay" and "Ares," among other aliases, to hide their identity, the court documents note.

The price of the remote access to sites being offered by Fxmsp ranged from thousands to tens of thousands of dollars, even exceeding $100,000 in some cases, prosecutors say. In other cases involving financial institutions and other high-value targets, the hacking group would take a percentage of future profits obtained by the buyer, according to the indictment.

Turchin and his group allegedly advertised and tried to sell network access to an Alaska-based distributor of petroleum products, a law firm in Colorado, a New York-based airline, a New York-based digital payments firm, the Ministry of Finance of an African country, the Ministry of Mining of an Asian country, a South Asian media firm, an African bank and numerous other financial services firms, according to the indictment.

Turchin also allegedly claimed to have access to over 200 government and law enforcement networks in the U.K. as well as point-of-sale terminals at cafes, restaurants and retail stores in over a dozen countries, according to the indictment.

Executive Editor Mathew Schwartz contributed to this story.

About the Author

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.
