Feds Unseal 2018 Indictment Charging Kazakh Man in Hacks

07 July 2020

Feds Unseal 2018 Indictment Charging Kazakh Man in Hacks

Two weeks after a cyber-security firm from Kazakhstan, federal authorities in Seattle on Tuesday unsealed a 2018 indictment charging the man with an array of computer crimes.

Over a period of two years, a threat actor sold access to the compromised networks of 135 organizations in 44 countries and likely made over $1.5 million, Group-IB says.

Using the online moniker Fxmsp, the individual started selling access to company networks on October 1, 2017, and seized all activity in September 2019, several months after he came to fame for the hacking of three antivirus companies in the United States.

In May last year, Fxmsp was asking $300,000 for data exfiltrated from said organizations (likely McAfee, Symantec, and Trend Micro), including fragments of the antivirus software source code, analytical modules, design documents, and the like.

Between October 2017 and July 2018, Fxmsp sold access to compromised networks personally, but then found an accomplice who became his sales manager. The activity completely stopped in September 2019, after the hackers racked over $1.5 million in proceeds from their illegal activities (excluding sales made through private messages and access sold without naming a price).

To compromise networks, the threat actor performed attacks en masse, targeting all kinds of industries, ranging from small websites of schools to large banks and hotel chains. Between October 2017 and September 2019, the hacker advertised access to the networks of 135 companies.

In a report published this week, Group-IB reveals that the sectors hit the most were light industry, information technology, retail, government, education, hospitality, oil and energy, and financial services. A dozen other industries were hit as well. The hacker would target the Remote Desktop Protocol (RDP) for persistent access to the victim environments.

Group-IB’s security researchers believe that Fxmsp had already compromised enterprise networks by September 2016, when he first registered on an underground forum. Likely not knowing how to monetize the compromised resources, he was using the networks to mine for crypto-currency.

Based on the hacker’s activity on underground forum fuckav[.]ru, Group-IB determined that, in addition to crypto-miners, he likely engaged in the use of the Atmos Trojan, the Metasploit PRO pentest software, and brute force attack tools.

In July 2017, he registered an account on exploit[.]in, where he focused on selling access to the compromised networks. By January 2018, he already had 18 buyers. By the end of July 2018, he was offering access to 51 companies in 21 countries.

“The cybercriminal shared the price in only 30% of cases. By that time, after 9 months of activity, the minimum average price for all visible accesses that he advertised was $268,000 (without including the sales he made through private messages),” Group-IB notes.

In July 2018, Fxmsp ceased all activity on forums, having appointed a user named Lampeduza (also known as Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, andropov, and Gromyko on other forums) as his sales manager.

Between August and November 2018, Lampeduza shared posts advertising access to the networks of 62 new companies, with a total price for all of the access at $1,100,800. The two were banned from the forum in October, after trying to sell access to the same network to multiple cybercriminals.

The duo focused on private sales to a small circle of trusted clients, but resumed activity on other forums in March 2019. Over the course of 2019, they advertised access to corporate networks belonging to only 22 companies, with a total price of $124,100.

An investigation into the Jabber nicknames and email addresses used by Fxmsp has lead the security researchers to the conclusion that the individual behind the moniker is Andrey A. Turchin from Almaty, Kazakhstan.

“At the time of writing, Fxmsp is no longer conducting public activities. It is uncertain, however, whether he is still breaking into company networks and selling access to them. Given the risk, we deem it essential to offer universal recommendations on how to prevent attacks that bear similarities to those conducted by Fxmsp,” the researchers conclude.