An infamous hacker dubbed Fxmsp breached the corporate networks of 135 companies in 44 countries between 2016 and 2019 and earned at least $1.5 million by selling access to breached networks.
A recent report from security firm Group-IB has revealed how Fxmsp, a prominent Russian-speaking hacker, breached far more corporate networks than initially assumed, even though he gained infamy last year for breaching the networks of three popular cyber security vendors: Symantec, Trend Micro, and McAfee.
In October last year, security firm Recorded Future provided us the first comprehensive peek into Fxmsp's activities. While Group-IB says Fxmsp is a Russian-speaking male, Recorded Future called the entity "a Russian- and English-speaking cybercriminal collective" that specialised in breaching IT networks and earning a lot of money by selling access to breached corporate networks.
Fxmsp breached at least 135 corporate networks in three years
According to Recorded Future, Fxmsp sold unauthorised access to corporate networks for between a few hundred dollars to over $100,000 and its list of victims included financial, e-commerce, industrial organizations, and governmental institutions in multiple countries.
"Fxmsp Group displays patience and coordination among team members. The actor using the moniker “Fxmsp” is charged with compromising networks, while the actors using the monikers “Lampeduza,” “Antony Moricone,” “Nikolay,” “BigPetya,” and others are responsible for maximizing unauthorised access monetisation.
"We assess with medium confidence that Fxmsp Group attempts to monetise unauthorised access through a network of private contacts before quasi-publicly creating a sales thread or auction for a larger pool of buyers. This suggests that forum auctions initiated by Fxmsp Group are only a fraction of the available unauthorised access that Fxmsp Group is attempting to monetise at any given time," the firm said.
According to Group-IB, Fxmsp breached the networks of at least 135 organisations across 44 countries before ceasing all activities in late 2019. The entity's last known exploit was selling access to the corporate network of a European energy company that subsequently suffered a ransomware attack in early 2020.
Fxmsp made his first appearance on an underground forum called fuckav[.]ru where he made enquiries about self-propagating persistent cryptomining malware and other Trojans for infecting corporate networks. Though initially lacking experience, he quickly got into the act and in no time, started selling access to the networks of a Nigerian bank, a chain of luxury hotels, and another African bank with a capitalization of $20 billion, among others.
In 2017, Fxmsp was temporarily banned from the Russian forum after he attempted to sell access to breached Russian networks, including the networks of the customs office in two Russian cities. Having learnt his lesson, the hacker hired another hacker with a nickname Lampeduza (aka Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, andropov, and Gromyko) and started selling access to overseas corporate networks with greater gusto.
Fxmsp inspired many other hackers into breaching corporate networks for profit
"Fxmsp is one of the most prolific sellers of access to corporate networks in the history of Russian-speaking cybercriminal underground who publicly advertised the access to 135 companies, which brought him more USD 1.5 mln in profits. He set a trend and his success inspired many others to follow suit: the number of sellers of access to corporate networks increased by 92% in H2 2019 vs H1 2017, when Fxmsp entered the market," said Dmitry Volkov, Group-IB CTO and Head of Threat Hunting Intelligence.
"Prior to Fxmsp joining the underground, the sellers would offer RDP access to separate servers, without even bothering to ensure persistence or performing reconnaissance in the network. Fxmsp took this service into a whole new level. Despite rather simplistic methods he used, Fxmsp managed to gain access to energy companies, government organizations and even some Fortune 500 firms.
"Fxmsp had indeed ended all public operations, however, it’s not unlikely that he continues making private offers posing a threat to companies in many industries, regardless of their location. In light of this, we decided to release this report, make our materials on Fxmsp’s TTPs accessible to the public, and provide recommendations to help companies protect against the types of attacks conducted by Fxmsp and similar cybercriminals.
"We hope that our research will help to locate and arrest the threat actor hiding behind the nickname Fxmsp and his accomplices, which is why we’ve shared the expanded version of the report with international law enforcement agencies," he added.