The U.S. Department of Justice and the U.S. Attorney’s Office from the Western District Of Washington recently revealed the identity of the “Invisible God” hacker as a citizen of Kazakhstan, Andrey Turchin, a.k.a. “fxmsp”, 37.
The individual was charged with various federal crimes related to a prolific, financially motivated cyber-crime group that hacked the computer networks of a broad array of corporate entities, educational institutions and governments throughout the world.
U.S. Attorney Brian T. Moran, said that the “fxmsp” group established persistent access, or back-doors, to victim networks, which then advertised and sold to other cyber-criminals subjecting victims to a variety of cyber-attacks and fraud.
According to the five-count indictment and records on file, from at least October 2017 through the date charges were returned by a Grand Jury, in December 2018, Turchin and his accomplices perpetrated an ambitious hacking enterprise broadly targeting hundreds of victims across six continents, including more than 30 in the United States.
Turchin and his co-conspirators then marketed and sold the network access on various underground forums commonly frequented by hackers and cybercriminals, such as Exploit.in, fuckav.ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t, among others.
Prices typically ranged from a couple thousand dollars to, in some cases, over a hundred thousand dollars, depending on the victim and the degree of system access and controls.
Many transactions occurred through use of a broker and escrow, which allowed interested buyers to sample the network access for a limited period to test the quality and reliability of the illicit access.
As has been publicly reported, the “fxmsp” group has been linked to numerous high-profile data breaches, ransomware attacks, and other cyber intrusions. According to the Group iB, out of the 44 countries hit, 135 of the companies hit were in light industry, IT and Retail. Turchin made at least USD 1.5 million through three years of these activities.
As reported by BleepingComputer, their modus operandi as described in the diagram, consisted of remote desktop protocol attacks and credential stealing botnets that targeted anti virus companies to extract source codes and gain access to internal networks to obtain assets.
Singapore-based cybersecurity firm Group iB believes that the group might still be around. BankInfoSecurity believes that by April 2019, three anti-virus vendors, namely McAfee, Trend Micro and Norton (Symantec) had their source code stolen by the group. Yelisey Boguslavskiy, AdvIntel’s CEO told Information Security Media Group that he is of the opinion that the anti-virus hacking was a by-product of fxmsp’s larger gamble. The group wanted to make their botnet tougher for security software to identify.
Perhaps more worryingly, is that Boguslavskiy believes the fxmsp group may still be working privately using their botnet or perhaps even joining forces with other botnet operations.
AdvIntel’s report back in December of 2019 turned up a hig-profile threat actor, “b.wanted”. This group relies on a multi-layered set of access backups, botnet infections, access via credentials, access to the domain controller and access via remote desktop protocols too.
According to Boguslavskiy, the genius of this solution is that all four types of accesses secure each other. “In case one method is being compromised, the other will still maintain the actor’s visibility into the victim’s network…I personally believe that it is likely that b.wanted and the Fxmsp may be the same person, or members of the same team,” Boguslavskiy concluded.
Sources: US Department Of Justice, Group iB, BleepingComputer, BankInfoSecurity and MIT Technology Review
Follow Asia Blockchain Review on:
First published on: Asia Blockchain Review
