DOJ Charges "fxmsp" Hacker for Breaching 300 Organizations

by Chris Brook on Wednesday July 8, 2020

The hacker, based in Kazakhstan, sold backdoor access to over 300 victim networks, some for up to $100,000.

The U.S. Justice Department formally charged a hacker based in Kazakhstan this week for breaking into and maintaining a foothold on hundreds of networks worldwide.

According to the DOJ, which announced the charges Tuesday, the hacker, Andrey Turchin, known online as "fxmsp," was responsible for breaking into a variety of organizations and then establishing backdoors. Targets included educational institutes, corporate entities, and even governments.

Turchin hacked into over 300 entities in total, then sold that access at a premium: some backdoors cost as much as $100,000; others cost a couple of thousand.

The indictment, unsealed in the United States District Court for the Western District of Washington, names two counts of computer fraud and abuse, conspiracy to commit wire fraud, access device fraud, and conspiracy to commit computer hacking.

"The objectives of the conspiracy included gaining increasing levels of access to, and control of, protected computers of victim entities through the use of deception and false representations and fraudulently obtained credentials. The objectives of the conspiracy further included, using such access and control obtained through deceptive means, to compromise additional computers and networks both internally and externally to the victim entity. The ultimate purpose of the conspiracy involved the selling of access to victim computer networks to other cybercriminal actors for financial gain."

Turchin and his associates (he worked alongside an eponymous group, "fxmsp") hacked the organizations for more than a year, between October 2017 and December 2018, using fairly run-of-the-mill techniques: targeting open Remote Desktop Protocol ports, phishing campaigns, and brute force attacks. Once in, Turchin and company moved laterally, installed password-stealing malware and remote access trojans, and bypassed antivirus settings to steal login credentials to ensure persistence.

According to the indictment, the group advertised access to over 300 organizations across six continents, including 30 entities in the U.S. Reports claim the group has earned at least $1.5 million thanks to their business model.

While the indictment doesn’t pin any particular data leaks on the group, it’s been a constant fixture in infosec stories over the last several years. It was mentioned in a 2018 FireEye report on internet crime; specifically, it was linked to a global breach of a luxury hotel group. It was also connected to the sale of access to internal networks and assets belonging to three US-based antivirus companies in 2019.

The indictment doesn’t name any of the companies but says the group offered access to a luxury hotel group with locations across Europe, North Africa, Latin America, and the Caribbean, an Alaska petroleum company, a software developer in California, a U.S. hotel chain, an African power company, a private school, and a university in Puerto Rico, to name a few.

Of course, in today’s world, it’s unclear whether the indictment will actually amount to anything. The U.S. regularly charges individuals, but oftentimes these hackers reside in far-flung corners of the globe, usually in areas where extradition isn’t an option.

Tags:  hacking
