Major antivirus companies, banks, insurance providers, government agencies, large hotels, wineries, restaurants, airlines. Think of almost any kind of company and there’s a good chance a prolific, financially-motivated hacker known as Fxmsp has broken into it, or attempted to, according to a report released Tuesday.
Dubbed the “invisible god of networks,” he’s a suspected male from Kazakhstan who claimed to have broken into 135 companies since his first appearance in 2017, according to the report. Group-IB, a security company that recently shifted operations from Russia to Singapore, estimated he’s made $1.5 million along the way, working with an unidentified accomplice known as Lampeduza to sell access to victim networks.
He came to prominence in May last year after claiming to have broken into a handful of cybersecurity companies: McAfee, Symantec and Trend Micro. (Trend was the only one to confirm a breach of its labs). The hacker was reportedly offering access to the antivirus software source code and various product design documents for $300,000.
A brief history of a hacker
The name Fxmsp was first seen by Group-IB in 2016 on a Russian hacking forum. At that point, he appeared to be breaching company networks and using the stolen compute power within to mine cryptocurrency. To create new cryptocurrency, complex mathematical problems have to be solved, which typically needs substantial compute power. Hackers will often steal that compute power from networks they’ve broken into.
Over time, Fxmsp moved on to more sophisticated cybercriminal sales, acquiring access to networks via remote desktops after scanning the web for vulnerable systems.
His targets were random, Group-IB found. “Fxmsp always scans a range of IP addresses within a city or a country for certain open ports. Based on the cybercriminal’s messages posted on underground forums, to do so he uses a popular software called Masscan as well as more advanced scanners,” Dmitry Volkov, CTO of Group-IB, told Forbes. “Whoever has got an open RDP [remote desktop protocol] port falls victim to Fxmsp. Despite this rather simplistic method he used, Fxmsp managed to gain access to energy companies, government organizations and even some Fortune 500 firms.”
He moved over to an infamous hacking forum called exploit[.]in, where he began selling access to business networks from October 2017, offering a route into the systems of a Nigerian bank. That same month, he claimed he had access to the network belonging to a chain of luxury hotels with locations in the Dominican Republic, Cuba, Panama, the U.S., Europe, amongst other destinations. He was selling access to 600 servers and 1,000 workstations used by the chain, which could be used to either steal banking information or espionage and data theft. By January 2018, he was showing off an American map containing the locations of properties of yet another hotel chain he claimed to have hacked.
By July 31 2018, Fxmsp had offered access to 51 companies in 21 countries on exploit[.]in. The minimum average price for advertised sales $268,000, Group-IB calculated.
After apparently teaming up with another hacker known as Lampeduza, the sales were diversified across numerous forums. It was Lampeduza who claimed that any buyer would become the “invisible god of networks.” “Gaining access alone means nothing. But when you obtain access that gives control of the entire company, including all networks, PCs and laptops within that network, and all the credentials for networks, PCs and domain controllers – that’s a huge challenge,” Lampeduza wrote in one ad. Domain controllers police who can connect to a business network and offer hackers a passkey to prowl a breached business’ accounts, such as their Microsoft and Google email or document services.
Though they were banned from the hacking forum for selling single company access to multiple parties, they continued with private sales and shifted focus to other forums, using multiple personas, Group-IB found.
A link to Kazakhstan
Group-IB collected all the contact information and website registrations it had linked to Fxmsp over the years and used it to trace it back to a VK.com profile of a man in Almatay, Kazakhstan. (Forbes has chosen not to print his name as he was unreachable for comment at the time of publication and no official government allegations have been made).
The hacker’s main mistake was to include his name in some domain registrations that the security researchers were able to tie to an individual, according to the report, which also claims he was born in the 1980s.
Group-IB, which has previously worked closely with Europol, says it has passed its findings onto international law enforcement agencies, though was not authorized to comment on whether any police action on Fxmsp was imminent.
Some believe Fxmsp is more than one person. As Alex Holden, founder of cybersecurity company Hold Security told Forbes, “he is definitely not the brains or technology of the group.” He believes the gang has “minimized” their public footprint to sell “to an established and vetted audience.”
Indeed, as of today, Fxmsp has disappeared from hacker forums and is no longer offering such deep access to his victims’ networks. He’s either given up or has shifted solely to private sales. Or he’s simply operating under a different name on better shielded corners of the web.