New information has come to light about the activity of the Russian hacking group Fxmsp, which last year advertised access to the networks of three cybersecurity vendors. Researchers who monitored Fxmsp's activity on underground forums tallied the attacks carried out by the group and revealed the alleged identity of the intruder. Fxmsp became widely known about a year ago, when the cybersecurity boutique Advanced Intelligence (AdvIntel) published reports on the group's efforts to close a $300,000 deal for access to networks owned by Symantec, Trend Micro and McAfee. The group has kept a lower profile since it came to the attention of the media, but it very likely continues to operate through private messages.
Researchers from Group-IB examined Fxmsp's activity on the forums where it advertised its business and estimate that the group has so far breached the networks of at least 135 companies in 44 countries. Its targets included banks, small and medium-sized businesses, government agencies, and Fortune 500 companies. Group-IB estimates that since about 2016 Fxmsp has earned at least $1.5 million from selling network access. In May 2019, AdvIntel had put the group's earnings from corporate breaches at about $1,000,000. The sum may seem large for hackers with little or no experience in trading their "assets", but Fxmsp was not working alone. Moreover, the group's real profit is estimated to be considerably higher, since access to roughly 20% of the breached companies was sold privately, with no public price attached.
According to Group-IB, Fxmsp stopped its public activity at the end of 2019, but not before advertising access to a European power company that went on to suffer a ransomware attack in 2020. One such company hit by ransomware this year is the Italian multinational Enel. According to Yelisey Boguslavskiy, director of security research at AdvIntel, Fxmsp was part of a crew called GPTitan, made up of specialists who aimed to operate covertly inside financial networks and steal customer data from high-profile targets. GPTitan supported Fxmsp's activity with two other crews, one in China and one in the USA; this collaboration led to the breaches at antivirus companies in the spring of 2019. Fxmsp appears to have stopped operating on its own and now works as part of this larger team. The non-hacking arm of Fxmsp was responsible for marketing and for monetizing access to networks and data. A network of affiliates operating under the pseudonym Antony Moricone offered the stolen information to hackers and illicit data traders, who used it to gain an advantage in decisions about companies they were interested in.
Boguslavskiy does not rule out that the Antony Moricone pseudonym is used by a single individual across many forums, which matches the findings of the Group-IB report. Specifically, Group-IB researchers identified the aliases used on other forums by Lampeduza, who handled Fxmsp's sales: Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, andropov and Gromyko. In addition, the researchers named in their report the person who may be behind Fxmsp: Andrey Turchin, who appears to be from Kazakhstan, the same name BleepingComputer arrived at in its own investigation last year. Dmitry Volkov, Group-IB's CTO, said that Fxmsp set a trend that led to a doubling of the number of sellers specializing in corporate network access in the second half of 2019. Volkov added that Fxmsp may still be active, keeping its business private. Even if it is not, it has set an example that others are now following.