A high-profile hacking collective claims it compromised the networks of four premier U.S. anti-virus vendors, and is offering to sell their stolen source code for $300,000, according to researchers.

The cybercriminal group, called Fxmsp, is known for breaching corporate and government networks, then selling their digital assets via a network of proxy resellers, according to New York cybersecurity firm Advanced Intelligence (AdvIntel), LLC. The company’s researchers have been tracking Fxmsp on the dark web since July 2018, when the group first appeared in a top-tier Russian forum.

The source code was supposedly extracted from a combination of anti-virus software, artificial intelligence models and security plug-in software, Advanced Intelligence reported in a May 9 company blog post. For security and responsible disclosure reasons, the firm is not publicly naming the affected AV companies at this time.

For its part, AdvIntel believes the claims are truthful. “We have high confidence and saw direct evidence suggesting that Fxmsp does have companies’ files,” AdvIntel Director of Security Research Yelisey Boguslavskiy told SC Media today in an interview. “We believe with moderate-to-high confidence that it is possible to extract source codes from these files, if a sufficient technical skill is present.”

The first stirrings of trouble began in March 2019, as AdvIntel collected dark web intelligence related to corporate network breaches and an offer to sell stolen data. On April 24, the researchers were able to confirm Fxmsp’s attempted sale of AV companies’ data.

“According to the hacking collective, they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies’ internal networks,” the AdvIntel blog post states.

Even though the post references only three victimized AV companies, Boguslavskiy told SC Media that on May 5 Fxmsp claimed that it had breached a fourth company. However, further details including the identity of the fourth company remain a mystery, as they have “never been disclosed” by Fxmsp, he stated.

To help market their illicit goods in dark web forums, the hackers included screenshots of folders purportedly containing 30 TB of extracted data. “The folders seem to contain information about the company’s development documentation, artificial intelligence model, web security software, and antivirus software base code,” the post continues.

The hackers also included comments on and assessments of the AV products’ capabilities. “Fxmsp stated that one of the four companies has the most developed security technology, but the other one has a huge client base,” Boguslavskiy said.

Boguslavskiy also informed SC that Fxmsp recently placed the sale on hold, due to what the hacking collective claimed was a compromise of one of its accesses. “This happened after we have notified the victims; therefore, we are currently figuring out the connection between our notification and their [Fxmsp’s] compromise,” he said.

Fxmsp announced the sale would resume on dark web forums soon, noting that trusted actors would receive two-week notice, Boguslavskiy added.

AdvIntel assesses with “high confidence” that Fxmsp “is a credible hacking collective” that has profited over $1 million from the sale of stolen assets. According to the blog post, the group is proficient in both Russian and English, and is known to access victims’ network environments “via externally available Remote Desktop Protocol (RDP) Servers and exposed Active Directory.” Its members may also have developed their own credential-stealing botnet.

Until this most recent activity, the hacking group had been quiet since last October, when it abandoned dark web forums and migrated to secure messaging services in order to conduct business. “In April [we] were able to resume monitoring Fxmsp again,” said Boguslavskiy.

AdvIntel is actively working with U.S. law enforcement on the case.