Federal prosecutors have indicted Andrey Turchin, a 37-year-old citizen of Kazakhstan, on five criminal counts related to his alleged involvement in a financially motivated cybercriminal hacking collective known as Fxmsp that the Department of Justice says cost victims tens of millions of dollars.
Turchin -- who also individually goes by the alias Fxmsp -- and other members of the group have claimed compromise of more than 300 businesses, educational institutions and governments in 40 countries and sold illegal access to these victims' systems for profit, the DOJ alleges.
According to a federal indictment filed in December 2018 in the Western District of Washington and unsealed just this week, the Fxmsp actors would find their victims by scanning the internet for open Remote Desktop Protocol (RDP) ports and then conducting brute-force attacks on vulnerable machines. In other cases, the group would conduct targeted email phishing attacks designed to infect corporate employees with malware, the indictment continues.
After gaining illegal access to machines, Turchin and his accomplice would allegedly introduce additional malware such as remote access trojans, perform lateral movement around the larger corporate network, conduct digital reconnaissance, and seek out and steal admin credentials.
The five-count indictment specifically covers malicious activities spanning from at least October 2017 through December 2018. Among the victims were entities described as a U.S. airline based in New York, a global luxury hotel group, a port authority in Cowlitz County, Washington, a distributor of petroleum products in Alaska and an online transfer and digital payments services company in New York. The indictment also accuses the group of selling access to compromised point-of-sale terminals operated by various retailers, restaurants and food service providers.
In May 2019, the Fxmsp group claimed it had compromised the networks of four premier U.S. anti-virus vendors, and had offered to sell their stolen source code for $300,000, according to researchers from New York cybersecurity firm Advanced Intelligence (AdvIntel), LLC. Three of the AV companies were later identified as McAfee, Symantec and Trend Micro. All three would publish statements downplaying the threat. While Trend Micro did confirm a breach of a “single testing lab network,” it asserted that only low-risk debugging-related information was exfiltrated. The indictment does not appear to reference this collection of incidents.
In late June, cybersecurity firm Group-IB published a detailed report and blog post on Fxmsp, estimating that the operators behind the group made at least $1.5 million before apparently ceasing activity in late 2019. The report cited the same Andrey Turchin as a possible actor, which may have prompted the DOJ to reveal its own charges.
Turchin has been charged with one count of conspiracy to commit computer hacking, two counts of computer fraud and abuse, one count of conspiracy to commit wire fraud, and one count of access device fraud. Collectively, these alleged crimes add up to a maximum of 50 years in prison.
“Cybercrime knows no international borders, and stopping these crimes requires cooperation between an array of international partners. I commend Kazakhstan for its assistance in this investigation,” said U.S. Attorney Brian Moran, in a DOJ press release. “I am hopeful these critical international partnerships between cybercrime investigators will lead to holding Andrey Turchin accountable in a court of law.”