Threat Watch

Threat Actor Behind Fxmsp Group Indicted by US Authorities

On July 7th, the US District Court in Seattle unsealed an indictment, originally filed under seal in December 2018, charging Andrey Turchin with computer hacking and criminal conspiracy offenses related to his alleged computer intrusion activity. Turchin is accused of being a member of a prolific cybercriminal group that hacked the computer networks of over 300 corporate, educational, and government institutions around the world. The members of the group used aliases including “fxmsp,” “BigPetya,” “Lampeduza,” “Antony Moriscone,” and others. To gain initial access to victims' computers, the group used brute force attacks and stolen credentials to log in through remote access systems, including Remote Desktop Protocol (RDP) servers exposed to the Internet, as well as phishing email attacks. Once access had been obtained, Turchin is alleged to have installed Remote Access Trojan (RAT) software to maintain access, stolen administrator account credentials, and moved laterally through the internal network to gain control of additional servers. After gaining complete control over a network, the group sold access to the victim systems to other cybercriminals through a variety of criminal forums and underground markets, including Exploit[.]in, fuckav[.]ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t. Turchin is a citizen of Kazakhstan, where he was last believed to be located. The identification of Turchin is the result of an investigation by the FBI Seattle Field Office in coordination with the National Crime Agency of the United Kingdom.

ANALYST NOTES