Invisible god of networks unmasked by Singapore infosec company – iTWire
iTWire had registered to obtain the document which was made available to the public in June. iTWire sought the document last week when an article about the fact that the case against the man, Andrey Turchin of Kazakhstan, had been dropped, was being prepared, but it was not sent by email as is usual when one registers for documents of this nature. However, on Wednesday, a Group-IB representative made contact and sent over the document. It makes for fascinating reading.
The publication of this document led to the US Government being forced to drop its case against Turchin; Washington had issued a sealed indictment against the man, but on 7 July, following the publication of several articles about him based on the Group-IB document, the government requested a court to drop the secrecy, saying that it was being abandoned because the information about the man was now in the public domain.
The 44-page document drafted by the Singapore-based Russian firm lists Turchin’s career from day one onwards. The first indication of his activities came on 1 October 2017 when an ad was posted on exploit.in, one of the most popular Russian-speaking underground forums, offering access to numerous corporate networks, a service which was rare in the underground at the time.
“For the first time, a user with an unusual nickname was offering access to all critically important network segments of compromised organisations and announced that a bank was among his victims, which back then was a unique lot,” Group-IB said. It marked the birthday of Fxmsp as a famous seller of access.
His name gained global notoriety in May 2019 when a report claimed that the secure networks belonging to three leading anti-virus companies had been breached. The firms were named as US-based outfits Trend Micro, Symantec and McAfee by a security firm known as Advanced Intelligence.
Group-IB said Fxmsp had obtained access to parts of the anti-virus source code, analytical modules and design documents and was trying to hawk the lot for US$300,000. He explained that he carried out a targeted attack to get hold of this loot.
In three years, Fxmsp went from being an ordinary user on a hacker forum to a major player and soon acquired a loyal customer base and also appointed a dedicated sales manager.
By the time the news of the anti-virus company hacks broke, Fxmsp had stopped all public activity, but was at large and remained a threat to companies in many sectors. Group-IB said this was why it had released the report about Turchin.
The document said in a little more than three years, Fxmsp gained access to corporate networks in more than 44 countries and made more than $1.5 million, not including the 20% of companies to which he offered access without a price and the sales he made through private messages.
Group-IB said Turchin did not concentrate on any one industry, targeting major banks and hotel chains as well as small sites belonging to schools.
As far as methods of attack went, Fxmsp used scans of certain IP ranges, identified potential victims who had Remote Desktop Protocol (RDP) ports open, mainly port 3389 on Windows computers, and then used a program named RDP Recogniser to prepare for the attack. After that he used various brute-force methods to guess RDP passwords and gain entry.
Once he was in, Fxmsp disabled the existing anti-virus software and firewall and then added a few accounts, before achieving persistence on the network by using a backdoor, probably something like the Meterpreter payload. In his own posts, Fxmsp said he set a long interval for connections with command and control servers: 15 days.
Fxmsp’s interests. Courtesy Group-IB
The next step, Group-IB said, was network reconnaissance with Fxmsp’s aim being to gain access to the domain controller. After that he would harvest dumps of all accounts and try to decrypt them, using the Windows Password Recovery program at least once.
Then followed the compromise of back-up servers after which Fxmsp began the process of monetisation with the aid of his accomplice, Lampeduza. In earlier stages, he would install a cryptocurrency miner on compromised machines.
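As an added, defender-side illustration of the RDP entry point described above (example code written for this article, not Group-IB’s or iTWire’s), the following Python flags a source address that makes repeated failed RDP logons and then succeeds, using constructed Windows Security events (4625/4624, logon type 10); the threshold and window values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (made-up, not from the Group-IB
# report): "timestamp,event_id,logon_type,source_ip,user". 4625 = failed logon,
# 4624 = successful logon; logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
2017-05-10T02:00:01,4625,10,203.0.113.7,administrator
2017-05-10T02:00:02,4625,10,203.0.113.7,administrator
2017-05-10T02:00:04,4625,10,203.0.113.7,admin
2017-05-10T02:00:05,4625,10,203.0.113.7,administrator
2017-05-10T02:00:07,4625,10,203.0.113.7,administrator
2017-05-10T02:00:09,4625,10,203.0.113.7,administrator
2017-05-10T02:00:12,4624,10,203.0.113.7,administrator
2017-05-10T08:15:00,4625,10,198.51.100.4,jsmith
2017-05-10T08:15:20,4624,10,198.51.100.4,jsmith
2017-05-10T09:00:00,4625,2,10.0.0.5,svc_backup
"""

FAIL_THRESHOLD = 5              # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert

def parse_events(text):
    """Turn the flattened records into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, src, user = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "logon_type": int(ltype), "src": src, "user": user})
    return sorted(events, key=lambda e: e["ts"])

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One alert per source IP with >= threshold failed RDP logons in a sliding
    window; a later successful RDP logon from that source inside the window
    escalates the alert (the password guessing appears to have worked)."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = {}
    for e in events:
        if e["logon_type"] != 10:
            continue               # ignore console, service and network logons
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if e["id"] == 4625:
            recent.append(e["ts"])
            failures[e["src"]] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(e["src"], {"src": e["src"], "first": recent[0], "success_user": None})
                alert["failures"] = len(recent)
        elif e["id"] == 4624 and e["src"] in alerts and recent:
            alerts[e["src"]]["success_user"] = e["user"]   # escalate
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, only 203.0.113.7 is reported: six failures in ten minutes followed by a successful RDP logon as administrator, while the single mistyped password from 198.51.100.4 stays below the threshold.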
Group-IB said Fxmsp first registered on a popular hacker forum in September 2016 known as fuckav[.]ru (hxxps://fuckav[.]ru/member.php?u=36898).
He was largely silent during the first two months after that but it was likely that he had already successfully hacked into many networks by then. However, he was unaware as to how he could turn this activity into cash.
On 11 November 2016, he wrote his first post, looking for self-propagating persistent cryptomining malware. But he only got a rude reply asking him to get to the point and avoid asking pointless questions.
Shortly thereafter, he started testing the banking trojan called Atmos, which was popular at the time. Atmos, a version of the Citadel malware, is based on the Zeus trojan and steals banking data through form grabbers and Web injections. It also intercepts card data from GET and POST requests and had an ATS function.
Atmos also has a VNC module which allows remote connections to the victim’s computer and the trojan uses keyloggers and webloggers and a module for stealing files. The source code of Atmos was shared publicly in June 2016 and it has a number of additional functions.
At that stage, Fxmsp left a long trail that could compromise his identity as many novice hackers do. In late November, he published his last post and took a break. After that he was inactive for six months until May 2017 when he posted saying he had gained partial access to a large network divided into three administrative zones and gained RDP access to some devices.
Geographical distribution of Fxmsp’s victims. The map doesn’t include international companies operating in different countries (5) and the companies to which Fxmsp was selling access without specifying their location. Courtesy Group-IB
There were 6000 servers in that network and he understood that brute-force attacks on all would be pointless so he asked other users for clues. It was suggested to him that he visit the site exploit[.]in where he would be able to find experts who could hack password hashes stored in Security Account Manager databases. Five hours later on the same day, he said his problem had been solved.
The editing of the post made it possible to identify one tool used to attack the corporate networks: Windows Password Recovery.
In June 2017, Fxmsp decided to experiment with new ways of breaking into networks and started using the popular pentesting app Metasploit PRO. He listed his interests on one underground forum.
While looking at his activity on this forum, Group-IB experts were able to identify the tools he used to gain persistence on systems.
In early June 2017, Fxmsp’s activity on the fuckav[.]ru forum decreased, but users with the same nickname were found to be registering on other hacker platforms. One day after joining proxy-base[.]com, Fxmsp wrote that he had gained access to a network of 1.5 million devices. And by further scanning networks for unsecured RDP ports, he found 230,000 devices with port 3389 open.
“It is worth pointing out Fxmsp’s confusion,” the Group-IB report said. “Having gained access to a compromised company, he had no intention of selling that access or using sensitive information in the network for the purpose of reselling it. His only goal was mining the cryptocurrency Monero and he was planning on using the compromised organisation’s server capacities to do so. Two users — with the nicknames zunbah and Kibergyry — expressed their willingness to help.”
He was asked if the plan had succeeded and said it had, thanks to the use of DNS. This gave him confidence to the extent that he began talking of hacking into IBM and Microsoft.
While Fxmsp may have registered on the exploit[.]in forum for other purposes, he had only one focus: scanning a large network linked to stock trading platforms in search of vulnerabilities. After his last message on 16 June 2017, he went silent for three months.
Distribution of Fxmsp’s victims by industry. Courtesy Group-IB
On 1 October he was back advertising for sale access to corporate networks without the names of the companies and not providing contact details.
A week after posting this ad, he appeared to comprehend that finding buyers in the underground community would be difficult unless he named his victims. He then revealed the name of a bank in Nigeria. On 14 October, he mistakenly shared one of his Jabber accounts, werty5411@exploit[.]im, information that was later used to establish his identity.
On 10 October 2017, Fxmsp said he had gained access to a network of luxury hotels in the Dominican Republic, Cuba, Panama, the US and European countries. He claimed to be able to directly trace hotel guests and access the security services’ servers, Active Directory, databases and credit card control panels. He also shared a map showing geographical locations of the hotels.
On 12 December that year, Fxmsp said he had gained entry to an African bank which had capitalisation of US$20 billion. He claimed that he had access to user accounts, passwords, databases, accounts, bank cards, bank accounts, and accounting records.
He also tried to sell access in Russia: on 30 December, he put up an ad for sale of access through Radmin to an ATM and the website of customs offices in two Russian cities.
On 2 January, he indicated that access to the databases was no longer for sale, a hint that he had found a buyer. Soon he edited his message and said he did not work in countries of the Commonwealth of Independent States, states that were part of the old Soviet Union.
Group-IB pointed out that Russian hackers had an unspoken rule about not working in Russia and CIS states, mostly due to a fear of being arrested.
“When you operate in other countries, any potential criminal investigation proceedings will take place in the victim country, which means that the chances of being caught and extradited are minimal, particularly if you choose to target countries that have weak diplomatic ties with Russia, or none at all,” Group-IB pointed out.
Fxmsp eventually earned a ban from the forum for violating the rule of not working in Russia. He appeared to have learnt his lesson, promptly deleting all offers linked to Russia and the ban was lifted.
On 3 January 2018, he placed another ad for the sale of access to the network belonging to a company that builds and manages luxury hotels in the US. Two weeks later, he mentioned that he had 18 buyers at the time, being forced to show his hand to counter accusations that he did not have the access he boasted about.
On 6 February 2018, the author of an ad started selling access to an Indian company and its subsidiaries. He named eight companies, including two from the financial sector.
During his period of activity on exploit[.]in, Fxmsp advertised access to 51 companies in 21 countries, but stated the price in only a third of the cases. By then, after nine months, the minimum average access price he was asking was US$268,000, not including the sales he made through private messages.
Fxmsp went quiet again after advertising access to an Indonesian company in April 2018 and did not surface again until mid-July. In April, he published an ad for access to another five companies and appointed a user with the name Lampeduza as his sales manager.
Group-IB said Lampeduza registered on exploit[.]in on 10 April 2018. He used different pseudonyms on other platforms but Group-IB experts were able to find out that Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, andropov, and Gromyko were all his nicknames.
The researchers made the connection between Fxmsp and Lampeduza because they often published similar messages. Before he started working with Fxmsp, Lampeduza sold bank card dumps (data stored on the card’s magnetic strip) as well as login details and passwords to Facebook accounts. He was also interested in hacking into Snapchat accounts. The contact details that Lampeduza provided were in the form of a Jabber account: zeusl1fe@exploit[.]im.
Group-IB said it discovered in early 2018 that Fxmsp and Lampeduza were working together. On 1 January, Lampeduza posted on the Omerta forum, saying he was looking for work. Later he began sharing posts on this forum about the sale of access to the same companies that Fxmsp had advertised.
In July 2018, the pair resumed their co-operation. On 16 July, a message appeared on an underground forum (en.wt1[.]la) about access to a corporate network belonging to a multinational retail franchise operator.
By analysing the brands involved, Group-IB specialists discovered the name of the company. Fxmsp had advertised selling access to the same firm on exploit[.]in in February 2018. The message was published by a user with the nickname Fivelife, whose contact details showed the Jabber account zeusl1fe@exploit[.]im, which Lampeduza had shared on exploit[.]in.
Lampeduza then began sales again on Omerta under the nickname Antony Moricone. Though many of his posts were deleted, Group-IB was able to salvage the details.
From 10 September, Lampeduza started selective posts, concealing the names of companies from users who had less than 50 posts. But Group-IB was able to retrieve the information.
On 26 September, Lampeduza made the post that gave Fxmsp his name, writing “[You will have access to the company’s] entire network … You will become THE INVISIBLE GOD OF NETWORKS…” in a post about having access to compromised servers. He said that if access was lost, it could be regained through backdoors left in the network.
By late October 2018, the work of both Fxmsp and Lampeduza was threatened because they were trying to sell access to the same network to numerous buyers. The topic was raised by a user named g0rx who said he knew someone with the nickname mimikatz who had bought access to a corporate network from Fxmsp only to find later that there were cryptominers in it. As a result, both Fxmsp and Lampeduza were banned from the forum on 24 October.
They resumed activity on forums in mid-March next year. Fxmsp’s activity culminated in April that year when Advanced Intelligence claimed to have been told by Fxmsp that he had compromised three servers belonging to anti-virus companies.
According to Fxmsp, he had also exfiltrated source code of the anti-virus agents, analytics modules, and security plug-ins for browsers from the compromised network. He was asking US$300,000 for access and the code. Trend Micro admitted that it had been breached but the other two companies said nothing.
In May 2019, Lampeduza announced he was no longer working with Fxmsp and had nothing to do with the source code leak from the anti-virus companies. By then, Lampeduza was dealing only with his regular customers.
On 19 September, he said he was able to sell access to a new corporate network. Group-IB said it was difficult to assess how much money Fxmsp had made in that time, as he had offered access to only 22 corporate networks in 2019 for a total price of US$124,100.
Group-IB said it was reasonable to assume that even though they were banned from exploit[.]in, both Fxmsp and Lampeduza continued their activity from May to September.
The pair officially suspended their co-operation in December 2019, with Lampeduza posting on Omerta as Antony Moricone that he was looking for a job as an underground sales manager. On 17 December, he confirmed to the forum users that Fxmsp was out of the game.
As to his identity, Group-IB said initially, Fxmsp used the Jabber account uwerty5411@exploit[.]im for communicating with other users. The company noticed that this account did not resemble his standard nickname and made a note of this pseudonym for the future.
“Most of the time, the threat actor used the unique nickname Fxmsp, which ultimately was the basis for establishing his true identity,” it said. “As the nickname is rare, Group-IB specialists were able to uncover his email account on the m***.ru platform: Fxmsp@m***[.]ru.
“The attacker has never mentioned this email on any forums, so it could have been a coincidence, but we decided to check whether this email address had been used to register any accounts on underground forums.
“As a result, specialists uncovered overlaps with the attacker’s accounts. The email had been used to register accounts on the following forums: proxy-base[.]com, lolzteam[.]net, exploit[.]in, and fuckav[.]ru.”
Two Skype accounts set up by Fxmsp provided a further means of identification, and a phone number +7778316*** was also given. The operator’s DEF code shows the phone number belongs to the company Kcell/Activ in Kazakhstan.
A close look at the email address Fxmsp@m***[.]ru showed it was linked to an account in the Russian social network My World and an account in the name of Andrey Turchin was discovered on the Russian social network VK.com (hxxps://vk[.]com/id***). The photo from this account matched the photo published on My World.
“Based on the information above, Andrey A. Turchin, born on December ***, 198***, living in Almaty, Kazakhstan, (according to social media profiles, domain registration data, and the phone number), is presumably the attacker who hides under the nickname Fxmsp,” Group-IB concluded. “The fact that he uses the same nicknames and the common interests related to exchange platforms both confirm this.”