The US Department of Justice has unsealed an indictment charging a 37-year-old Kazakhstani citizen with crimes related to a financially motivated cybercriminal ring that conducted attacks against corporate entities, educational institutions, and governments across the globe.
The accused man, Andrey Turchin, also known as "fxmsp", allegedly worked together with other members of a cybercriminal group to plant backdoors on compromised networks to establish persistent access, which they then sold to other malicious actors.
According to the DoJ, since October 2017, Turchin and his accomplices targeted hundreds of organizations across six continents, including more than 30 in the United States.
To compromise target networks, Fxmsp often used specially designed tools to scan the Internet for open Remote Desktop Protocol (RDP) ports and gained access to victims’ systems via brute-force attacks, the DoJ alleges. Once inside the network, the accused leveraged various hacking tools to steal administrative credentials and establish persistent access. Oftentimes, the attackers modified antivirus software to evade detection.
Turchin sold the network access on various underground forums, such as Exploit.in, fuckav.ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t. The asking prices varied from a couple thousand dollars to, in some cases, over a hundred thousand dollars, depending on the victim and the degree of system access and controls.
“Many transactions occurred through use of a broker and escrow, which allowed interested buyers to sample the network access for a limited period to test the quality and reliability of the illicit access. As has been publicly reported, the “fxmsp” group has been linked to numerous high-profile data breaches, ransomware attacks, and other cyber intrusions,” the DoJ said.
Turchin faces five criminal counts, including conspiracy to commit computer hacking, computer fraud and abuse, conspiracy to commit wire fraud, and access device fraud. The most serious charge, conspiracy to commit wire fraud, carries a sentence of up to 20 years.