A three-year analysis of Fxmsp’s activity on underground forums uncovered details on how the threat actor compromised networks of more than 130 targets, including SMEs, government organisations, banks, and Fortune 500 companies all around the world.
The report shows how Fxmsp’s cybercriminal career evolved from a low-level hacker to one of the most important players of the Russian-speaking underground.
Group-IB’s team uncovered Fxmsp’s TTPs and established his presumed identity.
Dmitry Volkov, CTO of Group-IB said: “He set a trend and his success inspired many others to follow suit: the number of sellers of access to corporate networks increased by 92 percent in H2 2019 vs H1 2017 when Fxmsp entered the market.
“Prior to Fxmsp joining the underground, the sellers would offer RDP access to separate servers, without even bothering to ensure persistence or to perform reconnaissance in the network.”
Although Fxmsp has ceased all public activity, it is believed that he may well still be attacking corporate networks and selling access to them.
Group-IB decided to release the report “Fxmsp: ‘The Invisible God of Networks’” publicly and to share an expanded version with international law enforcement agencies.
It has also made its materials on Fxmsp’s tools and tactics available to the general public.
The geography of victims
Fxmsp gained global infamy in May 2019, after it was reported that the networks of several big-name antivirus software companies had been compromised.
In about three years Fxmsp managed to gain access to the corporate networks of 135 companies in 44 countries, including the US, Russia, Singapore, the UK, and elsewhere.
According to Group-IB researchers’ conservative estimates, Fxmsp and his accomplice are likely to have made at least US$ 1.5 million (£1.2 million) throughout their operations.
This figure does not include the 20 percent of companies to which he offered access “without naming the price”, nor the sales he made through private messages, so actual earnings are believed to be much higher.
The victims were mostly light-industry companies focused on small-scale production of consumer goods, while the second most common targets were companies offering IT services.
Around nine percent of victim networks belonged to government organisations, while four companies successfully attacked by the threat actor were included in the Fortune Global 500 ranking in 2019.
Volkov added: “Fxmsp took this service to a whole new level. Despite the rather simplistic methods he used, Fxmsp managed to gain access to energy companies, government organisations and even some Fortune 500 firms.
“Fxmsp has indeed ended all public operations; however, it’s not unlikely that he continues making private offers, posing a threat to companies in many industries, regardless of their location.
“In light of this, we decided to release this report, make our materials on Fxmsp’s TTPs accessible to the public, and provide recommendations to help companies protect against the types of attacks conducted by Fxmsp and similar cybercriminals.”
Although Fxmsp stopped all public activity in late 2019, Group-IB discovered that he was selling access to a European energy company that became the victim of a ransomware attack in 2020.