Wow. There will be a lot of media coverage about this one, but let’s start with the DOJ’s press announcement and indictment:
Prolific hacker sold network access to other cybercriminals on various underground forums, enabling various further cyberattacks
Seattle – An indictment was unsealed today in the Western District of Washington charging a citizen of Kazakhstan, ANDREY TURCHIN, a/k/a “fxmsp,” 37, with various federal crimes related to a prolific, financially motivated cybercrime group that hacked the computer networks of a broad array of corporate entities, educational institutions, and governments throughout the world, announced U.S. Attorney Brian T. Moran. The “fxmsp” group established persistent access, or “backdoors,” to victim networks, which they then advertised and sold to other cybercriminals subjecting victims to a variety of cyberattacks and fraud.
“Cybercrime knows no international borders, and stopping these crimes requires cooperation between an array of international partners. I commend Kazakhstan for its assistance in this investigation,” said U.S. Attorney Brian T. Moran. “I am hopeful these critical international partnerships between cybercrime investigators will lead to holding Andrey Turchin accountable in a court of law.”
“Sophisticated cybercrimes can be extremely difficult to investigate. However, by working closely with our international law enforcement partners at the UK’s National Crime Agency, along with victims, private sector security researchers and great cooperation from our international law enforcement partners in Kazakhstan, the FBI was able to disrupt Mr. Turchin and his alleged co-conspirator’s criminal intrusions,” said Raymond Duda, Special Agent in Charge FBI Seattle Field Office. “This case demonstrates the FBI’s commitment to uncover and counter cyber criminals, domestic or abroad.”
According to the five-count indictment and records on file, from at least October 2017 through the date charges were returned by a Grand Jury, in December 2018, TURCHIN and his accomplices perpetrated an ambitious hacking enterprise broadly targeting hundreds of victims across six continents, including more than 30 in the United States. Widely known in hacking circles by the moniker “fxmsp,” TURCHIN employed a collection of hacking techniques and malicious software (malware) to gain and maintain access to victim networks. For instance, he often used specially designed code to scan the Internet for open Remote Desktop Protocol (RDP) ports and conduct brute-force attacks to initially compromise victim networks. Once inside the victim’s system, he moved laterally throughout the network and deployed additional malicious code to locate and steal administrative credentials and establish persistent access. The conspirators often modified antivirus software settings to allow malware to continue to run undetected.
TURCHIN and his co-conspirators then marketed and sold the network access on various underground forums commonly frequented by hackers and cybercriminals, such as Exploit.in, fuckav.ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t, among others. Prices typically ranged from a couple thousand dollars to, in some cases, over a hundred thousand dollars, depending on the victim and the degree of system access and controls. Many transactions occurred through use of a broker and escrow, which allowed interested buyers to sample the network access for a limited period to test the quality and reliability of the illicit access. As has been publicly reported, the “fxmsp” group has been linked to numerous high-profile data breaches, ransomware attacks, and other cyber intrusions.
TURCHIN is charged with conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud. Conspiracy to commit computer fraud is punishable by up to five years in prison. The two counts of computer fraud and abuse (hacking) are punishable by up to ten and five years in prison, respectively. Conspiracy to commit wire fraud is punishable by up to 20 years in prison. Access device fraud is punishable by up to ten years in prison.
The charges contained in the indictment are only allegations. A person is presumed innocent unless and until he or she is proven guilty beyond a reasonable doubt in a court of law.
The case is being investigated by the FBI Seattle Office, Cyber Crime Task Force, with the cooperation of the United Kingdom’s National Crime Agency (NCA), and with assistance from the U.S. Department of Justice’s Criminal Division’s Office of International Affairs, the FBI Legal Attaché Offices in London and Nur-sultan, and the National Security Committee of the Republic of Kazakhstan (KNB).
The case is being prosecuted by Assistant United States Attorney Steven Masada.