A little-known New York-based threat intelligence company, Advanced Intelligence LLC (AdvIntel), says it has proof that three US-based antivirus companies have been hacked by a Russian collective dubbed “Fxmsp”, which it claims has been peddling their “exclusive source code” and network access online for $300,000.
The company published a report Thursday with some details, saying it has contacted law enforcement. It did not name the three companies. The hackers claimed to have “extracted sensitive source code from antivirus software, AI, and security plugins” it said, adding that it held the threat group to be credible.
“Fxmsp offered screenshots of folders purported to contain 30 terabytes of data, which they allegedly extracted from these networks. The folders seem to contain information about the company’s development documentation, artificial intelligence model, web security software, and antivirus software base code.”
Whether screenshots of folders “seeming” to contain anything constitutes proof of the trio of serious breaches is an open question, but for what it is worth, AdvIntel seems convinced: its subject matter experts assess with “high confidence” that Fxmsp is a “credible hacking collective that has a history of selling verifiable corporate breaches returning them profit close to $1,000,000”, AdvIntel said in its report.
The company added: “The collective provided a list of specific indicators through which it is possible to identify the company even when a seller is not disclosing its name… Targeting antivirus companies appears to have been the primary goal of Fxmps’ latest network intrusions. The actor [with which they engaged] claimed that antivirus breach research has been their main project over the last six months, which directly correlates with the six-month period during which they were silent on the underground forums where they normally post. This period started with their seeming disappearance in October 2018 and concluded with their return in April 2019.”
Yelisey Boguslavskiy, AdvIntel’s director of research told Ars that his company notified “the potential victim entities” of the breach through partner organisations. (It was not immediately clear why his company had not done so directly.) Computer Business Review has contacted AdvIntel for more information.
Boguslavskiy’s LinkedIn profile says he is a former Flashpoint and Kroll analyst, who has experience as an election staffer with Russian opposition leader Alexey Navalniy. The company lists two employees and made its first post a week ago. Boguslavskiy has a Twitter account that has made just one post.
Antivirus Companies Hacked: More Detail Needed to Sustain Claim
Tim Mackey, Principal Security Strategist, Synopsys CyRC said: “This is a case where I fear there is more rumour than fact. The source code image simply shows assembly code – something which is readily obtainable by running a debugger on any application, and which requires no direct access to any source code.”
He added: “Understanding assembly code is a skill commonly available within desktop application development teams. While it might help a malicious group to have access to the full source code for an application in creating their attacks; the reality is anyone targeting an anti-virus agent is likely very skilled in assembly language and might find source code more of a distraction.”
“What is more concerning are claims of access to the networks of the AV companies. With such access to servers providing threat intelligence, a malicious group could be positioned to mask their activities, replace legitimate code or agents, and then create a rich target list who would be unaware of any changes in risk…”
“[AV users] should confirm that our anti-malware solutions have the digital signatures on them from our actual vendor. The process to do this varies by operating system, but can be easily performed by an end user. In the event of a discrepancy, contact the vendor and seek guidance from them.”