Security researchers say a “high-profile Russian- and English-speaking hacking collective” managed to infiltrate three of the top antivirus firms in the US and steal “sensitive source code” related to the development of AV software and tools. The group is trying to sell the data for $300,000.
The good news for consumers is that this breach had nothing to do with personal data—it doesn’t appear that any names, addresses, email addresses, payment info, or any such data was swiped. However, that’s where the good news ends.
This breach was all about stealing the code that makes AV software and tools tick. In the wrong hands, that kind of code can be used to find ways of thwarting protections that AV software provides.
According to a security report published by Advanced Intelligence (AdvIntel), the group responsible is called “Fxmsp” and has a long history of selling sensitive information from high-profile global government and corporate entities.
On April 24, 2019, Fxmsp claimed to have secured access to three leading antivirus companies. According to the hacking collective, they worked throughout the first quarter of 2019 to breach these companies and finally succeeded in obtaining access to the companies’ internal networks.
The collective extracted sensitive source code from antivirus software, AI, and security plugins belonging to the three companies. Fxmsp also commented on the capabilities of the different companies’ software and assessed their efficiency.
Screenshots provided by Fxmsp point to 30TB worth of stolen data, among which is information about each company’s development documentation, artificial intelligence model, web security software, and antivirus software base code.
AdvIntel did not say which specific AV companies are affected, but did tell Ars Technica that it notified the potential victims through partner organizations and also provided details to law enforcement.
To date, AdvIntel says the “credible hacking collective” has netted a profit in the neighborhood of $1 million from selling previously stolen data.
On May 5, Fxmsp stated that one of the two teams orchestrating the attack against the AV companies compromised one access point while navigating through a victim’s client directory. The hackers are currently trying to regain access. This may have disrupted their original plans to sell the data.
They had planned to offer access to some of the companies in mid-May, most likely via forums, although this is not confirmed: the group used the term ‘make a public sale’. Because one access point was compromised, the report notes, the group now plans to continue making private offers of the data, with the possibility that offers for the other companies may appear on forums later this month.