Article Lead Image

Wikimedia Commons (CC-BY-SA)

Hackers claim to be selling data from 3 major antivirus companies

Alleged chat logs say Symantec, McAfee, and Trend Micro are affected.


Mikael Thalen


Posted on May 14, 2019   Updated on May 20, 2021, 12:39 pm CDT

A cybersecurity research firm reported last week that a hacking group was claiming online that it had access to data from the networks of three major antivirus companies. Now, purported chat logs from that group, known as “Fxmsp,” reveals the names of those companies for the first time.

The original report, published last Thursday by AdvIntel, stated that Fxmsp was selling the data it allegedly stole from those companies, including documents and source code, for several hundred thousand dollars.

The hacking collective, which frequents both English and Russian forums, has reportedly earned close to $1 million through selling data pilfered in “verifiable corporate breaches.”

“They have a long-standing reputation for selling sensitive information from high-profile global government and corporate entities,” AdvIntel reported.

Alleged chat logs from Fxmsp given to BleepingComputer by AdvIntel revealed those companies to be Symantec, McAfee, and Trend Micro.

“Fxmsp talked about getting into the network of Trend Micro and stealing source code from the company, all without triggering detection,” BleepingComputer reported Tuesday.

The hacking collective was also reportedly “convinced that no one was watching them roaming inside the network of antivirus companies” as well.

Although AdvIntel stated last week that it had contacted the three antivirus companies to warn them of the hackers’ claims, Symantec denied ever being alerted in statements to the media.

Symantec appeared to change its story, though, after the chat log story was published. In a statement to BleepingComputer, Symantec confirmed that it had been contacted by AdvIntel.

“Symantec is aware of recent claims that a number of US-based antivirus companies have been breached,” Symantec said. “We have been in contact with researchers at AdvIntel, who confirmed that Symantec (Norton) has not been impacted. We do not believe there is reason for our customers to be concerned.”

AdvIntel concluded that Symantec’s statement was fair given that more evidence was needed in to prove it had been compromised. Trend Micro, however, did appear to have data stolen and released a statement in response.

The statement asserted that “an active investigation” was underway involving law enforcement and Trend Micro’s global threat research and forensic teams.

“At this moment, we are aware that unauthorized access had been made to a single testing lab network by a third party and some low-risk debugging related information was obtained,” a Trend Micro spokesperson said. “We are nearing the end of our investigation and at this time we have seen no indication that any customer data nor source code were accessed or exfiltrated.”

Yelisey Boguslavskiy, director of security research at AdvIntel, says Trend Micro’s denial is provably false.

“As for Trend Micro report regarding source codes, we can provide evidence of the actual files taken (more than 100 MB of the sym files) that the actor had access with over 30TB of source code and everything from Trend Micro,” Boguslavskiy told BleepingComputer.

McAfee, the last company reportedly targeted, released a vague statement providing little detail on whether it agreed with AdvIntel’s assessment.

“McAfee is aware of this threat claim targeting the industry,” the company told BleepingComputer. “We’ve taken necessary steps to monitor for and investigate it.”

Fxmsp is currently offering to sell both access information and source code, depending on the antivirus company, for up to $300,000.

Correction: A previous version of this story misattributed a Trend Micro quote (and a response to it) to Symantec.


H/T BleepingComputer

Share this article
*First Published: May 14, 2019, 3:49 pm CDT