Security researchers say a "high-profile Russian- and English-speaking hacking collective" managed to infiltrate three of the top antivirus firms in the US and steal "sensitive source code" related to the development of AV software and tools. The group is trying to sell the data for $300,000.
The good news for consumers is that this breach had nothing to do with personal data—it doesn't appear that any names, addresses, email addresses, payment info, or any such data was swiped. However, that's where the good news ends.
This breach was all about stealing the code that makes AV software and tools tick. In the wrong hands, that kind of code can be used to find ways of thwarting protections that AV software provides.
According to a security report published by Advanced Intelligence (AdvIntel), the group responsible is called "Fxmsp" and has a long history of selling sensitive information from high-profile global government and corporate entities.
"On April 24, 2019, Fxmsp claimed to have secured access to three leading antivirus companies. According to the hacking collective, they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies’ internal networks," AdvIntel says.
"The collective extracted sensitive source code from antivirus software, AI, and security plugins belonging to the three companies. Fxmsp also commented on the capabilities of the different companies’ software and assessed their efficiency," AdvIntel adds.
Screenshots provided by Fxmsp point to 30TB worth of stolen data, among which is information about each company's development documentation, artificial intelligence model, web security software, and antivirus software base code.
AdvIntel did not say which specific AV companies are affected, but did tell Arstechnica that it notified the potential victims through partner organizations, and also provided details to law enforcement.
To date, Advintel says the "credible hacking collective" has netted a profit in the neighborhood for $1 million for selling previously stolen data.