When Russia’s most notorious hackers hired servers from a UK-registered company, they left a trove of clues behind, the BBC has discovered.
The hackers used the computers to attack the German parliament, hijack traffic meant for a Nigerian government website and target Apple devices.
The company, Crookservers, had claimed to be based in Oldham for a time.
It says it acted swiftly to eject the hacking team – dubbed Fancy Bear – as soon as it learned of the problem.
Technical and financial records from Crookservers seen by the BBC suggest Fancy Bear had access to significant funds and made use of online financial services, some of which were later closed in anti-money laundering operations.
Fancy Bear – also known as APT28, Sofacy, Iron Twilight and Pawn Storm – has been linked to Russian intelligence.
The group played a key role in 2016’s attack on the US’s Democratic National Committee (DNC), according to security experts.
Indeed, an internet protocol (IP) address that once belonged to a dedicated server hired via Crookservers was discovered in malicious code used in the breach.
The spies who came in for milk
Early in 2012, Crookservers claimed to be based at the same address as a newsagent’s on an unassuming terraced road in Oldham, according to historical website registration records.
But after a short period, the listing switched to Pakistan. The BBC has seen no evidence the shop or its employees knew how the address was being used or that Crookservers had any real connection to the newsagent’s.
Crookservers was what is known as a server reseller. It was an entirely online business. The computers it effectively sublet were owned by another company based in France and Canada.
The BBC identified Crookservers’s operator as Usman Ashraf.
Social media and other online accounts suggest he was present in the Oldham area between 2010 and mid-2014. He now seems to be based in Pakistan.
Mr Ashraf declined to record an interview, but provided detailed answers to questions via email.
Despite his company’s name, he denied knowing he had had hackers as customers.
“We never know how a client is using the server,” he wrote.
When in 2015 he had been alerted to the hackers, he said, he had acted swiftly to close their accounts.
He said he had also carried out a “verification” process, culling 60-70% of the company’s accounts he had suspected of being misused.
“There is 0% compromise on abusive usage,” he said.
Joining the dots
Over three years, Fancy Bear rented computers through Crookservers, covering its tracks using bogus identities, virtual private networks and hard-to-trace payment systems.
Researchers at cyber-threat intelligence company Secureworks, who analysed information from Crookservers for the BBC, said it had helped them connect several Fancy Bear operations.
Senior security researcher Mike McLellan said the hackers had exhibited poor “tradecraft”.
One communication shows one hacker, using the pseudonym Roman Brecesku, had complained that his server had been “cracked”.