If Russia hired the most notorious hackers, the servers of a company based in the UK, she has discovered Links to a treasure trove of clues back to the BBC.
The Hacker used the Computer to attack the German Parliament, hijack traffic intended for a Nigerian government website and target Apple devices.
The company, crooks verse, had claimed, based in Oldham for a period of time.
He says it acted quickly to eject the hacking team called Fancy Bear – as soon as he learned of the problem.
Technical and financial records of crooks verse is seen by the BBC Fancy bear beat has access to significant financial resources and made the use of online financial services, some of which were later closed in the anti-money laundering operations.
Fancy Bear – also known as ” APT28, the Sofacy, iron Twilight and Pawn Storm in connection with the Russian intelligence.
The group played an important role in 2016, the attack on the American Democratic National Committee (DNC), according to security experts.
In fact, an internet Protocol (IP) address, which once belonged to a dedicated server rented through crooks verse was discovered, the malicious code into the breachThe spies who came in for milk
The beginning of 2012, crooks verse claims based on the same address, such as a newspaper seller on a nondescript row house street in Oldham, after the historic website registration records.
But after a short time, the list turned out to be Pakistan. The BBC has seen no evidence or the business, knew its employees, such as the address that was used, or that crooks verse had download no real connection to the newspaper.
Crooks verse was what is known as a server reseller. It was a completely online business. To rent the Computer effectively were in possession of an other company based in France and Canada.
The BBC identified the crooks verse operator as Usman Ashraf.
Social media and other online accounts suggest that he was present in the Oldham area, between 2010 and mid-2014. He seems to be now in Pakistan.
Mr Ashraf declined an interview, but detailed answers to questions via E-Mail.
Despite his company name, he hackers had been denied as a customer.
“We never know how a client with the server,” he wrote.
If in the year 2015, he had been alerted of the hacking, as he said, he had acted quickly to close their accounts.
He said he had a “verification” process, clubs, 60-70% of the company’s accounts, which he had suspected, and abused.
“There is 0% compromise on the misuse,” he said. Connect the dots
Over three years, Fancy Bear Computer by Crooks to rented, on his tracks with false identities, virtual private networks and hard-to-track-payment-systems.
Researchers at the cyber-threat intelligence company Secureworks, the said analyzed information to crooks verse for the BBC, that have helped them, the connection of several Fancy Bear operations.
Senior security researcher Mike McLellan said the hackers had shown poor “tradecraft”.
One communication shows a hacker using the pseudonym Roman Brecesku, had cracked complaining that his server was “”.
Crooks is the verse above in connection with an attack on the German Parliament.
The server used to control the malware was hired by crooks verse of a hacker with the pseudonym of Nikolay Mladenov, paid with Bitcoin and Perfect Money, according to records seen by the BBC.
The hacker used the server until June 2015, when it was deleted for crooks verse request the following reports in the media about the attack.
This server, the IP address will be also used in malware, the opponent, some of the participants at the Farnborough air show in 2014.
Fancy Bear malware attack on a British TV station and the DNC also contain this IP address, although the server was not more Wear in the imagination that control when these attacks occurred.
A financial account used Mladenov was also another hacker, the rent under the pseudonym Klaus Werner, to more computers, the crooks verse.
A server rented from Werner diverted” traffic received “by a legitimate Nigerian government website, according to the Secureworks analysis.Apple Attack
The financial account used Mladenov and Werner.of Fancy Bear hackers – including two with the name Bruno Labrousse and Roman Brecesku – rent other servers crooks verse
A server and the E-Mail address used to have rent it seem to the left of “advanced espionage” malware used to target iOS devices.
The malware was capable of turning on the voice recording and the theft of SMS messages.
Other E-Mail used, rentals, Server can be linked to an attack against the Bulgarian State Agency for National security.
But there are eight dedicated servers, which are tied to the same financial information, the use of which is unknown – suggesting known, it may Bear other Fancy attacks, it is not open to the public.Follow the money
Fancy Bear spent at least $6,000 (£4,534) with crooks verse about a variety of services offered, an additional level of anonymity.
They include Bitcoin, Liberty Reserve and Perfect Money. Liberty Reserve was later closed after an international money-laundering investigation.
The BBC has asked a UK-based company called Elliptic, specializing in the identification Bitcoin-related “illegal activity” to analyze Fancy Bear’s Bitcoin payments.
The investigator-in-charge Tom Robinson said his team had found the wallet, which was the source of these funds. He said that the bitcoins contained in it, were “in the value of around $100,000”.
Elliptic the source for some of the funds in the wallet to the digital currency exchange BTC-e.
In July, BTC-e was closed by the US authorities and the Russian alleged founder accused of money laundering arrested in Greece.
Although BTC-e is reportedly popular with Russian cybercriminals, the BBC has no evidence that management was aware that its customers were Wearing Fancy.Continue To Operating
The financial and technical records link together multiple attacks, the Bear previously tied up Fancy.
And Yes, it is possible that following the financial trail that more revelations may cause.
Crooks verse closed at 10. October. Fancy Bear operations, however, is not.