As dangerous as they may be, a Russian cyberespionage group allied with the Kremlin known as APT28, Fancy Bear, Sofacy, Iron Twilight and Pawn Storm gets points for topicality.
When Russia’s most notorious hackers hired servers from a UK-registered company, they left a trove of clues behind, the BBC has discovered.
The hackers used the computers to attack the German parliament, hijack traffic meant for a Nigerian government website and target Apple devices.
The company, Crookservers, had claimed to be based in Oldham for a time.
It says it acted swiftly to eject the hacking team as soon as it learned of the problem.
Technical and financial records from Crookservers seen by the BBC suggest Fancy Bear had access to significant funds and made use of online financial services, some of which were later closed in anti-money laundering operations.
Russian hackers tried to breach the personal Gmail accounts of scores of US officials. Fancy Bear was responsible for waging a hacking campaign in 2015 and 2016 targeted towards the Democratic Party and the Clinton campaign with shrewd, politically savvy timing and aimed at disrupting the 2016 election.
Some of Fancy Bear’s activities had previously been identified by the cyber-security company Crowdstrike.
Indeed an internet protocol (IP) address that once belonged to a dedicated server hired via Crookservers was discovered in the malicious code used in the breach.
Over three years, Fancy Bear rented computers through Crookservers, covering its tracks using bogus identities, virtual private networks and hard-to-trace payment systems.
Researchers at cyber-threat intelligence company SecureWorks, who analysed information from Crookservers for the BBC, said it had helped them connect several Fancy Bear operations.
Mike McLellan of SecureWorks said the hackers employed poor tradecraft.
The server used to control the malware was hired through Crookservers by a hacker using the pseudonym Nikolay Mladenov who paid using Bitcoin and Perfect Money, according to records seen by the BBC.