‘State hackers rented systems from CrookServers for three years’
Hackers with ties to Russia's government used the services of offshore hosting provider CrookServers for years, according to the BBC. The broadcaster has published financial and administrative details of how the group operated.
Research by Secureworks on behalf of the BBC shows that the hackers who worked via CrookServers paid in bitcoin, used the now-closed exchange BTC-e and also relied on the payment services Liberty Reserve and Perfect Money. They paid at least 5,000 euros to CrookServers, and the wallet used for the bitcoin payments held almost 85,000 euros' worth of cryptocurrency, according to Elliptic, the company that analysed the payments for the BBC.
One of the servers CrookServers rented out contained evidence of advanced malware being used against iOS devices to record audio and extract images, contacts and other data from the devices. Another system routed traffic from a Nigerian government site.
The use of CrookServers in 'state hacks' had already come to light in the investigation into the 2015 hack of the German Bundestag's systems. CrookServers was briefly registered in Great Britain, then moved to an address in Pakistan, and closed its doors in October.
Criminal hackers often use offshore hosting providers, which as resellers frequently promise anonymity and are less inclined to cooperate with takedown requests. The owner of CrookServers told the BBC that he never knew how customers used the servers, but that in 2015 he closed the accounts that were associated with malicious activity. Secureworks links further data obtained via CrookServers to the group of 'state hackers' known under names including Fancy Bear, APT28 and Pawn Storm.