Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly, Dragonfly 2.0, DYMALLOY, Energetic Bear, Ghost Blizzard,[2] Havex, IRON LIBERTY, Koala, or TeamSpy)[3][4][5] is a Russian cyber espionage group, sometimes known as an advanced persistent threat.[1] According to the United States, the group is composed of "FSB hackers," either those directly employed by the FSB or Russian civilian, criminal hackers coerced into contracting as FSB hackers while still freelancing or moonlighting as criminal hackers.[6] Four accused Berserk Bear participants, three FSB staff and one civilian, have been indicted in the United States and are regarded by the United States Department of Justice as fugitives.

Berserk Bear
TypeAdvanced persistent threat
PurposeCyberespionage, cyberwarfare
Region
Russia
Methodsmalware
Official language
Russian
Parent organization
FSB[1]
Formerly called
Crouching Yeti
Dragonfly
Dragonfly 2.0
DYMALLOY
Energetic Bear
Havex
IRON LIBERTY
Koala
TeamSpy

Activities

edit

Berserk Bear specializes in compromising utilities infrastructure, especially that belonging to companies responsible for water or energy distribution.[1][7] It has performed these activities in at least Germany and the U.S.[7] These operations are targeted towards surveillance and technical reconnaissance.[6]

Berserk Bear has also targeted many state, local, and tribal government and aviation networks in the U.S., and as of October 1, 2020, had exfiltrated data from at least two victim servers.[4] In particular, Berserk Bear is believed to have infiltrated the computer network of the city of Austin, Texas, during 2020.[8][9][6]

The group is capable of producing its own advanced malware, although it sometimes seeks to mimic other hacking groups and conceal its activities.[6]

Indictments unsealed 2022

edit

In 2021 federal grand juries in the United States indicted three personnel of the Russian Federal Security Service (FSB) and a civilian from the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM). These indictments were kept under seal until March 2022 when the United States publicly named the defendants and treated them as fugitives.

Evgeny Gladkikh

edit

Evgeny Gladkikh (Russian: Евгений Гладких): is accused of targeting network-connected safety equipment with the intent to gain the capability to sabotage them. He was indicted in the U.S. District Court for the District of Columbia [10]

"Center 16" defendants

edit

The indictment in the case United States v. Akulov, et al. is focused on members of a team within "Center 16" (Russian: 16-й Центр)[a] an FSB component also known as Military Unit 71330 (Russian: Bойсковая часть B/Ч 71330).

The British Foreign Office states that the full name of Center 16 is "Radio-Electronic Intelligence by Means of Communication" (TsRRSS); Russian: Центр радиоэлектронной разведки на средствах связи (ЦPPCC)[11]

The U.S. v. Akulov case was filed within the United States District Court for the District of Kansas.[12] The named defendants are:

  • Pavel Aleksandrovich Akulov (Russian: Павел Александрович Акулов, b. 2 July 1985) is described as a military officer assigned to Military Unit 71330, who held the rank of lieutenant as of 2013. Akulov is described as conducting surveillance and reconnaissance supporting the targeting of the Wolf Creek Generating Station computer network.[12]
  • Mikhail Mikhailovich Gavrilov (Russian: Михаил Михайлович Гаврилов, b. 7 November 1979) is described as Russian military intelligence officer assigned to Military Unit 71330. He has held the rank of captain and major. He is described as conducting computer intrusions into the computer networks of Wolf Creek and another unnamed entity ("Company 7") used to access energy, utility and critical infrastructure webmail login webpages.[12]
  • Marat Valeryevich Tyukov (Russian: Марат Валерьевич Тюков, b. 17 November 1982) is described as a Russian military intelligence officer assigned to Military Unit 71330. He is alleged to have gained unauthorized access to a server owned by an unnamed entity ("Company One") that was used for command and control infrastructure. He is also accused of tampering with updates to industrial control software which affected power and energy companies globally.[12]

FBI and Department of State designation

edit

The U.S. State Department Rewards for Justice Program is offering $10 million for tips that lead to the apprehension of the four named "Berserk Bear" suspects.

See also

edit

References

edit
  1. ^ "Center 16" is the translation contained within the indictments. Elsewhere, the Estonian Foreign Intelligence Service refers to the unit as "16th Centre." see "International Security and Estonia 2019" (PDF). valisluureamet.ee. Estonian Foreign Intelligence Service. pp. 56–60. Archived (PDF) from the original on 9 March 2022. Retrieved 6 April 2022.
  1. ^ a b c Greenberg, Andy. "The Russian Hackers Playing 'Chekhov's Gun' With US Infrastructure". Wired – via www.wired.com.
  2. ^ "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  3. ^ "Dragonfly 2.0, IRON LIBERTY, DYMALLOY, Berserk Bear, Group G0074 | MITRE ATT&CK®". attack.mitre.org.
  4. ^ a b "Russian state hackers stole data from US government networks". BleepingComputer.
  5. ^ Goodin, Dan (December 7, 2020). "NSA says Russian state hackers are using a VMware flaw to ransack networks". Ars Technica.
  6. ^ a b c d Bowen, Andrew S. (January 4, 2021). Russian Cyber Units (Report). Congressional Research Service. p. 2. Retrieved July 25, 2021.
  7. ^ a b "German intelligence agencies warn of Russian hacking threats to critical infrastructure". CyberScoop. May 26, 2020.
  8. ^ Hvistendahl, Mara; Lee, Micah; Smith, Jordan (December 17, 2020). "Russian Hackers Have Been Inside Austin City Network for Months". The Intercept.
  9. ^ "Austin officials quiet on reports that city network hacked". www.msn.com.
  10. ^ "Indictment" (PDF), United States v. Gladkikh (Court Filing), no. 1:21-cr-00442, Docket 1, D.D.C., 26 Aug 2021, retrieved 5 April 2022 – via Recap (PACER current docket view )
  11. ^ "Russia's FSB malign activity: factsheet". gov.uk. Foreign, Commonwealth & Development Office. 5 April 2022. Retrieved 6 April 2022.
  12. ^ a b c d "Indictment" (PDF), United States v. Akulov, et al. (Court Filing), no. 1:21-cr-20047, Docket 3, D.K.S., 26 Aug 2021, retrieved 5 April 2022 – via Recap (PACER current docket view )