Introduction: Analytics from Cybersecurity Help decided to publish the series of articles dedicated to the known APT groups (supposedly) linked to the Russian government. In “The Four Bears” series we will tell you about the APT groups known as Fancy Bear (APT 28), Cozy Bear (APT 29), Voodoo Bear (Sandworm), and Berserk Bear (Energetic Bear).

This is the fourth part of the series which is dedicated to the Berserk Bear. You can read the first three parts here, here and here. This post doesn’t highlight all of Berserk Bear cyberattacks but briefs the reader with the most prominent incidents and their nature. As in European folklore fairy-tale “The Story of the Three Bears” each “Bear” in this series has its own character and distinctive features.

Berserk Bear

The Berserk Bear (also known as Dragonfly, Gamaredon, Crouching Yeti, IRON LIBERTY, TeamSpy, Havex, Koala, and Energetic Bear) is the most mysterious member of the “Bear” family. The main focus of the group is energy industry and facilities relying on ICS. But, while the threat actor has major capabilities in breaching critical infrastructure, there have been no evidence of disruptive effect of these attacks. So, this group stands apart from other APTs targeting critical infrastructure linked to the Russian intelligence services, such as Voodoo Bear, which is behind the first blackout in history caused by the cyberattack.

The Berserk Bear focuses on intelligence gathering from ICS networks with an unknown intent. In 2020, the CISA and FBI have warned U.S. organizations about possibility of implanting malware into their networks to cause damage in future attacks. In other words, even though the nature of Berserk Bear’s attacks wasn’t disruptive so far, it doesn’t mean that it will not become one in the future. The threat actor focuses on both learning the operation of energy grids and hijacking their critical systems; therefore, the APT potentially can disrupt these systems at some point.

According to different sources, Berserk Bear is active since 2010-2011. At first, hackers targeted defense and aviation industries but at the beginning of 2013 they switched their focus towards the energy facilities. As per cybersecurity company Symantec, in 2015, the group has resurrected as Dragonfly 2.0, but there is some doubt about the extent of the overlap between the first and the second operations, that’s why some cyber security professionals track them as separate APTs.

According to the U.S. Congressional Research Service, the group is led by Federal Security Service (FSB), Russia’s primary domestic security agency responsible for internal security and counterintelligence. Allegedly, the Berserk Bear is the FSB’s 18^th Center for Information Security. In 2017, the U.S. authorities indicted this unit’s officers for breaching Yahoo! and millions of email accounts.

The Berserk Bear leverages various infection vectors to gain a foothold inside a victim’s network, including phishing, watering hole attacks – by placing malware on industrial-related websites – and trojanized software. The Berserk Bear’s arsenal consists of backdoors like Goodor, DorShel, and Karagany, which aren’t linked to any specific threat actor. This helps the APT to avoid the attribution. In particular, in 2016-2017, the DorShel backdoor was distributed using malicious versions of standard applications for Windows machines. The Karagany backdoor was installed using forged Flash updates.

Another one major difference from other members of “Bear” family – in particular, Fancy Bear and Cozy Bear – is that the group prefers not to use any zero-day vulnerabilities. The group makes use of a Citrix (CVE-2019-19781), Microsoft Exchange (CVE-2020-0688), Fortinet VPN (CVE-2018-13379), and Microsoft Netlogon (CVE-2020-1472) vulnerabilities.

The list of Berserk Bear’s targets includes utility companies and government organizations in Europe, Turkey and U.S.

Summary: Berserk Bear is an APT-group allegedly linked to the Russia’s intelligence service FSB. The threat actor targets energy and utility companies for reconnaissance and information gathering. It looks like the group learns how facilities operate with aim to prepare a springboard for future attacks. Even though the nature of Berserk Bear’s attacks wasn’t disruptive so far, it doesn’t mean that it will not become one in the future.