Berserk Bear

Last updated
Berserk Bear
Type Advanced persistent threat
Purpose Cyberespionage, cyberwarfare
Region
Russia
Methods malware
Official language
Russian
Parent organization
FSB [1]
Formerly called
Crouching Yeti
Dragonfly
Dragonfly 2.0
DYMALLOY
Energetic Bear
Havex
IRON LIBERTY
Koala
TeamSpy

Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly, Dragonfly 2.0, DYMALLOY, Energetic Bear, Ghost Blizzard, [2] Havex, IRON LIBERTY, Koala, or TeamSpy) [3] [4] [5] is a Russian cyber espionage group, sometimes known as an advanced persistent threat. [1] According to the United States, the group is composed of "FSB hackers," either those directly employed by the FSB or Russian civilian, criminal hackers coerced into contracting as FSB hackers while still freelancing or moonlighting as criminal hackers. [6] Four accused Berserk Bear participants, three FSB staff and one civilian, have been indicted in the United States and are regarded by the United States Department of Justice as fugitives.

Contents

Activities

Berserk Bear specializes in compromising utilities infrastructure, especially that belonging to companies responsible for water or energy distribution. [1] [7] It has performed these activities in at least Germany and the U.S. [7] These operations are targeted towards surveillance and technical reconnaissance. [6]

Berserk Bear has also targeted many state, local, and tribal government and aviation networks in the U.S., and as of October 1, 2020, had exfiltrated data from at least two victim servers. [4] In particular, Berserk Bear is believed to have infiltrated the computer network of the city of Austin, Texas, during 2020. [8] [9] [6]

The group is capable of producing its own advanced malware, although it sometimes seeks to mimic other hacking groups and conceal its activities. [6]

Indictments unsealed 2022

In 2021 federal grand juries in the United States indicted three personnel of the Russian Federal Security Service (FSB) and a civilian from the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM). These indictments were kept under seal until March 2022 when the United States publicly named the defendants and treated them as fugitives.

Evgeny Gladkikh

Evgeny Gladkikh (Russian:Евгений Гладких): is accused of targeting network-connected safety equipment with the intent to gain the capability to sabotage them. He was indicted in the U.S. District Court for the District of Columbia [10]

"Center 16" defendants

The indictment in the case United States v. Akulov, et al. is focused on members of a team within "Center 16" (Russian:16-й Центр) [lower-alpha 1] an FSB component also known as Military Unit 71330 (Russian:Bойсковая часть B/Ч 71330).

The British Foreign Office states that the full name of Center 16 is "Radio-Electronic Intelligence by Means of Communication" (TsRRSS); Russian:Центр радиоэлектронной разведки на средствах связи (ЦPPCC) [11]

The U.S. v. Akulov case was filed within the United States District Court for the District of Kansas. [12] The named defendants are:

FBI and Department of State designation

The U.S. State Department Rewards for Justice Program is offering $10 million for tips that lead to the apprehension of the four named "Berserk Bear" suspects.

See also

Related Research Articles

<span class="mw-page-title-main">Information warfare</span> Battlespace use and management of information and communication technology

Information warfare (IW) is the battlespace use and management of information and communication technology (ICT) in pursuit of a competitive advantage over an opponent. It is different from cyberwarfare that attacks computers, software, and command control systems. Information warfare is the manipulation of information trusted by a target without the target's awareness so that the target will make decisions against their interest but in the interest of the one conducting information warfare. As a result, it is not clear when information warfare begins, ends, and how strong or destructive it is.

<span class="mw-page-title-main">GRU (Russian Federation)</span> Russian military intelligence agency

The Main Directorate of the General Staff of the Armed Forces of the Russian Federation, formerly the Main Intelligence Directorate, and still commonly known by its previous abbreviation GRU, is the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation. The GRU controls the military intelligence service and maintains its own special forces units.

<span class="mw-page-title-main">Federal Security Service</span> Principal security agency of Russia

The Federal Security Service of the Russian Federation is the principal security agency of Russia and the main successor agency to the Soviet Union's KGB; its immediate predecessor was the Federal Counterintelligence Service (FSK) which was reorganized into the FSB in 1995. The three major structural successor components of the former KGB that remain administratively independent of the FSB are the Foreign Intelligence Service (SVR), the Federal Protective Service (FSO), and the Main Directorate of Special Programs of the President of the Russian Federation (GUSP).

<span class="mw-page-title-main">Konstantin Rykov</span> Russian politician (born 1979)

Konstantin Igorevich Rykov, a.k.a. Jason Foris is a Russian politician.

<span class="mw-page-title-main">Cyberattacks during the Russo-Georgian War</span> Series of cyber attacks during Russo-Georgian war in 2008

During the Russo-Georgian War, a series of cyberattacks swamped and disabled websites of numerous South Ossetian, Georgian, Russian and Azerbaijani organisations. The attacks were initiated three weeks before the shooting war began.

Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."

<span class="mw-page-title-main">Chinese espionage in the United States</span>

The United States has often accused the People's Republic of China of attempting to unlawfully acquire U.S. military technology and classified information as well as trade secrets of U.S. companies in order to support China's long-term military and commercial development. Chinese government agencies and affiliated personnel have been accused of using a number of methods to obtain U.S. technology, including espionage, exploitation of commercial entities, and a network of scientific, academic and business contacts. Prominent espionage cases include Larry Wu-tai Chin, Katrina Leung, Gwo-Bao Min, Chi Mak and Peter Lee. The Ministry of State Security (MSS) maintains a bureau dedicated to espionage against the United States, the United States Bureau.

Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and power projection thanks to comparatively advanced technology and a large military budget. Cyber warfare presents a growing threat to physical systems and infrastructures that are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.

Cyberwarfare by China is the aggregate of all combative activities in the cyberspace which are taken by organs of the People's Republic of China, including affiliated advanced persistent threat (APT) groups, against other countries.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack.

<span class="mw-page-title-main">PLA Unit 61398</span> Chinese advanced persistent threat unit

PLA Unit 61398 is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai, and has been cited by US intelligence agencies since 2002.

PLA Unit 61486 is a People's Liberation Army unit dedicated to cyberattacks on American, Japanese, and European corporations focused on satellite and communications technology. It is a unit that takes part in China's campaign to steal trade and military secrets from foreign targets.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Fancy Bear, also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM or Forest Blizzard, is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks, ThreatConnect, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165. This refers to its unified Military Unit Number of the Russian army regiments. The headquarters of Fancy Bear and the entire military unit, which reportedly specializes in state-sponsored cyberattacks and decryption of hacked data, were targeted by Ukrainian drones on July 24, 2023, the rooftop on an adjacent building collapsed as a result of the explosion.

<span class="mw-page-title-main">DCLeaks</span> Hacker group

DCLeaks was a website that was established in June 2016. It was responsible for publishing leaks of emails belonging to multiple prominent figures in the United States government and military. Cybersecurity research firms determined the site is a front for the Russian cyber-espionage group Fancy Bear. On July 13, 2018, an indictment was made against 12 Russian GRU military officers; it alleged that DCLeaks is part of a Russian military operation to interfere in the 2016 U.S. presidential election.

<span class="mw-page-title-main">A.F. Mozhaysky Military-Space Academy</span>

A.F. Mozhaysky's Military-Space Academy is a Military Academy of the Armed Forces of the Russian Federation. It is located in Saint Petersburg. It is associated with the Russian Aerospace Defence Forces.

<i>The Plot to Hack America</i> Non-fiction book by Malcolm Nance

The Plot to Hack America: How Putin's Cyberspies and WikiLeaks Tried to Steal the 2016 Election is a non-fiction book by Malcolm Nance about the Russian interference in the 2016 United States elections. It was published in paperback, audiobook, and e-book formats in 2016 by Skyhorse Publishing. A second edition was also published the same year, and a third edition in 2017. Nance researched Russian intelligence, working as a Russian interpreter and studying KGB history.

<span class="mw-page-title-main">Yevgeniy Nikulin</span> Russian computer hacker (born 1987)

Yevgeniy Alexandrovich Nikulin is a Russian computer hacker. He was arrested in Prague in October 2016, and was charged with the hacking and data theft of several U.S. technology companies. In September 2020, he was sentenced to 88 months in prison.

<span class="mw-page-title-main">Dmitry Dokuchaev</span>

Dmitry Aleksandrovich Dokuchaev is a Russian convicted cyber criminal and a former intelligence officer of the Federal Security Service (FSB), the principal security agency of Russia. In April 2019, he was sentenced to six years in prison for treason.

<span class="mw-page-title-main">Sandworm (hacker group)</span> Russian hacker group

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

References

  1. "Center 16" is the translation contained within the indictments. Elsewhere, the Estonian Foreign Intelligence Service refers to the unit as "16th Centre." see "International Security and Estonia 2019" (PDF). valisluureamet.ee. Estonian Foreign Intelligence Service. pp. 56–60. Archived (PDF) from the original on 9 March 2022. Retrieved 6 April 2022.
  1. 1 2 3 Greenberg, Andy. "The Russian Hackers Playing 'Chekhov's Gun' With US Infrastructure". Wired via www.wired.com.
  2. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  3. "Dragonfly 2.0, IRON LIBERTY, DYMALLOY, Berserk Bear, Group G0074 | MITRE ATT&CK®". attack.mitre.org.
  4. 1 2 "Russian state hackers stole data from US government networks". BleepingComputer.
  5. Goodin, Dan (December 7, 2020). "NSA says Russian state hackers are using a VMware flaw to ransack networks". Ars Technica.
  6. 1 2 3 4 Bowen, Andrew S. (January 4, 2021). Russian Cyber Units (Report). Congressional Research Service. p. 2. Retrieved July 25, 2021.
  7. 1 2 "German intelligence agencies warn of Russian hacking threats to critical infrastructure". CyberScoop. May 26, 2020.
  8. Hvistendahl, Mara; Lee, Micah; Smith, Jordan (December 17, 2020). "Russian Hackers Have Been Inside Austin City Network for Months". The Intercept.
  9. "Austin officials quiet on reports that city network hacked". www.msn.com.
  10. "Indictment" (PDF), United States v. Gladkikh (Court Filing), no. 1:21-cr-00442, Docket 1, D.D.C., 26 Aug 2021, retrieved 5 April 2022 via Recap ( PACER current docket view Lock-red-alt.svg)
  11. "Russia's FSB malign activity: factsheet". gov.uk. Foreign, Commonwealth & Development Office. 5 April 2022. Retrieved 6 April 2022.
  12. 1 2 3 4 "Indictment" (PDF), United States v. Akulov, et al. (Court Filing), no. 1:21-cr-20047, Docket 3, D.K.S., 26 Aug 2021, retrieved 5 April 2022 via Recap ( PACER current docket view Lock-red-alt.svg)