Berserk Bear APT Penetrates German Infrastructure via Supply Chain Attacks

Berserk Bear APT, also known as Dragonfly 2.0, is a suspected Russian group that has been targeting government entities, energy facility operators, and multiple US critical infrastructure sectors since at least December 2015, and it continues to do so.

The resurgence in energy sector attacks

Organizations in the energy sector in Germany, Switzerland, Turkey, and the USA are being targeted by a new wave of cyberattacks that could give attackers the ability to sabotage or take control of these systems.
  • In May 2020, the Berserk Bear hacking group continued its efforts to target German companies in the energy, water, and power sectors by using the supply chain to access their IT systems.
  • In these attacks, the hackers' main goal is to use publicly available as well as custom-built malware to gain persistent access to the victim’s IT network or production systems and steal sensitive information.

Other recent attacks by Berserk Bear

  • In June 2018, Berserk Bear attempted to penetrate the computer networks of German energy and electricity providers and breached the office networks of a few companies.
  • In March 2018, the group used a compromised core router to launch attacks against US critical infrastructure providers, including energy, nuclear, water, aviation, and manufacturing firms.
  • In October 2017, Berserk Bear targeted energy sector organizations in Europe and North America.
  • In September 2017, an attack campaign targeted Western energy companies with a variety of infection vectors in an attempt to gain access and exfiltrate data to an external server.

Observation by experts

Since 2017, the group’s activities have been observed at regular intervals, which has led several experts to raise alarms for governments and businesses. The UK’s National Cyber Security Centre (NCSC) and US authorities have released alerts about ongoing campaigns.
  • According to Talos, the group targeted critical infrastructure and energy-sector organizations, including nuclear power, primarily in Europe and the United States, and leveraged template injection techniques.
  • The Berserk Bear group has relied on a range of malware tools such as Bitsadmin, Goodor, Impacket, Karagany, and Phisherly in its campaigns against the energy sector. Some of these tools appear to have been custom developed.
  • According to Symantec, the group mainly launched campaigns for sabotage and destruction of critical infrastructure and energy companies around the world. Berserk Bear campaigns have used a variety of infection vectors, including spam emails, watering hole attacks, and malicious software, to steal credentials and gain access to a victim’s network.

Best practices

Organizations should emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single points of failure in any specific technology or protection method. They should also implement SMB egress traffic filtering on perimeter devices to prevent SMB traffic from leaving the network onto the internet.
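As an added example (not from the article or from any vendor or agency), the following Python check turns the SMB egress-filtering recommendation above into a detection: it scans perimeter connection log lines for SMB (TCP 445/139) flows that leave the RFC 1918 address space, which is the traffic a document loading a remote template would generate and the traffic the egress filter is meant to block. The log format, hosts, and addresses are constructed for this example and are assumptions.

```python
import ipaddress
import re

# Constructed perimeter-firewall connection log (assumed format, not from the article).
# Fields: timestamp action src_ip:src_port -> dst_ip:dst_port proto
SAMPLE_LOG = """\
2020-05-12T09:14:03Z ALLOW 10.20.4.17:51234 -> 10.20.4.5:445 tcp
2020-05-12T09:14:09Z ALLOW 10.20.4.17:51240 -> 203.0.113.45:445 tcp
2020-05-12T09:15:11Z ALLOW 10.20.7.8:49811 -> 198.51.100.9:139 tcp
2020-05-12T09:15:30Z ALLOW 10.20.7.8:49820 -> 93.184.216.34:443 tcp
2020-05-12T09:16:02Z DENY  10.20.4.17:51251 -> 203.0.113.45:445 tcp
"""

SMB_PORTS = {445, 139}
# Address space considered "inside"; SMB to anything else is egress to the internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"^(\S+)\s+(ALLOW|DENY)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport, proto = m.groups()
    return {"ts": ts, "action": action, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}

def is_external(ip):
    """True when the address is outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_smb_egress(log_text):
    """All SMB flows to external destinations, whether the perimeter allowed or denied them."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS and is_external(rec["dst"]):
            hits.append(rec)
    return hits

def alerts(log_text):
    """Only the flows the perimeter let through: these indicate a missing egress filter."""
    return [r for r in find_smb_egress(log_text) if r["action"] == "ALLOW"]

def sources_by_destination(log_text):
    """Map each external SMB destination to the internal hosts that reached for it."""
    out = {}
    for r in find_smb_egress(log_text):
        out.setdefault(r["dst"], set()).add(r["src"])
    return out
```

Allowed hits are the actionable alerts; denied hits still show which internal hosts attempted the connection and are worth a look even when the filter held.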