Berserk Bear APT Penetrates German Infrastructure via Supply Chain Attacks

The resurgence in energy sector attacks

• In May 2020, the Berserk Bear hacking group continued its efforts to target German companies in the energy, water, and power sectors by using the supply chain to access their IT systems.
• In these attacks, the main goal of the hackers is to use publicly available as well as custom-built malware to gain persistent entry into the victim’s IT network or production systems and steal sensitive information.

Other recent attacks by Berserk Bear

• In June 2018, Berserk Bear attempted to penetrate the computer networks of German energy and electricity providers and breached the office networks of a few companies.
• In March 2018, the group used a compromised core router to launch attacks against the US critical infrastructure providers, including energy, nuclear, water, aviation, and manufacturing firms.
• In October 2017, Berserk Bear targeted energy sector organizations in Europe and North America. 
• In September 2017, an attack campaign targeted Western energy companies with a variety of infection vectors in an attempt to gain access and exfiltrate data to an external server.

Observation by experts

• According to Talos, the group targeted critical infrastructure, energy sectors, including nuclear power primarily in Europe and the United States, and leveraged template injection techniques. 
• Berserk Bear group has exclusively used a range of malware tools such as Bitsadmin, Goodor, Impacket, Karagany, and Phisherly in its campaigns against the energy sector. Some of these tools appear to have been custom developed.
• According to Symantec, the group mainly launched campaigns for sabotage and destruction of critical infrastructure and energy companies around the world. Berserk Bear campaigns have used a variety of infection vectors to steal credentials, gain access to a victim’s network, including spam emails, watering hole attacks, and malicious software.

Best practices