In 2017, Symantec discovered the same hackers carrying out a more targeted set of attacks against US energy sector targets. At the time, the security researchers described it as a “handful” of victims, but Thakur now says they numbered in the dozens, ranging from coal mining operations to electric utilities. In some cases, Symantec found, the hackers had gone so far as to screenshot control panels of circuit breakers, a sign that their reconnaissance efforts had gone deep enough that they could have started “flipping switches” at will—likely enough to cause some sort of disruption if not necessarily a sustained blackout. But again, the hackers appear not to have taken full advantage. “We did not see them turning off the lights anywhere,” he says.
Six months later, in February of 2018, the FBI and DHS would warn that the hacking campaign—which they named Palmetto Fusion—had been carried out by Russian state-sponsored hackers, and also confirmed reports that the hackers’ victims had included at least one nuclear power generation facility. The hackers had gained access only to the utility’s IT network, though, not its far more sensitive industrial control systems.
Today Berserk Bear is widely suspected of working in the service of Russia’s FSB internal intelligence agency, the successor to the Soviet-era KGB. CrowdStrike’s Meyers says the company’s analysts have come to that conclusion with “pretty decent confidence,” due in part to evidence that aside from its foreign infrastructure hacking, Berserk Bear has also periodically targeted domestic Russian entities and individuals, including political dissidents and potential subjects of law enforcement and counterterrorism investigation, all in line with the FSB’s mission.
That’s a contrast with other widely reported state-sponsored Russian hacking groups Fancy Bear and Sandworm, who have been identified as members of Russia’s GRU military intelligence agency. Fancy Bear hackers were indicted in 2018 for breaching the Democratic National Committee and the Clinton campaign in a hack-and-leak operation designed to interfere with the 2016 US presidential election. Six alleged members of Sandworm were indicted by the US Department of Justice last week in connection with cyberattacks that have caused two blackouts in Ukraine, the NotPetya malware outbreak that inflicted $10 billion in damage globally, and the attempted sabotage of the 2018 Winter Olympics.
Berserk Bear appears to be the FSB’s more restrained version of the GRU’s Sandworm cyberwar unit, says John Hultquist, director of intelligence at FireEye. “This is an actor whose mission appears to be to hold critical infrastructure under threat,” Hultquist says. “The difference is we’ve never seen them actually pull the trigger.”
Just why Berserk Bear would toe the line of critical infrastructure disruption without crossing it over so many years remains a subject of debate. Hultquist argues that the group may be preparing for a potential future geopolitical conflict, one that warrants an act of cyberwar such as attacking an enemy’s power grid—what cybersecurity analysts have long described as “preparing the battlefield.”
The latest round of Berserk Bear breaches could be that sort of preparation, Hultquist warns, for coming attacks on state, municipal, and other local governments responsible for administering the current election. According to cybersecurity firm Symantec, three of Berserk Bear’s attempted operations also targeted airports on the West coast of the United States, including San Francisco International Airport. Symantec’s Thakur imagines a future where Berserk Bear is mobilized to cause disruptive—if not necessarily disastrous—effects, like “lights out in a small part of the country, or a certain airline has trouble refueling their planes.”
But CrowdStrike’s Meyers, who has tracked Berserk Bear for eight years, says he’s come to believe that the group may be playing a more subtle game, one that has more indirect but immediate, psychological effects. Every one of its breaches, no matter how seemingly minor, triggers a disproportionate technical, political, and even emotional response. “If you can make US-CERT or CISA deploy a team every time they find a Berserk Bear target, if you can make them publish stuff for the American public and get their partners from the intelligence community and law enforcement involved, you’re basically doing a resource attack against the machine,” Meyers says, drawing an analogy with a hacker technique that overwhelms a target computer’s resources with requests. Meyers points out that last week’s CISA advisory describes widespread scanning for potential victims, not the quieter, more targeted tactics of a group making stealth its highest priority. “The more they can run these theatrics, the more they can make us go freaking nuts… They’re getting us spun up. They’re burning our cycles.”