Over the last few years, the activity of a group called Berserk Bear has caught the attention of the cybersecurity community. According to some sources, this group is also known as Dragonfly 2.0, or, as MITRE states, the two groups have at least some overlap). The group seems to have been active since 2011, and reemerged in 2014, and began to carry out serious cyberattacks in 2017.

That year, the German Federal Office for the Protection of the Constitution (BfV), which is in charge of the country’s domestic intelligence, reported that they had detected a cyberattack on the IT networks of German electricity and energy companies. These attacks originated in Russia, although, as is usually the case in cyberwar, the Kremlin denied any involvement. However, back in May, Berserk Bear once against resurfaced in Germany.

Possible Watering Hole_

According to an anonymous source in the German Government who spoke with Cyberscoop, several companies in the energy and electricity sector were once again targeted in cyberattacks carried out by this group. Analysts didn’t go into details about the attack on this occasion, but they believe they used both publicly available malware and malware specifically designed by the group. They also believe that the aim was not simply to obtain information from IT networks, but also to try to take over OT industrial control systems. This is why this group poses a huge threat.

In any case, experts believe that Berserk Bear tends to use a kind of attack called a watering hole. According to the MITRE denomination, this is a kind of drive-by compromise. Broadly speaking, the attack process is as follows:

  • The cyberattacker modifies the public website by inserting malicious code, via JavaScript, iFrames, or cross-site scripting. US-CERT suggests that Berserk Bear/Dragonfly tends to target websites with industrial information or information related to control processes that engineers or technicians often consult.
  • In this case, the malicious code aims to gather credentials from certain victims: Employees in organizations with critical infrastructure. To do this, it may limit its credential gathering to certain IP addresses.
  • Having gathered these credentials, the cyberattackers can then access the victims’ personal emails or even the intranet of the organization, which, in some cases, is linked to industrial OT systems. This way, they can copy industrial configurations and gain direct control of certain processes, even if they don’t manage to stop them.
  • The FBI’s forensic analysis has also determined that the group tries to erase their tracks, deleting registries and any malware installed if it has been used.

In other cases, Dragonfly hasn’t carried out watering hole attacks via websites. Instead, they’ve used email as an attack vector, employing spear phishing, making their victims believe that they were in an HR recruitment process for a competitor, for example.

Captura de pantalla de una Interfaz hombre máquina (HMI) o panel de control a la que Berserk Bear/DragonFly tuvo acceso, de acuerdo con la investigación forense del DHS y el FBI.

Screenshot of a human machine interface (HMI) or dashboard accessed by Berserk Bear/Dragonfly, from the DHS and FBi forensic investigation.

The greatest possible protection_

To avoid such cases, the German federal agencies and the DHS and FBI in the USA recommend that network administrators and CISOs perform comprehensive analyses of all IP addresses, domains, and systems in the organization in order to detect any anomalous behavior. They also recommend incorporating the signatures, YARA and Snort for the malware used by Dragonfly/Berserk Bear into their registries in order to be able to identify them.However, given that it is a highly advanced group that uses Living-off-the-Land techniques, their next cyberattacks are likely to use malware with new characteristics.As such, measures based on past cyberattacks are not enough.

This is why it is a good idea to have the support of an EDR system that uses an zero-trust approach. This way, you can stop any binary from running until it can be classified as trusted, thus stopping unknown malware. In addition to this, given that Berserk Bear uses watering holes on websites and email, it is also a good idea for organizations to ensure that their cybersecurity systems incorporate email and browser protection, as well as category-based URL filtering. All of this is brought together in Cytomic EDPR.

In the end, the critical infrastructure that countries need in order to function is at risk. Not only do many companies and the economy rely on this infrastructure, but so too do the lives of many people, as experts such as Antonio Grimaltos have explained. This is why these infrastructures require the most advanced, most comprehensive cybersecurity possible.