Berserk Bear, also tracked as Dragonfly, Crouching Yeti, and several other names, has compromised networks across several continents since at least 2010. In that time, Berserk Bear has infiltrated numerous industrial and critical infrastructure entities, but with no known, deliberate disruptive effect. In this sense, Berserk stands apart from other Russian intelligence-linked groups targeting critical infrastructure, such as Sandworm, which caused multiple disruptions at various entities over the same period.
Berserk thus appears to be a curious entity: capable of leveraging sophisticated techniques, such as vendor and supply chain intrusions, to breach some of the most sensitive civilian institutions in Europe and North America, while seemingly doing nothing with that access. Yet such activity, for all its lack of direct impact, is not benign, and likely does not represent mere information gathering. Rather, Berserk's actions represent long-term capability and access development designed to prepare for action in the most frightening of environments: outright conflict between Berserk's sponsors or directors (likely Russian strategic leadership) and various Western interests.
In this paper, we will explore Berserk Bear's decade of operations, including an overview of its technical capabilities and efforts, to understand this enigmatic threat actor. Along the way, we will uncover items previously linked to this group's activity and also disclose likely physical disruptions caused accidentally by this group, resulting in significant damage to victim environments. Through this discussion, we will not only learn more about a particularly interesting threat actor, but also examine vital aspects of supply chain intrusions, cyber contributions to preparation for kinetic warfare, and what happens when intrusions in cyber-physical environments produce unintended results.
Got a question about this presentation? To get in touch with the speaker, contact Joe on Twitter at @jfslowik or by email at [email protected].