Presentation information

The baffling Berserk Bear: a decade’s activity targeting critical infrastructure

Joe Slowik (Paralus LLC)
live only
UTC on Day 3
FRIDAY 02 OCTOBER
Berserk Bear, alternatively referred to as Dragonfly, Crouching Yeti, and several other names, has compromised multiple networks across several continents since at least 2010. In that time, Berserk Bear infiltrated numerous industrial and critical infrastructure entities – but with no known, deliberate disruptive effect. In this sense, Berserk stands apart from other entities targeting critical infrastructure linked to Russian intelligence organizations, such as Sandworm, which induced multiple disruptions in various entities over the same period.

Berserk thus appears a curious entity: capable of leveraging various sophisticated techniques, such as vendor and supply chain intrusions, to breach some of the most sensitive civilian institutions in Europe and North America, while seemingly doing nothing with such access. Yet such activity for all its lack of direct impact is not benign, and likely does not represent mere information gathering. Rather, Berserk’s actions represent long-term capability and access development designed to prepare for action in the most frightening of environments: outright conflict between Berserk’s sponsors or directors (likely Russian strategic leadership) and various Western interests.

In this paper, we will explore Berserk Bear’s decade of operations, including an overview of technical capabilities and efforts, to understand this enigmatic threat actor. While doing so, we will uncover items previously linked to this group’s activity and also disclose likely physical disruption operations caused by this group accidentally, resulting in significant damage to victim environments. As a result of this discussion, we will not only learn more about a particularly interesting threat actor, we will also discover vital aspects concerning supply chain intrusions, cyber contributions to preparation for kinetic warfare, and what happens when intrusions in cyber-physical environments produce unintended results.
Joe Slowik
Paralus LLC Joe Slowik conducts threat research covering critical and industrial infrastructure. Since 2009, Joe has contributed to a variety of national security and commercial missions from the US Navy to various industrial sectors, while also producing significant research and analysis for general threat intelligence and threat hunting purposes.
arrow left Back

The baffling Berserk Bear: a decade’s activity targeting critical infrastructure

Joe Slowik (Paralus LLC)
Berserk Bear, alternatively referred to as Dragonfly, Crouching Yeti, and several other names, has compromised multiple networks across several continents since at least 2010. In that time, Berserk Bear infiltrated numerous industrial and critical infrastructure entities – but with no known, deliberate disruptive effect. In this sense, Berserk stands apart from other entities targeting critical infrastructure linked to Russian intelligence organizations, such as Sandworm, which induced multiple disruptions in various entities over the same period.

Berserk thus appears a curious entity: capable of leveraging various sophisticated techniques, such as vendor and supply chain intrusions, to breach some of the most sensitive civilian institutions in Europe and North America, while seemingly doing nothing with such access. Yet such activity for all its lack of direct impact is not benign, and likely does not represent mere information gathering. Rather, Berserk’s actions represent long-term capability and access development designed to prepare for action in the most frightening of environments: outright conflict between Berserk’s sponsors or directors (likely Russian strategic leadership) and various Western interests.

In this paper, we will explore Berserk Bear’s decade of operations, including an overview of technical capabilities and efforts, to understand this enigmatic threat actor. While doing so, we will uncover items previously linked to this group’s activity and also disclose likely physical disruption operations caused by this group accidentally, resulting in significant damage to victim environments. As a result of this discussion, we will not only learn more about a particularly interesting threat actor, we will also discover vital aspects concerning supply chain intrusions, cyber contributions to preparation for kinetic warfare, and what happens when intrusions in cyber-physical environments produce unintended results.
Joe Slowik
Paralus LLC Joe Slowik conducts threat research covering critical and industrial infrastructure. Since 2009, Joe has contributed to a variety of national security and commercial missions from the US Navy to various industrial sectors, while also producing significant research and analysis for general threat intelligence and threat hunting purposes.