Over the last half a decade, Russian state-sponsored hackers have triggered blackouts in Ukraine, released history’s most destructive computer worm, and stolen and leaked emails from Democratic targets in an effort to help elect Donald Trump. In that same stretch, one particular group of Kremlin-controlled hackers has gained a reputation for a very different habit: walking right up to the edge of cybersabotage—sometimes with hands-on-the-switches access to US critical infrastructure—and stopping just short.
Last week the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published an advisory warning that a group known as Berserk Bear—or alternately Energetic Bear, TEMP.Isotope, and Dragonfly—had carried out a broad hacking campaign against US state, local, territorial, and tribal government agencies, as well aviation sector targets. The hackers breached the networks of at least two of those victims. The news of those intrusions, which was reported earlier last week by the news outlet Cyberscoop, presents the troubling but unconfirmed possibility that Russia may be laying the groundwork to disrupt the 2020 election with its access to election-adjacent local government IT systems.
In the context of Berserk Bear’s long history of US intrusions, though, it’s much harder to gauge the actual threat it poses. Since as early as 2012, cybersecurity researchers have been shocked to repeatedly find the group’s fingerprints deep inside infrastructure around the globe, from electric distribution utilities to nuclear power plants. Yet those researchers also say they’ve never seen Berserk Bear use that access to cause disruption. The group is a bit like Chekhov’s gun, hanging on the wall without being fired through all of Act I—and foreshadowing an ominous endgame at a critical moment for US democracy.
“What makes them unique is the fact that they have been so focused on infrastructure throughout their existence, whether it’s mining, oil, and natural gas in different countries or the grid,” says Vikram Thakur, a researcher at security firm Symantec who has tracked the group over several distinct hacking campaigns since 2013.
The US gov called out a lot of Russian hackers' cyberattacks in the past week. But most puzzling are the warnings about those who *haven't* attacked. What are we to make of a group that's dug into US infrastructure for years but never pulled the trigger? https://t.co/q0hGqDWzl8
— Andy Greenberg (@a_greenberg) October 27, 2020