Dark Web Profile: Berserk Bear

Berserk Bear is an FSB-linked espionage group active since at least 2010 that conducts long-running, stealthy intrusions against critical infrastructure, especially energy, telecom, aviation, and state/local networks. Their campaigns reuse legitimate admin tools, trojanize vendor software, and exploit router vulnerabilities (notably CVE-2018-0171) while deploying implants such as Havex to maintain persistent access. #BerserkBear #Havex

Keypoints

  • Berserk Bear (also tracked historically as TeamSpy, Dragonfly, Energetic Bear, Havex, Crouching Yeti, Koala) is linked to the Russian FSB and has been active since at least 2010, focusing on long-term espionage rather than immediate financial gain.
  • The group targets critical infrastructure (energy and utilities), ICS/OT environments, telecommunications, aviation, SLTT networks, and research/academic institutions to steal design documents, credentials, and configuration files.
  • Initial access methods include spearphishing attachments/links, watering-hole compromises, trojanized vendor installers (supply-chain), and exploitation of public-facing applications and router weaknesses.
  • Persistence techniques emphasize router/switch compromise (e.g., exploiting Cisco Smart Install CVE-2018-0171 and router implants like SYNful Knock) plus backdoors on hosts and manipulated accounts/registry entries.
  • Post-compromise activity focuses on credential theft (NTLM, SAM, NTDS, LSA secrets), environment discovery (network, ICS devices, router configs), lateral movement via RDP/PsExec/pass-the-hash, and covert exfiltration (zipped archives over blended C2 channels).
  • Defensive priorities include MFA, rapid patching (including network gear), restricting management interfaces, hardening vendor supply chains, using EDR/allow-listing, and maintaining tested incident response and backups.

MITRE Techniques

  • [T1087.002] Account Discovery: Domain Account – They used batch scripts to enumerate domain users.
  • [T1098.007] Account Manipulation: Additional Local or Domain Groups – They added accounts to administrator groups.
  • [T1583.001] Acquire Infrastructure: Domains – They registered domains for targeting.
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – They acquired VPS infrastructure.
  • [T1595.002] Active Scanning: Vulnerability Scanning – They scanned for Citrix and Exchange vulnerabilities.
  • [T1071.002] Application Layer Protocol: File Transfer Protocols – They used SMB for C2.
  • [T1560] Archive Collected Data – They compressed data into .zip files.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – They added a Registry Run key value named ntdll for persistence.
  • [T1110] Brute Force – They attempted credential brute force.
  • [T1110.002] Password Cracking – They ran Hydra and CrackMapExec.
  • [T1059] Command and Scripting Interpreter – They used command-line interpreters.
  • [T1059.001] PowerShell – They ran PowerShell scripts.
  • [T1059.003] Windows Command Shell – They used batch scripts.
  • [T1059.006] Python – They used Python and installed Python 2.7.
  • [T1584.004] Compromise Infrastructure: Server – They compromised websites to host C2 and modules.
  • [T1136.001] Create Account: Local Account – They created local and administrator accounts.
  • [T1005] Data from Local System – They collected local system data.
  • [T1074.001] Data Staged: Local Data Staging – They staged data in %AppData%\out.
  • [T1189] Drive-by Compromise – They used strategic web compromise and a custom exploit kit.
  • [T1114.002] Email Collection: Remote Email Collection – They accessed email via Outlook Web Access.
  • [T1190] Exploit Public-Facing Application – They exploited Citrix, Exchange, and Fortinet CVEs.
  • [T1203] Exploitation for Client Execution – They exploited Adobe Flash CVE-2011-0611.
  • [T1210] Exploitation of Remote Services – They exploited Netlogon CVE-2020-1472.
  • [T1133] External Remote Services – They used VPNs and OWA for remote access.
  • [T1083] File and Directory Discovery – They used batch scripts to list files and folders.
  • [T1187] Forced Authentication – They harvested hashed credentials via SMB and modified .LNK icons.
  • [T1591.002] Gather Victim Org Information: Business Relationships – They collected OSINT on business relationships.
  • [T1564.002] Hide Artifacts: Hidden Users – They modified the Registry to hide accounts.
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – They disabled host firewalls and opened RDP port 3389.
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – They cleared Windows and other logs.
  • [T1070.004] Indicator Removal: File Deletion – They deleted files and screenshots.
  • [T1105] Ingress Tool Transfer – They copied and installed tools on victims.
  • [T1036.010] Masquerading: Masquerade Account Name – They created accounts that looked like service or backup accounts.
  • [T1112] Modify Registry – They used Reg to change Registry settings.
  • [T1135] Network Share Discovery – They browsed file servers and viewed ICS/SCADA files.
  • [T1588.002] Obtain Capabilities: Tool – They used Mimikatz, CrackMapExec, and PsExec.
  • [T1003.002] OS Credential Dumping: Security Account Manager – They ran SecretsDump to dump SAM hashes.
  • [T1003.003] OS Credential Dumping: NTDS – They dumped NTDS and obtained ntds.dit.
  • [T1003.004] OS Credential Dumping: LSA Secrets – They dumped LSA secrets with SecretsDump.
  • [T1069.002] Permission Groups Discovery: Domain Groups – They enumerated domain admins and users via batch scripts.
  • [T1566.001] Phishing: Spearphishing Attachment – They sent emails with malicious attachments.
  • [T1598.002] Phishing for Information: Spearphishing Attachment – They used Office attachments to harvest credentials.
  • [T1598.003] Phishing for Information: Spearphishing Link – They used PDFs with links to credential-harvesting sites.
  • [T1012] Query Registry – They queried the Registry for victim information.
  • [T1021.001] Remote Services: Remote Desktop Protocol – They moved laterally via RDP.
  • [T1018] Remote System Discovery – They obtained host lists in the environment.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – They used scheduled tasks to log out accounts and run files.
  • [T1113] Screen Capture – They captured screens using scr.exe (ScreenUtil).
  • [T1505.003] Server Software Component: Web Shell – They installed web shells on public-facing servers.
  • [T1608.004] Stage Capabilities: Drive-by Target – They compromised sites to host exploit kits.
  • [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – They trojanized vendor installers for control system software.
  • [T1016] System Network Configuration Discovery – They used batch scripts to enumerate trusts and zones.
  • [T1033] System Owner/User Discovery – They ran "query user" on victim hosts.
  • [T1221] Template Injection – They injected SMB URLs into Word attachments to force authentication.
  • [T1204.002] User Execution: Malicious File – They used spearphishing to get users to open attachments.
  • [T1078] Valid Accounts – They used compromised valid credentials.
  • [T0817] Drive-by Compromise (ICS) – They used watering-hole redirects to deliver Backdoor.Oldrea or Trojan.Karagany.
  • [T0862] Supply Chain Compromise (ICS) – They trojanized ICS vendor software packages.
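Several of the host-level techniques above leave distinctive traces in Windows Security and Sysmon telemetry: account creation under service- or backup-style names, members added to administrator groups, a Run key value named ntdll, SpecialAccounts\UserList entries that hide users, netsh commands that disable the firewall or open TCP/3389, credential-dumping tool names on the command line, and audit-log clearing. The Python below is an added example written for this profile, not code from SOCRadar or any referenced advisory. The event records are constructed samples shaped like a JSON export of those logs; the field names (EventID, TargetUserName, GroupName, TargetObject, CommandLine) and the account-name pattern are assumptions about that export, so map them to your own SIEM schema before use.

```python
"""Rule-based triage of Windows Security / Sysmon events for Berserk Bear-style
host activity. Constructed sample data; field names assume a JSON log export."""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). EventID 4720/4732/4688/1102 are
# Windows Security IDs; EventID 13 is Sysmon "registry value set".
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "GroupName": "Administrators", "MemberName": "svc_backup2"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntdll",
     "Details": r"C:\Users\Public\ntdll.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svc_backup2",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 4688, "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 4688, "CommandLine": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"EventID": 4688, "CommandLine": r"python.exe C:\Users\Public\secretsdump.py <args-redacted>"},
    {"EventID": 1102, "SubjectUserName": "svc_backup2"},
    {"EventID": 4688, "CommandLine": "notepad.exe readme.txt"},            # benign
    {"EventID": 4720, "TargetUserName": "alice.smith", "SubjectUserName": "hr_admin"},  # benign
]

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
# Names that mimic service/backup accounts (T1036.010); tune to local naming conventions.
LOOKALIKE_ACCOUNT = re.compile(r"^(svc|service|backup|bkp|sql|admin)[_\-.]?", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
HIDDEN_USER_KEY = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\", re.I)
FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
RDP_OPEN = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*localport=3389", re.I)
CRED_TOOLS = re.compile(r"(secretsdump|mimikatz|ntdsutil|crackmapexec)", re.I)


@dataclass
class Hit:
    technique: str
    reason: str
    event: dict


def check_event(ev):
    """Return the list of technique hits a single event triggers (possibly empty)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 4720 and LOOKALIKE_ACCOUNT.match(ev.get("TargetUserName", "")):
        hits.append(Hit("T1136.001/T1036.010", "new account with service/backup-style name", ev))
    if eid in (4728, 4732, 4756) and ev.get("GroupName", "").lower() in ADMIN_GROUPS:
        hits.append(Hit("T1098.007", f"member added to {ev['GroupName']}", ev))
    if eid in (13, 4657):
        target = ev.get("TargetObject", "") or ev.get("ObjectName", "")
        if RUN_KEY.search(target):
            hits.append(Hit("T1547.001", "Run key value written: " + target.rsplit("\\", 1)[-1], ev))
        if HIDDEN_USER_KEY.search(target):
            hits.append(Hit("T1564.002", "SpecialAccounts\\UserList entry (hidden user)", ev))
    if eid in (1, 4688):
        cmd = ev.get("CommandLine", "")
        if FIREWALL_OFF.search(cmd):
            hits.append(Hit("T1562.004", "host firewall disabled via netsh", ev))
        if RDP_OPEN.search(cmd):
            hits.append(Hit("T1562.004", "inbound firewall rule added for TCP/3389", ev))
        if CRED_TOOLS.search(cmd):
            hits.append(Hit("T1003", "credential-dumping tool name on command line", ev))
    if eid == 1102:
        hits.append(Hit("T1070.001", "Security audit log cleared", ev))
    return hits


def triage(events):
    """Run every rule over every event and flatten the hits."""
    return [h for ev in events for h in check_event(ev)]


def technique_counts(events):
    """Summarise hits per technique, e.g. for a quick dashboard or alert threshold."""
    counts = {}
    for h in triage(events):
        counts[h.technique] = counts.get(h.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h.technique}] {h.reason}  <- EventID {h.event['EventID']}")
    print(technique_counts(SAMPLE_EVENTS))
```

Any single rule here fires on legitimate administration too; the value is in correlating them on one host within a short window (a new look-alike account, then an admin-group add, then firewall changes) and in treating EventID 1102 as high-severity regardless.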

Indicators of Compromise

  • [Malware / Implants] context – Havex (Oldrea/Havex) backdoor used in trojanized ICS installers, Backdoor.Oldrea and Trojan.Karagany delivered via watering holes.
  • [Vulnerabilities (CVEs)] context – CVE-2018-0171 (Cisco Smart Install exploited in Static Tundra), CVE-2011-0611 (Adobe Flash) and CVE-2020-1472 (Netlogon) used to gain access.
  • [File names / Paths] context – Staging and artifact names and locations: .zip archives (compressed exfiltration), %AppData%\out (local staging), scr.exe (ScreenUtil used for screen capture), ntdll (Registry Run key value name used for persistence).
  • [Tools / Utilities] context – Offensive or admin tools observed: TeamViewer abused for remote control, Mimikatz and SecretsDump for credential dumping, CrackMapExec and PsExec for lateral movement.
  • [Infrastructure artifacts] context – Registered domains and VPSes used for C2 and hosting exploit kits (article notes domains/VPS were acquired for targeting; specific domain names were not listed).
  • [Router/Network implants] context – Router-level persistence examples: SYNful Knock historic implant and stolen device configs from Static Tundra (mass exfiltration of router configurations and modified settings).
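The router-side indicators (Smart Install CVE-2018-0171, exposed management interfaces, and the mass theft of device configurations attributed to Static Tundra) are easiest to hunt for in your own running-configs before an intruder reads them. The Python below is an added example, not SOCRadar's or Cisco's code. It audits an IOS-style configuration for the Smart Install client ("no vstack" is the documented way to disable it where it is not needed), cleartext HTTP management, reversible "enable password" storage, read-write SNMP communities, and VTY lines that allow telnet or carry no access-class. The two sample configurations, the ACL name MGMT-ACL, and the assumption that a VTY line without a "transport input" statement defaults to "all" are all constructed for the example.

```python
"""Audit an IOS-style running-config for the network-device weaknesses this
profile highlights. Both sample configs below are constructed, not captured."""
import re

# Constructed sample: a switch config exhibiting the weaknesses to look for.
WEAK_CONFIG = """\
hostname edge-sw01
!
ip http server
no ip http secure-server
!
enable password PLACEHOLDER-WEAK
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT-ACL in
 transport input ssh
 login local
!
end
"""

# Constructed sample: the same device after hardening.
HARDENED_CONFIG = """\
hostname edge-sw01
!
no vstack
!
no ip http server
ip http secure-server
!
enable secret PLACEHOLDER-HASH
!
snmp-server community monitoring RO
!
line vty 0 15
 access-class MGMT-ACL in
 transport input ssh
 login local
!
end
"""


def parse_sections(config_text):
    """Split an IOS-style config into top-level lines and the indented block under each."""
    top_level, blocks = [], {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank lines and comment separators
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            line = raw.strip()
            top_level.append(line)
            current = line
            blocks.setdefault(line, [])
    return top_level, blocks


def audit_ios_config(config_text):
    """Return (label, advice) findings; an empty list means no checked weakness was found."""
    top_level, blocks = parse_sections(config_text)
    findings = []
    # Smart Install client (CVE-2018-0171 surface): absent 'no vstack' is treated as exposed.
    if "no vstack" not in top_level:
        findings.append(("smart-install", "Smart Install client not disabled: add 'no vstack' "
                         "and block TCP/4786 at network boundaries"))
    if "ip http server" in top_level:
        findings.append(("http-mgmt", "cleartext HTTP management enabled: 'no ip http server', "
                         "keep HTTPS behind an ACL"))
    if any(line.startswith("enable password") for line in top_level):
        findings.append(("enable-password", "'enable password' is reversible: use 'enable secret'"))
    for line in top_level:
        m = re.match(r"snmp-server community (\S+) RW", line)
        if m:
            findings.append(("snmp-rw", f"SNMP read-write community '{m.group(1)}': "
                             "remove it or restrict it with an ACL"))
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        # Assumption: a VTY with no 'transport input' line is treated as 'all' (older default).
        transport = next((b for b in body if b.startswith("transport input")), "transport input all")
        if "telnet" in transport or transport.endswith("all"):
            findings.append(("vty-telnet", f"{header}: telnet permitted ({transport}); "
                             "use 'transport input ssh'"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("vty-no-acl", f"{header}: no access-class restricting management sources"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_ios_config(cfg))} finding(s)")
        for label, advice in audit_ios_config(cfg):
            print(f"  [{label}] {advice}")
```

Run it over configs pulled by your normal backup job rather than by logging into devices ad hoc, and diff successive backups as well: Static Tundra's reported activity involved modified settings, so an unexpected change to VTY transport, access-class, or SNMP lines between two backups is itself an indicator worth investigating.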


Read more: https://socradar.io/dark-web-profile-berserk-bear/