In 2017, Symantec discovered the same hackers carrying out a more targeted set of attacks against US energy sector targets. At the time, the security researchers described it as a “handful” of victims, but Thakur now says they numbered in the dozens, ranging from coal mining operations to electric utilities. In some cases, Symantec found, the hackers had gone so far as to screenshot control panels of circuit breakers, a sign that their reconnaissance efforts had gone deep enough that they could have started “flipping switches” at will—likely enough to cause some sort of disruption if not necessarily a sustained blackout. But again, the hackers appear not to have taken full advantage. “We did not see them turning off the lights anywhere,” he says.
Six months later, in February of 2018, the FBI and DHS would warn that the hacking campaign—which they named Palmetto Fusion—had been carried out by Russian state-sponsored hackers, and also confirmed reports that the hackers’ victims had included at least one nuclear power generation facility. The hackers had gained access only to the utility’s IT network, though, not its far more sensitive industrial control systems.
Today Berserk Bear is widely suspected of working in the service of Russia’s FSB internal intelligence agency, the successor to the Soviet-era KGB. CrowdStrike’s Meyers says the company’s analysts have come to that conclusion with “pretty decent confidence,” due in part to evidence that aside from its foreign infrastructure hacking, Berserk Bear has also periodically targeted domestic Russian entities and individuals, including political dissidents and potential subjects of law enforcement and counterterrorism investigation, all in line with the FSB’s mission.
That’s a contrast with other widely reported state-sponsored Russian hacking groups Fancy Bear and Sandworm, who have been identified as members of Russia’s GRU military intelligence agency. Fancy Bear hackers were indicted in 2018 for breaching the Democratic National Committee and the Clinton campaign in a hack-and-leak operation designed to interfere with the 2016 US presidential election. Six alleged members of Sandworm were indicted by the US…