The Russian Hackers Playing 'Chekhov's Gun' With US Infrastructure

Over the last half a decade, Russian state-sponsored hackers have triggered blackouts in Ukraine , released history's most destructive computer worm , and stolen and leaked emails from Democratic targets in an effort to help elect Donald Trump . In that same stretch, one particular group of Kremlin-controlled hackers has gained a reputation for a very different habit: walking right up to the edge of cybersabotage—sometimes with hands-on-the-switches access to US critical infrastructure—and stopping just short.
Last week the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency published an advisory warning that a group known as Berserk Bear—or alternately Energetic Bear, TEMP.Isotope, and Dragonfly—had carried out a broad hacking campaign against US state, local, territorial, and tribal government agencies, as well aviation sector targets. The hackers breached the networks of at least two of those victims. The news of those intrusions, which was reported earlier last week by the news outlet Cyberscoop, presents the troubling but unconfirmed possibility that Russia may be laying the groundwork to disrupt the 2020 election with its access to election-adjacent local government IT systems.In the context of Berserk Bear's long history of US intrusions, though, it's much harder to gauge the actual threat it poses. Since as early as 2012, cybersecurity researchers have been shocked to repeatedly find the group's fingerprints deep inside infrastructure around the globe, from electric distribution utilities to nuclear power plants. Yet those researchers also say they've never seen Berserk Bear use that access to cause disruption. The group is a bit like Chekhov's gun, hanging on the wall without being fired through all of Act I—and foreshadowing an ominous endgame at a critical moment for US democracy.
"What makes them unique is the fact that they have been so focused on infrastructure throughout their existence, whether it's mining, oil, and natural gas in different countries or the grid," says Vikram Thakur, a researcher at security firm Symantec who has tracked the group over several distinct hacking campaigns since 2013. And yet Thakur notes that in all that time, he's only seen the hackers carry out what appear to be reconnaissance operations. They gain access and steal data, but despite ample opportunity never actually exploit sensitive systems to attempt to cause a blackout, plant data-destructive malware, or deploy any other sort of cyberattack payload.
Instead, the intruders seem content simply demonstrating that they can gain that troubling level of reach into infrastructure targets again and again. "I see them having operated for seven years and till today, I've come across no evidence of them having done something," Thakur says. "And that makes me lean toward the theory that they're sending a message: I am in your critical infrastructure space, and I can come back if I want to."

A Long Hibernation

In the summer of 2012, Adam Meyers, the vice president of intelligence at security firm CrowdStrike, remembers first coming across the group's sophisticated backdoor malware, known as Havex, in an energy sector target in the Caucasus region. (CrowdStrike initially called the hackers Energetic Bear due to the energy sector targeting, but later changed the name to Berserk Bear when the group switched up its tools and infrastructure.) "It was the coolest thing I'd ever seen at the time," Meyers says. Crowdstrike would soon find Havex in other energy-related networks around the world—years before other Russian hackers would carry out the world's first blackout-inducing cyberattack in 2015 against Ukraine.
In June of 2014 Symantec published a comprehensive report on the group, which it called Dragonfly. In dozens of intrusions against oil and gas and electric utilities in the US and Europe, the hackers had used "watering hole" attacks that compromised websites their targets visited to plant Havex on their machines. They also hid their malware in infected versions of three different software tools commonly used by industrial and energy firms. Symantec's Thakur says in that first wave of attacks the company found that the hackers had stolen detailed industrial control system data from their victims. He never saw evidence, however, that the hackers went so far as to attempt to disrupt any target's operations—though given the scale of the campaign, he admits he can't be sure.