We are slowly easing through the languorous days of fall, reluctantly trading daylight for darkness, feeling the crunch of leaves, inhaling the smoke-tinged air that marks the fullness of the season. Soon it will be All Hallows Eve, a night when witches ride high across cloud-strewn skies and spirits restlessly roam the earth below. They will be joined by millions of children less concerned about the spirits than the potential bounty that awaits behind closed doors. Tiny princesses will race alongside pirates and ballerinas, each eager to ring a doorbell and shout in unison “trick or treat!” Older adolescents and young adults will gorge on horror shows, feasting on the fright inspired by vampires, werewolves, goblins, and countless maladjusted individuals who act out in truly horrific fashion. Those who’ve been around for a while may think of frightening figures such as Nosferatu, Frankenstein’s monster, the Mummy, and more recently Candyman, Pennywise, Leatherface, and Berserk Bear.

Astute readers may have tripped over Berserk Bear, but Berserk Bear may be very scary indeed. The world was introduced to Berserk Bear in CrowdStrike’s 2014 Global Threat Intel Report. “Proactive analysis during 2014 revealed another Russian actor that has not encountered public exposure, yet appears to have been tasked by Russian state interests. BERSERK BEAR has conducted operations from 2004 through to the present day, primarily aimed at collecting intelligence but has also provided capability in support of offensive operations in parallel to the Russia/Georgia conflict in August 2008.”

Since then, the legend of Berserk Bear has grown. In 2016 it was reported to be attacking energy interests in the Middle East. In September of 2017, Symantec said Berserk Bear had penetrated firms in the U.S., Turkey, and Switzerland, and had the ability to cause mass power outages, shut down electrical grids, and disrupt utilities. That report was confirmed last Friday, when the Department of Homeland Security (DHS) and the FBI issued an alert warning critical infrastructure companies of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

What we know at this point is that the attacks have been successful, and critical parts of the infrastructure have been breached. DHS has reported the attack is ongoing. There are no reports of damage to this point. We are left to speculate as to motivation, and what might happen next. Like many scary stories, this one may have a sequel. Stay tuned.

By Tom Davis, SDI Cyber Risk Practice

October 24, 2017