Dark Web Profile: Berserk Bear
Berserk Bear is a Russian state-sponsored cyber espionage group linked to the FSB. They have been active since at least 2010 under many names (Dragonfly, Energetic Bear, Havex, Crouching Yeti, Koala, TeamSpy, etc.) and specialize in penetrating critical infrastructure.
Who Is Berserk Bear?
Berserk Bear’s earliest known activity traces back to the TeamSpy campaign, uncovered in 2013 by CrySyS Lab after a warning from the Hungarian National Security Authority. Investigators found command-and-control servers and malware samples that had been in use since 2010.
The attackers misused the TeamViewer remote access tool to gain control of infected machines, allowing them to collect data from both everyday users and high-value targets. Victims included industrial firms, research bodies, and diplomatic organizations, showing that the operation aimed at long-term espionage rather than quick profit. What started as TeamSpy was later recognized as the foundation of the group now tracked as Berserk Bear.
[Figure: Threat actor card for Berserk Bear]
Berserk Bear is an FSB-linked hacking unit and should not be confused with GRU teams like Sandworm (Unit 74455), which specialize in disruptive operations. Instead, Berserk Bear focuses on espionage aligned with the FSB’s broader cyber mission.
The FSB reportedly runs two main centers: the 16th Center (which handles signals intelligence and foreign cyber targeting) and the 18th Center (which oversees domestic security but also operates abroad). Berserk Bear, part of Center 16, is tasked with penetrating critical infrastructure, especially in the energy sector, through reconnaissance and surveillance. This structure and mission are detailed in the Russian Cyber Units report by the Congressional Research Service.
Over more than a decade of activity, Berserk Bear has adapted its tactics and focus while keeping a consistent mission, gaining deep, long-term access to critical systems for intelligence collection.
Their earliest operation, TeamSpy (2010-2013), misused TeamViewer for remote surveillance of industrial, diplomatic, and research targets. Later campaigns like Dragonfly (2013-2014) and Dragonfly 2.0 (2015-2017) expanded into U.S. and European energy systems, while 2020 onward saw intrusions into state, local, and aviation networks. The U.S. DOJ’s 2022 indictment formally tied the group to the FSB. Most recently, in 2025, Cisco Talos and the FBI linked Berserk Bear to the Static Tundra campaign, exploiting old Cisco router vulnerabilities to infiltrate telecom and education networks.
[Figure: Key milestones of Berserk Bear's activity, 2010 to 2025]
What Are Berserk Bear’s Targets?
Berserk Bear’s primary focus lies in penetrating critical infrastructure, particularly in the Energy and Utility sectors. They often seek access to industrial control systems (ICS) and operational technology networks to map systems, steal design documents, and collect credentials. Over time, their reach has expanded: they also target government agencies, municipal networks, aviation systems, telecommunications infrastructure, and academic and research institutions.
For instance, during the Dragonfly / Havex campaigns they compromised energy and pipeline companies across Europe and North America. More recently, they infiltrated U.S. state, local, tribal, and territorial (SLTT) networks, including those connected to aviation systems. In 2025 they exploited a known Cisco router vulnerability (CVE-2018-0171) to gain long-term access to routers and switches across telecom, education, and infrastructure networks.
How Does Berserk Bear Operate?
Berserk Bear runs patient, multi-stage espionage campaigns. The group moves in small steps, focusing on staying hidden and collecting intelligence over long periods.
Initial Access
The group gains entry by phishing targeted individuals, by compromising websites engineers trust (watering-hole attacks), and by trojanizing legitimate vendor software in supply-chain attacks.
In early campaigns they embedded the Havex backdoor in ICS vendor installers and used drive-by compromises of industry websites to deliver malware. Later they also exploited public-facing application flaws and weak remote services to get inside.
Execution
Once a user or host is compromised, Berserk Bear runs remote-access tools and custom RATs. They have abused legitimate remote admin software (TeamViewer) and deployed Havex/Oldrea and other tailored implants. They also run scripts and common system interpreters (PowerShell, Windows command shell, Python) to execute tasks without dropping noisy binaries. This lets them act quickly while lowering detection risk.
Persistence
The group establishes long-term access using multiple methods. They create or manipulate accounts and registry autorun entries. They install backdoors on hosts. In later campaigns they gained persistence on network devices by exploiting Cisco Smart Install (CVE-2018-0171) and by leveraging router implants (historic examples include SYNful Knock). Persisting on routers and switches gives them a stealthy foothold that survives OS reboots and endpoint cleanups.
Privilege Escalation
Berserk Bear tries to capture NTLM hashes, force authentication to attacker servers, and dump local password stores. The group then reuses stolen credentials to access domain resources, elevate privileges, and reach OT systems. This credential-focused approach is a constant across their campaigns.
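The forced-authentication lure described here, and listed in the ATT&CK table below as T1221 and T1187, works by pointing a Word document's attached template at a UNC path so that Word authenticates to the attacker's server when the file is opened. The scanner below is an added example (not SOCRadar code) that checks a .docx for an external attached template with a remote target; the sample documents are constructed inline.

```python
"""Flag .docx files whose attached template points at a remote UNC/SMB or
HTTP location (the T1221 template-injection / T1187 forced-auth lure).
Added example, not SOCRadar code. Sample documents are constructed below."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE_SUFFIX = "/attachedTemplate"
# Targets that make Word reach out over the network when the file is opened.
# A purely local file:///C:/... template is not a forced-auth lure, so it is
# deliberately not matched (file:// must carry a host).
EXTERNAL_RE = re.compile(r"^(\\\\|//|file://(?!/)|https?://)", re.IGNORECASE)

def remote_template_targets(docx_bytes: bytes) -> list:
    """Return remote attachedTemplate targets found in a .docx (empty = clean)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Word stores the attached-template relationship next to settings.xml.
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        if rel.get("Type", "").endswith(TEMPLATE_TYPE_SUFFIX) and EXTERNAL_RE.match(target):
            hits.append(target)
    return hits

def build_docx(template_target=None) -> bytes:
    """Construct a minimal .docx; with template_target, add an external template rel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target:
            z.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                f'relationships/attachedTemplate" Target="{template_target}" '
                'TargetMode="External"/></Relationships>')
    return buf.getvalue()
```

Run it over mail-gateway quarantine or a sandbox's dropped files; any non-empty result is worth a look, since ordinary documents almost never attach a template from a UNC path.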
Discovery (Network and ICS/OT)
After they hold a foothold, they map the environment. They run network and file discovery scripts, enumerate domain accounts, and scan for vulnerable services. In energy-sector intrusions they ran ICS-specific probes, looking for OPC servers, PLCs, and other control devices, to map plant topology and identify control points. They also harvest router and switch configuration files to learn network paths and control points.
Lateral Movement and Pivoting
With credentials and network maps in hand, Berserk Bear moves laterally. They use remote services (RDP, PsExec) and pass-the-hash techniques to hop from corporate IT into engineering or OT segments. Compromised network devices often act as pivot points, letting the actors reach systems that standard endpoint tools can’t touch.
Collection and Exfiltration
The group collects engineering docs, system configs, email, and credentials. They stage data into archives and move it out via common protocols or covert channels. They may compress files before exfiltration and then use HTTP(S) or other blended channels to hide data transfers. Their goal is intelligence, not immediate financial gain.
C2 and Defense Evasion
Berserk Bear uses Command and Control (C2) channels that blend into normal traffic and hide in legitimate protocols. They reuse legitimate admin tools during operations to avoid dropping suspicious files. They also tamper with logs, clear events, and alter access controls to cover their tracks. Router-level compromise amplifies these evasion techniques by letting them modify network logging and ACLs at the infrastructure layer.
[Figure: Berserk Bear's attack chain summary]
Why do routers and network gear matter to them?
Network devices hold an outsized value. They store configuration files, routing rules, device credentials, and topology. They also proxy traffic and connect IT to OT zones. By owning routers and switches, Berserk Bear gains broad visibility and durable persistence. Recent Static Tundra activity shows the group stealing device configs en masse and modifying settings to ensure continued stealthy access.
How to Defend Against Berserk Bear?
Berserk Bear relies on phishing, supply-chain tampering, and exploiting network gear. Defense starts with tightening entry points and watching for quiet, long-term intrusions.
Limit initial access
Use multi-factor authentication on email and remote access. Filter attachments and links in mail. Keep web servers patched and restrict exposure of admin panels.
Harden endpoints
Patch systems fast. Deploy EDR to spot unusual scripting with PowerShell or cmd. Remove unnecessary admin rights and use allow-listing on sensitive hosts.
Protect credentials
Use MFA everywhere. Rotate and manage admin passwords through LAPS or similar tools. Watch for credential-dumping tools and suspicious NTLM or SMB activity.
Secure network devices
Patch and harden routers and switches. Disable unused services like Smart Install or SNMPv1/2. Isolate management interfaces and log configuration changes.
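The router-level weaknesses this profile keeps returning to (Smart Install left on, SNMPv1/v2c community strings, open management access, no record of configuration changes) are all visible in a running-config. The script below is an added example, not SOCRadar or Cisco code: it holds a constructed weak config beside a hardened one and audits both. The IOS commands are standard (no vstack, snmp-server group ... v3 priv, archive / log config, access-class on the VTY lines); the hostnames and the MGMT ACL range are made up.

```python
"""Audit a Cisco IOS running-config for the device-level weaknesses the
profile highlights. Added example, not SOCRadar code; both configs below are
constructed, not taken from a real device."""
import re

WEAK_CONFIG = """\
hostname core-sw1
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname core-sw1
no vstack
snmp-server group NETMON v3 priv
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
archive
 log config
  logging enable
  hidekeys
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

def audit_ios_config(config: str) -> list:
    """Return finding tags for a config; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # Smart Install (vstack) is on by default on many IOS builds; it is only
    # off when the config says so explicitly.
    if "no vstack" not in lines:
        findings.append("smart-install-enabled")
    # Any v1/v2c community string is a plaintext credential on the wire.
    if any(re.match(r"snmp-server community\s", l) for l in lines):
        findings.append("snmp-v1v2c-community")
    # Telnet on the VTY lines means cleartext admin logins.
    if any(re.match(r"transport input .*telnet", l) for l in lines):
        findings.append("vty-telnet-allowed")
    # VTY lines without an access-class accept management from anywhere.
    if "line vty 0 4" in lines and not any(l.startswith("access-class ") for l in lines):
        findings.append("vty-no-access-class")
    # Without archive config logging, changes like the ones Static Tundra made
    # leave no on-box trail for responders.
    if "log config" not in lines or "logging enable" not in lines:
        findings.append("no-config-change-logging")
    return findings
```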
Plan for recovery
Back up configs and systems. Keep a tested incident-response plan ready to reset credentials and rebuild devices if needed.
How Can SOCRadar Help?
SOCRadar Supply Chain Intelligence (SCI) 2.0 gives full visibility into third-party risks that Berserk Bear often exploits. It unifies data from ASM, DRP, and CTI modules to track exposed vendors, vulnerable partners, and compromised supplier assets. With 125+ data-driven checks, it identifies weak links before attackers reach internal systems.
Beyond the supply chain, SOCRadar also strengthens overall defense by monitoring phishing domains, leaked credentials, and exploited vulnerabilities, helping organizations detect, prioritize, and respond to APT campaigns faster.
MITRE ATT&CK TTPs of Berserk Bear
| ID | Name | Use |
|---|---|---|
| T1087.002 | Account Discovery: Domain Account | DragonFly/Berserk Bear batch scripts to enumerate domain users. |
| T1098.007 | Account Manipulation: Additional Local or Domain Groups | DragonFly/Berserk Bear added accounts to administrators groups. |
| T1583.001 | Acquire Infrastructure: Domains | They registered domains for targeting. |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | They acquired VPS infrastructure. |
| T1595.002 | Active Scanning: Vulnerability Scanning | They scanned for Citrix and Exchange vulnerabilities. |
| T1071.002 | Application Layer Protocol: File Transfer Protocols | They used SMB for C2. |
| T1560 | Archive Collected Data | They compressed data into .zip files. |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | They added a Registry Run key (ntdll) for persistence. |
| T1110 | Brute Force | They attempted credential brute force. |
| T1110.002 | Password Cracking | They ran Hydra and CrackMapExec. |
| T1059 | Command and Scripting Interpreter | They used command-line interpreters. |
| T1059.001 | PowerShell | They ran PowerShell scripts. |
| T1059.003 | Windows Command Shell | They used batch scripts. |
| T1059.006 | Python | They used Python and installed Python 2.7. |
| T1584.004 | Compromise Infrastructure: Server | They compromised websites to host C2 and modules. |
| T1136.001 | Create Account: Local Account | They created local and administrator accounts. |
| T1005 | Data from Local System | They collected local system data. |
| T1074.001 | Data Staged: Local Data Staging | They staged data in %AppData%\out. |
| T1189 | Drive-by Compromise | They used strategic web compromise and a custom exploit kit. |
| T1114.002 | Email Collection: Remote Email Collection | They accessed email via Outlook Web Access. |
| T1190 | Exploit Public-Facing Application | They exploited Citrix, Exchange, and Fortinet CVEs. |
| T1203 | Exploitation for Client Execution | They exploited Adobe Flash CVE-2011-0611. |
| T1210 | Exploitation of Remote Services | They exploited Netlogon CVE-2020-1472. |
| T1133 | External Remote Services | They used VPNs and OWA for remote access. |
| T1083 | File and Directory Discovery | They used batch scripts to list files and folders. |
| T1187 | Forced Authentication | They harvested hashed credentials via SMB and modified .LNK icons. |
| T1591.002 | Gather Victim Org Information: Business Relationships | They collected OSINT on business relationships. |
| T1564.002 | Hide Artifacts: Hidden Users | They modified the Registry to hide accounts. |
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | They disabled host firewalls and opened RDP port 3389. |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | They cleared Windows and other logs. |
| T1070.004 | Indicator Removal: File Deletion | They deleted files and screenshots. |
| T1105 | Ingress Tool Transfer | They copied and installed tools on victims. |
| T1036.010 | Masquerading: Masquerade Account Name | They created accounts that looked like service or backup accounts. |
| T1112 | Modify Registry | They used Reg to change Registry settings. |
| T1135 | Network Share Discovery | They browsed file servers and viewed ICS/SCADA files. |
| T1588.002 | Obtain Capabilities: Tool | They used Mimikatz, CrackMapExec, and PsExec. |
| T1003.002 | OS Credential Dumping: Security Account Manager | They ran SecretsDump to dump SAM hashes. |
| T1003.003 | OS Credential Dumping: NTDS | They dumped NTDS and obtained ntds.dit. |
| T1003.004 | OS Credential Dumping: LSA Secrets | They dumped LSA secrets with SecretsDump. |
| T1069.002 | Permission Groups Discovery: Domain Groups | They enumerated domain admins and users via batch scripts. |
| T1566.001 | Phishing: Spearphishing Attachment | They sent emails with malicious attachments. |
| T1598.002 | Phishing for Information: Spearphishing Attachment | They used Office attachments to harvest credentials. |
| T1598.003 | Phishing for Information: Spearphishing Link | They used PDFs with links to credential-harvest sites. |
| T1012 | Query Registry | They queried the Registry for victim info. |
| T1021.001 | Remote Services: Remote Desktop Protocol | They moved laterally via RDP. |
| T1018 | Remote System Discovery | They obtained host lists in the environment. |
| T1053.005 | Scheduled Task/Job: Scheduled Task | They used scheduled tasks to log out accounts and run files. |
| T1113 | Screen Capture | They captured screens using scr.exe (ScreenUtil). |
| T1505.003 | Server Software Component: Web Shell | They installed web shells on public servers. |
| T1608.004 | Stage Capabilities: Drive-by Target | They compromised sites to host exploit kits. |
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | They trojanized vendor installers for control system software. |
| T1016 | System Network Configuration Discovery | They used batch scripts to enumerate trusts and zones. |
| T1033 | System Owner/User Discovery | They ran the query user command on victim hosts. |
| T1221 | Template Injection | They injected SMB URLs into Word attachments to force auth. |
| T1204.002 | User Execution: Malicious File | They used spearphishing to get users to open attachments. |
| T1078 | Valid Accounts | They used compromised valid credentials. |
| T0817 | Drive-by Compromise (ICS) | They used watering hole redirects to deliver Backdoor.Oldrea or Trojan.Karagany. |
| T0862 | Supply Chain Compromise (ICS) | They trojanized ICS vendor software packages. |