#ThreatThursday - Berserk Bear

Russia’s Berserk Bear Actively Attacking The Energy Sector

Russian adversaries, known as Berserk Bear, Energetic Bear, TEMP.Isotope, TeamSpy, Dragonfly 2.0, Havex, Crouching Yeti, IRON LIBERTY, TG-4192, Castle, Dymallos, and Koala, that have been active since at least 2005, are playing 'Chekhov's Gun' with US infrastructure according to one of my favorite journalists, Andy Greenberg of WIRED. We have many customers in the energy sector and thought this would be an ideal threat actor to understand and emulate given the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) advisory on October 22, 2020. As usual for #ThreatThursday, we will understand Berserk Bear’s behavior, map to MITRE ATT&CK and share the ATT&CK Navigator JSON, create and share an adversary emulation plan in the largest, public adversary behavior repository, and discuss how to defend against this energy sector adversary. We hope you enjoy!  

Berserk Bear: Cyber Threat Intelligence

On October 22, 2020, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-296A about Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. It stated that since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets.

Given SCYTHE has many energy sector customers, we think this would be a great example of an adversary to analyze, consume Cyber Threat Intelligence, map to MITRE ATT&CK, and create an adversary emulation plan.

These are the first sources we consumed upon hearing about Berserk Bear:

Initial Access

According to Sean Lyngass, Berserk Bear is less conspicuous. They have used “waterholing,” or infecting websites and then picking off high-value login credentials, to compromise the IT networks of critical infrastructure companies in Europe and North America. The FBI and CSIS alert focused focuses on how Berserk Bear gains initial access with very well known vulnerabilities:

  • Drive-By Compromise [T1189]
  • Exploiting Public Facing Applications [T1190]
  • External Remote Services [T1133]
  • Credential Access via Brute Force [T1110]
  • Lateral Movement [TA0008], Persistence [TA0003], and Privilege Escalation [TA0004]:

Valid Accounts [T1078]

Objective

While the focus so far has been on Berserk Bear obtaining user and administrator credentials to establish initial access. This is to enable lateral movement once inside the network and locate high value assets in order to exfiltrate data. However, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.

From Andy Greenberg’s article "What makes them unique is the fact that they have been so focused on infrastructure throughout their existence, whether it's mining, oil, and natural gas in different countries or the grid," says Vikram Thakur, a researcher at security firm Symantec who has tracked the group over several distinct hacking campaigns since 2013.

MITRE ATT&CK Mapping

Given the various threat actor names given to this adversary, there are multiple sources already mapped to MITRE ATT&CK:

Berserk Bear Adversary Emulation Plan

After consuming the Cyber Threat Intelligence reports and mapping to MITRE ATT&CK, we organized the TTPs by Tactic and created a threat profile for Berserk Bear:

 Tactic  Description
Objective   Hold access to critical infrastructure for later use. However, we have yet to see them pull the trigger.
 Command and Control  T1071 - Application Layer Protocol
T1573 - Encrypted Channel
 Collection T1560 - Archive Collected Data
T1074.001 - Local Data Staging
T1005 - Data from Local System
T1114.002 - Remote Email Collection
T1056.001 - Keylogging
T1113 - Screen Capture
 Execution T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.006 - Python
T1053.005 - Scheduled Task
T1204.001 - Malicious Link
T1204.002 - Malicious File
 Defense Evasion T1562.004 - Disable or Modify System Firewall
T1070.001 - Clear Windows Event Logs
T1070.004 - File Deletion
T1036 - Masquerading
T1112 - Modify Registry
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1055 - Process Injection
T1055.003 - Thread Execution Hijacking
T1221 - Template Injection
T1078 - Valid Accounts
T1497.001 - System Checks
 Credential Access T1110.002 - Password Cracking
T1555.003 - Credentials from Web Browsers
T1187 - Forced Authentication
T1003 - OS Credential Dumping
T1003.002 - Security Account Manager
T1003.003 - NTDS
T1003.004 - LSA Secrets
 Persistence T1098 - Account Manipulation
T1547.001 - Registry Run Keys / Startup Folder
T1547.009 - Shortcut Modification
T1136.001 - Local Account
T1133 - External Remote Services
T1505.003 - Web Shell
 Discovery T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1033 - System Owner/User Discovery
T1049 - System Network Connections Discovery
T1057 - Process Discovery
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1135 - Network Share Discovery


Defend against Berserk Bear

The FBI and CSIS recommendations focus on a number of areas that our users most likely already know such as keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. However they do dive a little deeper into other areas to avoid initial access:

  • Follow Microsoft’s guidance on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.
  • Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on SMB Security Best Practices for more information.
  • Implement the prevention, detection, and mitigation strategies outlined in CISA Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance and National Security Agency Cybersecurity Information Sheet U/OO/134094-20 – Detect and Prevent Web Shells Malware.
  • Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.
  • Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
  • Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and WINDOWS folders. All other locations should be disallowed unless an exception is granted.
  • Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.

Conclusion

While Berserk Bear has yet to be seen doing something destructive, defenders can still leverage cyber threat intelligence to implement detections against its behaviors. As always, we ingested the Cyber Threat Intelligence, mapped it to MITRE ATT&CK, and created an adversary emulation plan based off of the threat’s behaviors. As more research is done on this threat, we’ll be able to further emulate its behaviors and look for key unique techniques it does. We hope you enjoyed this week’s Threat Thursday and we are extending a big thanks to the awesome team at Cyborg Security who provided their video on their side of detections!

#ThreatThursday Library

Learn more about SCYTHE’s weekly Threat Thursday research reports by going to the #ThreatThursday page in our Unicorn Library, watching the videos on SCYTHE’s YouTube Channel, or follow #ThreatThursday and our CTO, Jorge Orchilles (@jorgeorchilles) on Twitter.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io

About Cyborg Security

Cyborg Security is a threat hunting pioneer. Reimagining threat hunting in a first-of-its-kind platform, Cyborg Security's HUNTER platform provides tailored threat hunt and detection packages, and a threat feed focused on operationalized threat data, to augment analysts into hunters and evolve traditional security operations into skilled hunt teams. To learn more, visit cyborgsecurity.com, or follow us on Twitter and LinkedIn.