They are Still Berserk

They are Still Berserk: Recent Activities of BROMINE

Berserk Bear, which overlaps with Microsoft’s actor BROMINE, surely needs no introduction to Cyberwarcon. With campaigns dating back as early as 2010 and an established history of targeting critical infrastructure using a wide array of methods, they remain an interesting group to follow. In 2022, the US Department of Justice unsealed an indictment attributing the activities of the group to Military Unit 71330 (“Center 16”), which was then complemented by a release from multiple national cyber authorities, including the UK’s NCSC. The release provided insights into additional intrusions and activities of interest but naturally raised follow-on questions: What else is there? What are their recent activities?

This lightning talk will sprint through recent activities that MSTIC has attributed to BROMINE, some of which have not been shared publicly, with the goal of providing a more complete picture. We will start by discussing opposition/dissident targeting before moving through some “routine” activities and one-off campaigns, ranging from compromise of ICS-related organizations to opportunistic exploitation of datacenters. We will also provide a quick glimpse into subtle activities possibly related to the war in Ukraine, which will almost certainly leave people continuing to wonder what else they are up to.