Berserk Bear

Berserk Bear (aka Crouching Yeti, Dragonfly, Dragonfly 2.0, DYMALLOY, Energetic Bear, Havex, IRON LIBERTY, Koala, or TeamSpy)[2][3][4] is a Russian cyber espionage group, sometimes known as an advanced persistent threat.[1] According to the United States, the group is composed of "FSB hackers," either those directly employed by the FSB or Russian civilian, criminal hackers coerced into contracting as FSB hackers while still freelancing or moonlighting as criminal hackers.[5] Four accused Berserk Bear participants, three FSB staff and one civilian, have been indicted in the United States and are regarded by the United States Department of Justice as fugitives.

Berserk Bear
TypeAdvanced persistent threat
PurposeCyberespionage, cyberwarfare
Official language
Parent organization
Formerly called
Crouching Yeti
Dragonfly 2.0
Energetic Bear


Berserk Bear specializes in compromising utilities infrastructure, especially that belonging to companies responsible for water or energy distribution.[1][6] It has performed these activities in at least Germany and the U.S.[6] These operations are targeted towards surveillance and technical reconnaissance.[5]

Berserk Bear has also targeted many state, local, and tribal government and aviation networks in the U.S., and as of October 1, 2020, had exfiltrated data from at least two victim servers.[3] In particular, Berserk Bear is believed to have infiltrated the computer network of the city of Austin, Texas, during 2020.[7][8][5]

The group is capable of producing its own advanced malware, although it sometimes seeks to mimic other hacking groups and conceal its activities.[5]

Indictments unsealed 2022Edit

In 2021 federal grand juries in the United States indicted three personnel of the Russian Federal Security Service (FSB) and a civilian from the Central Research Institute of Chemistry and Mechanics (CNIIHM). These indictments were kept under seal until March 2022 when the United States publicly named the defendants and treated them as fugitives.

Evgeny GladkikhEdit

Evgeny Gladkikh (Russian: Евгений Гладких): is accused of targeting network-connected safety equipment with the intent to gain the capability to sabotage them. He was indicted in the U.S. District Court for the District of Columbia [9]

"Center 16" defendantsEdit

The indictment in the case United States v. Akulov, et al. is focused on members of a team within "Center 16" (Russian: 16-й Центр)[a] an FSB component also known as Military Unit 71330 (Russian: Bойсковая часть B/Ч 71330).

The British Foreign Office states that the full name of Center 16 is "Radio-Electronic Intelligence by Means of Communication" (TsRRSS); Russian: Центр радиоэлектронной разведки на средствах связи (ЦPPCC)[10]

The U.S. v. Akulov case was filed within the United States District Court for the District of Kansas.[11] The named defendants are:

  • Pavel Aleksandrovich Akulov (Russian: Павел Александрович Акулов, b. 2 July 1985) is described as a military officer assigned to Military Unit 71330, who held the rank of lieutenant as of 2013. Akulov is described as conducting surveillance and reconnaissance supporting the targeting of the Wolf Creek Generating Station computer network.[11]
  • Mikhail Mikhailovich Gavrilov (Russian: Михаил Михайлович Гаврилов, b. 7 November 1979) is described as Russian military intelligence officer assigned to Military Unit 71330. He has held the rank of captain and major. He is described as conducting computer intrusions into the computer networks of Wolf Creek and another unnamed entity ("Company 7") used to access energy, utility and critical infrastructure webmail login webpages.[11]
  • Marat Valeryevich Tyukov (Russian: Марат Валерьевич Тюков, b. 17 November 1982) is described as a Russian military intelligence officer assigned to Military Unit 71330. He is alleged to have gained unauthorized access to a server owned by an unnamed entity ("Company One") that was used for command and control infrastructure. He is also accused of tampering with updates to industrial control software which affected power and energy companies globally.[11]

FBI and Department of State designationEdit

The U.S. State Department Rewards for Justice Program is offering $10 million for tips leading that lead to the apprehension of the four named "Berserk Bear" suspects.

See alsoEdit


  1. ^ "Center 16" is the translation contained within the indictments. Elsewhere, the Estonian Foreign Intelligence Service refers to the unit as "16th Centre." see "International Security and Estonia 2019" (PDF). Estonian Foreign Intelligence Service. pp. 56–60. Archived (PDF) from the original on 9 March 2019. Retrieved 6 April 2022.
  1. ^ a b c "The Russian Hackers Playing 'Chekhov's Gun' With US Infrastructure" – via
  2. ^ "Dragonfly 2.0, IRON LIBERTY, DYMALLOY, Berserk Bear, Group G0074 | MITRE ATT&CK®".
  3. ^ a b "Russian state hackers stole data from US government networks". BleepingComputer.
  4. ^ Goodin, Dan (December 7, 2020). "NSA says Russian state hackers are using a VMware flaw to ransack networks". Ars Technica.
  5. ^ a b c d Bowen, Andrew S. (January 4, 2021). Russian Cyber Units (Report). Congressional Research Service. p. 2. Retrieved July 25, 2021.
  6. ^ a b "German intelligence agencies warn of Russian hacking threats to critical infrastructure". CyberScoop. May 26, 2020.
  7. ^ Hvistendahl, Mara; Lee, Micah; Smith, Jordan (December 17, 2020). "Russian Hackers Have Been Inside Austin City Network for Months". The Intercept.
  8. ^ "Austin officials quiet on reports that city network hacked".
  9. ^ "Indictment" (PDF), United States v. Gladkikh (Court Filing), D.D.C., vol. No. 1:21-cr-00442, no. Docket 1, 26 Aug 2021, retrieved 5 April 2022 – via Recap (PACER current docket view )
  10. ^ "Russia's FSB malign activity: factsheet". Foreign, Commonwealth & Development Office. 5 April 2022. Retrieved 6 April 2022.{{cite web}}: CS1 maint: url-status (link)
  11. ^ a b c d "Indictment" (PDF), United States v. Akulov, et al. (Court Filing), D.K.S., vol. No. 1:21-cr-20047, no. Docket 3, 26 Aug 2021, retrieved 5 April 2022 – via Recap (PACER current docket view )