In recent years, FSB Center 16 (Military Unit 71330) has been publicly identified as the source of two Russian threat actors in advisories produced by multiple Western governments. VENOMOUS BEAR (Turla) is well-known and has been the subject of many public reports due to their history and novel operational implementations. They largely focus on compromising foreign government targets, likely facilitating the collection of sensitive documents and communication by breaking encryption schemes and intercepting plain-text data at rest.
The more elusive of these groups, BERSERK BEAR, is most commonly associated with persistent reconnaissance of networks associated with critical infrastructure across the energy and utility sectors. However, a decade of tracking campaigns conducted through their unique operational infrastructure has revealed additional motivations more tightly aligned with FSB’s mandate as a domestic security service.
CYBERWARCON 2022 discussed BERSERK BEAR campaigns abusing Microsoft services to target Russian citizens, dissidents, journalists, and foreign diplomats deployed to Russia. Through previously unpublicized case studies of BERSERK BEAR activities during the 2010s, this talk will further illuminate the actor’s efforts to surveil these communities while also providing tactical intelligence collection support to the Russian government. We will also reveal how an investigation of BERSERK BEAR-associated malware geolocated testing activity to a specific district in Moscow—indicating likely connections to the wider community supporting the Russian intelligence services—and how technical overlaps with VENOMOUS BEAR provide a wider picture of how complementary teams within Center 16 operate to fulfill FSB intelligence collection requirements.