Full Report
The U.S. Department of State is offering a reward of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. [...]
Analysis Summary
# Threat Actor: FSB Officers / Berserk Bear / Blue Kraken / Crouching Yeti / Dragonfly / Koala Team
## Attribution & Identity
The threat actor is identified as three Russian Federal Security Service (FSB) officers: Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov. They are associated with the FSB's **Center 16 (Military Unit 71330)**.
Known Aliases/Associated Groups:
* Berserk Bear
* Blue Kraken
* Crouching Yeti
* Dragonfly
* Koala Team
## Activity Summary
The individuals are responsible for malicious cyber activities against U.S. critical infrastructure on behalf of the Russian government.
* They were involved in a campaign between 2012 and 2017 targeting U.S. government agencies and energy companies.
* More recently (within the past year, as of Aug 2025), they exploited a Cisco vulnerability (CVE-2018-0171) to breach critical infrastructure companies.
* They are also known for attacking U.S. State, Local, Territorial, and Tribal (SLTT) government organizations and aviation entities over the last decade.
## Tactics, Techniques & Procedures
- Exploitation of **CVE-2018-0171** in end-of-life Cisco networking devices.
- Remotely executing arbitrary code on unpatched devices.
- **MITRE ATT&CK IDs:** Not explicitly mentioned, but remote code execution and vulnerability exploitation are key components.
## Targeting
- **Sectors:** U.S. critical infrastructure, nuclear energy (e.g., Nuclear Regulatory Commission, Wolf Creek Nuclear Operating Corporation), telecommunications, higher education, manufacturing, U.S. SLTT government organizations, and aviation entities.
- **Geography:** United States (primary focus on U.S. critical infrastructure). The activities also targeted over 500 energy companies across 135 other countries.
- **Victims:** Nuclear Regulatory Commission, Wolf Creek Nuclear Operating Corporation, telecommunications organizations, higher education organizations, and manufacturing organizations across North America, Europe, Asia, and Africa.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but the description focuses on vulnerability exploitation. (Note: The article briefly mentions another reward for hackers tied to RedLine malware, which is a *separate* operation).
- **Infrastructure (C2, domains, IPs):** Not specified in detail; the article states only that the operations were conducted on behalf of the Russian government.
## Implications
These operatives represent a persistent, state-sponsored threat directly targeting high-value U.S. critical infrastructure with the intent to conduct espionage or disruption. Their continued exploitation of a known vulnerability in end-of-life devices indicates a calculated, long-term approach focused on gaining access to essential services in support of Russian state objectives.
## Mitigations
- Immediately patch networking devices, particularly end-of-life Cisco equipment, against **CVE-2018-0171**.
- Implement strong network segregation and defense-in-depth strategies around critical infrastructure assets to limit the impact of remote code execution.
- Monitor and investigate anomalies related to historical targets (Nuclear, Energy, SLTT, Aviation).