In the past five (5) years there has been a wide-ranging espionage operation in which more than 150 companies were targeted to be hacked in Germany alone: especially in the area of critical infrastructure companies. Specifically, the hackers sought out electricity and water supply systems. After years of investigation, the Germany’s State Criminal Police Office of Baden-Württemberg succeeded in identifying one of the suspected perpetrators: Pawel A.
This state backed hacker is said to belong to a hacker group that IT security companies call “Berserk Bear” or “Dragonfly.” The US Department of Justice (DOJ) currently assumes that these hackers work for the Russian secret service FSB, more precisely for the “Center 16” department, which is based in Moscow. According to an indictment by DOJ, these hackers intended to enable the Russian government to “interrupt and damage important power generation facilities if desired.”
A German non-public arrest warrant: Pawel A. is held responsible for hacking the network of Netcom BW in the summer of 2017. In September 2021, more than four years later, the German Attorney General in Karlsruhe obtained an arrest warrant. To this day it is not officially public.
Victim company Netcom BW belongs to the EnBW power group and provides the fiber optic expansion as well as routing important internal data for EnBW about the power supply via a specially secured network. The hackers managed to access the Internet traffic via a vulnerability in the routers from Netcom BW. 
EnBW stated that the hackers had previously attacked an external service provider, “Its infrastructure was compromised as a result.” The hackers then gained access to the management system of Netcom BW’s public telecommunications network via a maintenance access. “The EnBW electricity and gas network control was never affected, as this is managed in a separate, specially secured network,” said the company. Since the attack, Netcom BW has been regularly checked and certified by independent bodies, and EnBW has “expanded its cyber defense capabilities.” EnBW is encouraged that the investigations were successful: “If there should be a conviction, we would of course be very interested in finding out something about the motivation and goals of the attacker.”
E.On also in hackers target: these hackers were also targeting the electricity company E.On. Of interest, they had prepared a 35-page document that appeared to be an internal document from a consulting firm. The document is titled: “Assessment of the long-term investment needs of the decentralized E.On power grids.” As soon as a user opens the document, an unnoticed attempt is made to send their login data to a server that the hackers control. The bad actors allegedly used this guide to log into other services that this user uses, for example the e-mail inbox. IT security experts explain this as ‘spear phishing.’ When asked, E.On declined to comment. The consulting firm confirms that there was “an attack on a holding company” in the summer of 2017.
Since the outbreak of the Russian war against Ukraine, German security authorities have been warning of cyber-attacks on its power grid. At a conference at the end of June 2022, the Vice President of the Federal Intelligence Service, said: “We must be aware that Russia is in our networks.” Such access to the network would be procured at an early stage. “Let’s assume that’s prepared,” he said. “Berserk Bear” is considered among experts as the Russian hacking group whose tasking is to target electric grids.
As many know - In December 2015, hackers carried out an extensive attack on the power supply in Ukraine. The IT systems of several substations were infected with malware called “Black Energy” and shut down. More than 200,000 people were affected, and the power went out for up to six hours. The group “Sandworm” was identified as responsible for the attack. According to European security authorities, Sandworm was associated with the Russian secret service, or GRU.
Mandiant has been observing the “Berserk Bear” group for years: “One of our biggest concerns is that the hackers will be able to permanently establish themselves in the compromised networks and later gain this access if the time has come to use it for destructive attacks.” Analysts emphasizes that there is currently no evidence of this. She points out that the hackers are currently primarily spying on office networks and not industrial plants. This would require completely new tools and in-depth expertise.
Activities monitored by the German Office for the Protection of the Constitution: It is unclear how many corporate networks the hackers from “Berserk Bear” were able to penetrate. Only companies that belong to the critical infrastructures have to report such incidents. This authority managed to monitor at least part of the incoming and outgoing Internet traffic of the hackers. Because one of the servers that the hackers utilized is in Germany.
In addition to phishing attacks, the hackers from “Berserk Bear” also hacked into strategically relevant websites and cleverly rebuilt them to steal confidential information, especially login data. This affected both the website of a company that designs websites for energy suppliers and the website of a company that offers software in this area. Calculations by this group indicates that many website visitors of these specialized companies (like electric companies) are likely to be active in the area of critical infrastructures and therefore attractive targets for espionage. Both companies were apparently unaware that their sites had been hacked. The German Attorney General in this matter still has not commented on the investigation. The Russian embassy is also not talking