German prosecutors issue warrant for Russian government hacker over energy sector attacks

Prosecutors in Germany have issued a warrant for the arrest of Pawel A, a Russian national they accuse of being part of the Berserk Bear hacking group within Russia’s Federal Security Service (FSB), according to German public broadcasters BR and WDR.

The prosecutors accused Pawel of engineering a 2017 attack on Netcom BW – which manages the routers for the EnBW energy company – and another attack on electricity company E.ON. Neither company responded to requests for comment. 

The warrant was not made public but BR and WDR reported that the hackers used a vulnerability in Netcom BW’s routers to access internet traffic and eventually break into the management system of the company's public telecommunications network.

Netcom BW told the news outlet that the electricity and gas networks were never breached because they are separate from the telecommunications network.

A 36-year-old by the name of Pavel Aleksandrovich Akulov was one of four Russian nationals indicted by the Justice Department last year for allegedly leading a widespread hacking campaign against energy companies around the world.

It is unclear if he is the same as Pawel A, but he was also identified in the U.S. indictment as a member of the Berserk Bear group, working in "Center 16" within the FSB. German prosecutors did not respond to requests for confirmation.

The group has specifically targeted an array of industrial technology systems. Between 2012 and 2017, Akulov and two others are accused of launching supply chain attacks, which breach adjacent entities as a way to reach their main targets, that gave the Russian government “surreptitious, unauthorized and persistent access” to the networks of several energy companies. 

From 2012 to 2014, they compromised several industrial control system (ICS) manufacturers and software providers before hiding the “Havex” malware inside networks. They used a range of attacks to install malware on more than 17,000 devices in the U.S. and other countries. 

Between 2014 and 2017, the DOJ said the group went after “specific energy sector entities and individuals and engineers who worked with [industrial] systems.” These attacks targeted more than 3,300 users at some 500 U.S. and international companies and entities, as well as government agencies like the Nuclear Regulatory Commission. 

The group was successful in compromising the business systems of the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, through spearphishing. They also found success using "watering hole" attacks, which captured the login credentials of energy sector engineers through compromised websites. 

Overall, their campaigns are known to have targeted people in more than 136 countries. In the U.S., Akulov is facing charges related to computer fraud and abuse, wire fraud, aggravated identity theft and causing damage to the property of an energy facility.

Attacks on German energy companies have increased significantly over the last year. German wind farm operator Deutsche Windtechnik was crippled in April by a cyberattack while German wind turbine maker Nordex was forced to shut down its IT systems across multiple locations and business units after it was hit with a cyberattack on March 31.

The Nordex incident followed a cyberattack on satellite communications company Viasat that caused the malfunction of 5,800 Enercon wind turbines in Germany.

Oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls, suffered a cyberattack that crippled their loading and unloading systems in February. The attacks forced Shell to reroute oil supplies to other depots.

An internal report from Germany's Federal Office for Information Security said the BlackCat ransomware group was behind the cyberattack on the oil companies. 

Carsten Maywirth, director of cybercrime at Germany’s Federal Criminal Police Office, told a law enforcement conference in New York last week that the invasion of Ukraine was linked to the increase in attacks on German firms.  

The conflict kicked off what he called a “cyberwar,” where ransomware groups and criminal organizations chose sides in the conflict and launched attacks on behalf of Russia against any country that helped Ukraine.

“The result is that we have more perpetrators, more targets and more vulnerabilities. This has created a party for the criminals,” he said. “But in my view, this is the new normal.”