
Cyber Incident Victim: City of Austin

Date:

Oct 2020

Location:

United States of America

Summary

Russian state-sponsored hackers, likely affiliated with the FSB and identified as Berserk Bear, infiltrated the City of Austin's network for months, leveraging it to stage additional attacks. The compromise potentially exposed sensitive data related to policing, governance, elections, and critical infrastructure systems, including water and energy networks. Malware samples communicating with the city's IP address indicated ongoing network access, with recent activity suggesting persistent compromise. The intrusion aligned with broader targeting of U.S. entities—including airports, energy firms, and government agencies—by this group, which specializes in stealthy, long-term espionage. Federal agencies had previously warned about Berserk Bear's campaigns against critical infrastructure, though the Austin breach was distinct from separate Russian operations like the SolarWinds supply-chain attack.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actor:

1 actor

Type:

Available to members

Location:

Available to members

Description

Russian state-sponsored hackers, believed to be affiliated with the group Berserk Bear (also identified as Energetic Bear, Dragonfly, TEMP.Isotope, and BROMINE), breached the City of Austin’s network by mid-October 2020, with evidence of ongoing compromise through at least December 15, 2020. The intrusion was identified through technical indicators in documents from Microsoft’s Threat Intelligence Center (MSTIC) and malware activity logs on VirusTotal, which cataloged 97 malware samples communicating with an Austin government IP address. This IP address appeared on MSTIC’s November mid-month list of indicators of compromise (IOCs) distributed to public-sector Microsoft customers, though it was removed in a subsequent alert the following day. The attackers used Austin’s network as infrastructure to stage additional attacks, leveraging compromised systems to send commands to malware samples observed in the United States, United Kingdom, and Turkey. The breach exposed sensitive city operations, including potential access to policing, governance, elections, and critical infrastructure systems such as water, energy, and airports.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI had previously warned on October 22, 2020, that Berserk Bear—suspected to be a unit of Russia’s Federal Security Service (FSB)—targeted airports, energy firms, and state/local/tribal governments, confirming data exfiltration from at least two servers. Austin’s compromise aligned with this broader campaign, though the city declined detailed comment, citing ongoing law enforcement investigations. VirusTotal submissions showed sustained malicious activity, with 88 of the 97 malware samples tied to Austin’s IP submitted since January 2020 and six samples active in November and December. While Berserk Bear historically focused on espionage rather than sabotage, cybersecurity experts noted the group possessed capabilities to manipulate critical infrastructure, such as disrupting power grids or water systems. The incident occurred amid heightened tensions over Russian cyber operations, including separate breaches of federal agencies by Cozy Bear (APT29), though no evidence linked the Austin intrusion to the SolarWinds supply-chain attack. Microsoft’s alert highlighted Berserk Bear’s additional targeting of telecommunications, aerospace, and defense sectors internationally.

Sources:

1 source (available to members)