{ "id": "d21317e7-227e-4876-8afa-7842a7962f61", "created_at": "2026-04-06T00:14:58.164502Z", "updated_at": "2026-04-10T03:24:52.176036Z", "deleted_at": null, "sha1_hash": "1b201efe777a33d402c6b342b5341fd0795eb28f", "title": "Cyber Berkut - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50937, "plain_text": "Cyber Berkut - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:56:12 UTC\r\n APT group: Cyber Berkut\r\nNames\r\nCyber Berkut (self given)\r\nKiberberkut (self given)\r\nCountry Russia\r\nMotivation Information theft and espionage, Sabotage and destruction\r\nFirst seen 2014\r\nDescription\r\n(Recorded Future) Recorded Future has collected threat intelligence on the hacking\r\nactivities of Cyber Berkut for over a year, aligning with the first month of ground\r\nfighting in Ukraine, at which time the group began coordinated cyber attacks. This\r\narticle presents temporal and technical analysis of these activities, based on open\r\nsource intelligence (OSINT) from the Web. Appropriating the Ukrainian special\r\npolice force name and logo, the group has aligned itself as pro-Russian, anti-Ukrainian, and most recently attacked Western intervention efforts in the Ukrainian\r\nconflict. While the group has taken Ukrainian identities, technical links and\r\ncontextual analysis connect the group to Russia.\r\nThe group began with successful distributed denial of service (DDoS) attacks on\r\nmultiple NATO websites just as separatists in the physical world were beginning to\r\nstorm military buildings. Since their initial attacks the group has continued to take\r\ndown websites, and most recently leaked confidential documents between US\r\nbillionaire George Soros and the Ukrainian prime minister and president which\r\ncontained plans for Western intervention.\r\nObserved\r\nSectors: Defense, Financial, Government.\r\nCountries: Estonia, Germany, Ukraine, USA, NATO.\r\nTools used\r\nOperations performed\r\nMar 2014\r\nNato websites disabled by cyber attack on eve of Crimea vote\r\n\u003chttps://www.ft.com/content/b822d5cc-ace6-11e3-8ba3-\r\n00144feab7de\u003e\r\nJul 2014 'Cyber Berkut' Hackers Target Major Ukrainian Bank\r\n\u003chttps://www.themoscowtimes.com/2014/07/04/cyber-berkut-https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c375b720-a3ec-464a-a81d-891c24f3e325\r\nPage 1 of 2\n\nhackers-target-major-ukrainian-bank-a37033\u003e\nJan 2015\nGerman government websites, including Chancellor Angela Merkel’s\npage, were hacked on Wednesday in an attack claimed by a group\ndemanding Berlin end support for the Ukrainian government, shortly\nbefore their leaders were to meet.\nMay 2015\nCyber Berkut Graduates From DDoS Stunts to Purveyor of Cyber\nAttack Tools\nInformation\nLast change to this card: 19 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c375b720-a3ec-464a-a81d-891c24f3e325\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=c375b720-a3ec-464a-a81d-891c24f3e325\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c375b720-a3ec-464a-a81d-891c24f3e325" ], "report_names": [ "showcard.cgi?u=c375b720-a3ec-464a-a81d-891c24f3e325" ], "threat_actors": [ { "id": "afb851c4-b2e8-40e3-ac37-c55d8c0ab3cd", "created_at": "2022-10-25T16:07:23.516432Z", "updated_at": "2026-04-10T02:00:04.637109Z", "deleted_at": null, "main_name": "Cyber Berkut", "aliases": [ "Kiberberkut" ], "source_name": "ETDA:Cyber Berkut", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "268479f9-6666-488e-a41e-14593ed4c2f7", "created_at": "2023-01-06T13:46:38.614508Z", "updated_at": "2026-04-10T02:00:03.039929Z", "deleted_at": null, "main_name": "Cyber Berkut", "aliases": [], "source_name": "MISPGALAXY:Cyber Berkut", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434498, "ts_updated_at": 1775791492, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1b201efe777a33d402c6b342b5341fd0795eb28f.pdf", "text": "https://archive.orkl.eu/1b201efe777a33d402c6b342b5341fd0795eb28f.txt", "img": "https://archive.orkl.eu/1b201efe777a33d402c6b342b5341fd0795eb28f.jpg" } }