Ember Bear
Also known as: UNC2589 · Bleeding Bear · DEV-0586 · Cadet Blizzard · Frozenvista · UAC-0056
Overview
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020 and is linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). Ember Bear has primarily focused its operations on Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas. Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.
Regions
Ukraine
Capabilities
- Supply-chain compromise — ATT&CK T1195
- Destructive / data-wiping operations — ATT&CK T1561.002; software: WhisperGate
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 4 attributed custom malware families
TTPs — 47 techniques across 14 tactics
Reconnaissance
- T1595.001 Scanning IP Blocks
- T1595.002 Vulnerability Scanning
Resource Development
- T1583 Acquire Infrastructure
- T1583.003 Virtual Private Server
- T1585 Establish Accounts
- T1588.001 Malware
- T1588.005 Exploits
Initial Access
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1203 Exploitation for Client Execution
Persistence
- T1133 External Remote Services
- T1505.003 Web Shell
Stealth
- T1036 Masquerading
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1078.001 Default Accounts
Defense Impairment
- T1112 Modify Registry
Credential Access
- T1003 OS Credential Dumping
- T1003.001 LSASS Memory
- T1003.002 Security Account Manager
- T1003.004 LSA Secrets
- T1110 Brute Force
- T1110.003 Password Spraying
- T1552.001 Credentials In Files
Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1654 Log Enumeration
Lateral Movement
- T1021 Remote Services
- T1210 Exploitation of Remote Services
- T1550.002 Pass the Hash
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1114 Email Collection
- T1119 Automated Collection
- T1125 Video Capture
- T1560 Archive Collected Data
Command and Control
- T1071.004 DNS
- T1090.003 Multi-hop Proxy
- T1095 Non-Application Layer Protocol
- T1571 Non-Standard Port
- T1572 Protocol Tunneling
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Impact
- T1491.002 External Defacement
- T1561.002 Disk Structure Wipe
Tools & malware (11)
P.A.S. Webshell · CrackMapExec · Responder · ngrok · reGeorg · WhisperGate · Saint Bot · PsExec · Rclone · BloodHound · Impacket
Reporting (3)
- Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure — US Cybersecurity & Infrastructure Security Agency et al.
- Cadet Blizzard emerges as a novel and distinct Russian threat actor — Microsoft Threat Intelligence
- Who is EMBER BEAR? — CrowdStrike