G1003 · 64 ATT&CK techniques · 0 correlated reports

Ember Bear

Aliases: UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas. Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.


ATT&CK techniques

ID         Technique
T1018      Remote System Discovery
T1003      OS Credential Dumping
T1090.003  Multi-hop Proxy
T1114      Email Collection
T1583      Acquire Infrastructure
T1560      Archive Collected Data
T1036      Masquerading
T1595.002  Vulnerability Scanning
T1583.003  Virtual Private Server
T1654      Log Enumeration
T1190      Exploit Public-Facing Application
T1133      External Remote Services
T1119      Automated Collection
T1571      Non-Standard Port
T1070.004  File Deletion
T1570      Lateral Tool Transfer
T1095      Non-Application Layer Protocol
T1125      Video Capture
T1572      Protocol Tunneling
T1110      Brute Force
T1588.001  Malware
T1110.003  Password Spraying
T1595.001  Scanning IP Blocks
T1505.003  Web Shell
T1585      Establish Accounts
T1491.002  External Defacement
T1053.005  Scheduled Task
T1210      Exploitation of Remote Services
T1059.001  PowerShell
T1112      Modify Registry
T1071.004  DNS
T1550.002  Pass the Hash
T1567.002  Exfiltration to Cloud Storage
T1588.005  Exploits
T1195      Supply Chain Compromise
T1562.001  Disable or Modify Tools
T1005      Data from Local System
T1561.002  Disk Structure Wipe
T1203      Exploitation for Client Execution
T1036.005  Match Legitimate Name or Location
T1552.001  Credentials In Files
T1003.001  LSASS Memory
T1047      Windows Management Instrumentation
T1021      Remote Services
T1003.004  LSA Secrets
T1003.002  Security Account Manager
T1078.001  Default Accounts
T1046      Network Service Discovery
T1566.001  Spearphishing Attachment
T1588.002  Tool
T1588.003  Code Signing Certificates
T1218.002  Control Panel
T1027      Obfuscated Files or Information
T1553.002  Code Signing
T1027.002  Software Packing
T1105      Ingress Tool Transfer
T1059.007  JavaScript
T1102      Web Service
T1027.001  Binary Padding
T1566.002  Spearphishing Link
T1059.003  Windows Command Shell
T1027.010  Command Obfuscation
T1204.002  Malicious File
T1204.001  Malicious Link
