Ember Bear

Also known as: Ember Bear, UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056, EMBER BEAR, Ruinous Ursa

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia’s General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) [2]. Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas [3]. Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022 [4][5][2]. There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles [3][6].

🌍 Country: Russia
🎯 Incident Type: Sabotage
🧭 ATT&CK: G1003

Activities and Tactics

Country of Origin: Russia

Incident Type: Sabotage

Suspected Victims: Ukraine

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Wiper
  • CyberGate
  • Cyber Eye RAT
  • Blizzard

Russian APT Tool Matrix observations

Observed tools by category:

  • Discovery: Acunetix, Adminer, Amass, Bloodhound, Droopescan, JoomScan, LdapDomainDump, Masscan, Nmap, WPScan
  • Exfiltration: MEGA, Rclone
  • LOLBAS: PsExec
  • Networking: GOST, Iodine, ProxyChains, ReGeorg, dnscat2
  • OffSec: CrackMapExec, Impacket, LinPEAS, Metasploit, Meterpreter, NetCat, PAS Web Shell, Responder, WSO Web Shell

Attribution and Evidence

Country of Origin: Russia

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK entry (G1003)
[2] CISA GRU29155 2024
[3] Cadet Blizzard emerges as novel threat actor
[4] CrowdStrike Ember Bear Profile March 2022
[5] Mandiant UNC2589 March 2022
[6] Palo Alto Unit 42 OutSteel SaintBot February 2022