
G1003 Ember Bear

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[5] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[1][3][5] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][4]

ID: G1003
Associated Names: UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056
Version: 2.1
Created: 09 June 2022
Last Modified: 25 April 2025

Associated Group Descriptions

| Name | Description |
| --- | --- |
| UNC2589 | [3] |
| Bleeding Bear | [1] |
| DEV-0586 | [2] |
| Cadet Blizzard | [2] |
| Frozenvista | [5] |
| UAC-0056 | [5] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1583 | Acquire Infrastructure | Ember Bear uses services such as IVPN, SurfShark, and Tor to add anonymization to operations.[2] |
| enterprise | T1583.003 | Virtual Private Server | Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.[5] |
| enterprise | T1595 | Active Scanning | - |
| enterprise | T1595.001 | Scanning IP Blocks | Ember Bear has targeted IP ranges for vulnerability scanning related to government and critical infrastructure organizations.[5] |
| enterprise | T1595.002 | Vulnerability Scanning | Ember Bear has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of public-facing infrastructure.[5] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | Ember Bear has used DNS tunnelling tools, such as dnscat/2 and Iodine, for C2 purposes.[5] |
| enterprise | T1560 | Archive Collected Data | Ember Bear has compressed collected data prior to exfiltration.[5] |
| enterprise | T1119 | Automated Collection | Ember Bear engages in mass collection from compromised systems during intrusions.[2] |
| enterprise | T1110 | Brute Force | Ember Bear used the su-bruteforce tool to brute force specific users using the su command.[5] |
| enterprise | T1110.003 | Password Spraying | Ember Bear has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.[5] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Ember Bear has used PowerShell commands to gather information from compromised systems, such as email servers.[5] |
| enterprise | T1005 | Data from Local System | Ember Bear gathers victim system information, such as enumerating the volume of a given device or extracting system and security event logs for analysis.[2][5] |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.002 | External Defacement | Ember Bear is linked to the defacement of several Ukrainian organization websites.[2] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | Ember Bear conducted destructive operations against victims, including disk structure wiping, via the WhisperGate malware in Ukraine.[2] |
| enterprise | T1114 | Email Collection | Ember Bear attempts to collect mail from accessed systems and servers.[2][5] |
| enterprise | T1585 | Establish Accounts | Ember Bear has created accounts on dark web forums to obtain various tools and malware.[5] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as mega.nz.[5] |
| enterprise | T1190 | Exploit Public-Facing Application | Ember Bear gains initial access to victim environments by exploiting external-facing services. Examples include exploitation of CVE-2021-26084 in Confluence servers; CVE-2022-41040, ProxyShell, and other vulnerabilities in Microsoft Exchange; and multiple vulnerabilities in open-source platforms such as content management systems.[2][5] |
| enterprise | T1203 | Exploitation for Client Execution | Ember Bear has used exploits to enable follow-on execution of frameworks such as Meterpreter.[5] |
| enterprise | T1210 | Exploitation of Remote Services | Ember Bear has used exploits for vulnerabilities such as MS17-010, also known as EternalBlue, during operations.[5] |
| enterprise | T1133 | External Remote Services | Ember Bear has used VPNs both for initial access to victim environments and for persistence within them following compromise.[5] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Ember Bear uses the NirSoft AdvancedRun utility to disable Microsoft Defender Antivirus by stopping the WinDefend service on victim machines. Ember Bear also disables Windows Defender via registry key changes.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Ember Bear deletes files related to lateral movement to avoid detection.[2] |
| enterprise | T1570 | Lateral Tool Transfer | Ember Bear retrieves follow-on payloads directly from adversary-owned infrastructure for deployment on compromised hosts.[2] |
| enterprise | T1654 | Log Enumeration | Ember Bear has enumerated SECURITY and SYSTEM log files during intrusions.[5] |
| enterprise | T1036 | Masquerading | Ember Bear has renamed the legitimate Sysinternals tool procdump to alternative names such as dump64.exe to evade detection.[2] |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to java in victim environments.[5] |
| enterprise | T1112 | Modify Registry | Ember Bear modifies registry values for anti-forensics and defense evasion purposes.[2] |
| enterprise | T1046 | Network Service Discovery | Ember Bear has used tools such as Nmap for remote system discovery and enumeration in victim environments.[5] |
| enterprise | T1095 | Non-Application Layer Protocol | Ember Bear uses socket-based tunneling utilities such as NetCat and Go Simple Tunnel (GOST) for command and control purposes. These tunnels are used to push interactive command prompts over the created sockets.[2] Ember Bear has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure.[5] |
| enterprise | T1571 | Non-Standard Port | Ember Bear has used various non-standard ports for C2 communication.[5] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | Ember Bear has acquired malware and related tools from dark web forums.[5] |
| enterprise | T1588.005 | Exploits | Ember Bear has obtained exploitation scripts against publicly disclosed vulnerabilities from public repositories.[5] |
| enterprise | T1003 | OS Credential Dumping | Ember Bear gathers credential material from target systems, such as SSH keys, to facilitate access to victim environments.[2] |
| enterprise | T1003.001 | LSASS Memory | Ember Bear uses legitimate Sysinternals tools such as procdump to dump LSASS memory.[2][5] |
| enterprise | T1003.002 | Security Account Manager | Ember Bear acquires victim credentials by extracting registry hives such as the Security Account Manager through commands such as reg save.[2][5] |
| enterprise | T1003.004 | LSA Secrets | Ember Bear has used frameworks such as Impacket to dump LSA secrets for credential capture.[5] |
| enterprise | T1572 | Protocol Tunneling | Ember Bear has used ProxyChains to tunnel protocols to internal networks.[5] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | Ember Bear has configured multi-hop proxies via ProxyChains within victim environments.[5] |
| enterprise | T1021 | Remote Services | Ember Bear uses valid network credentials gathered through credential harvesting to move laterally within victim networks, often employing the Impacket framework to do so.[2] |
| enterprise | T1018 | Remote System Discovery | Ember Bear has used tools such as Nmap and MASSCAN for remote service discovery.[5] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Ember Bear uses remotely scheduled tasks to facilitate remote command execution on victim machines.[2] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Ember Bear deploys web shells following initial access for either follow-on command execution or protocol tunneling. Example web shells used by Ember Bear include P0wnyshell, reGeorg, P.A.S. Webshell, and custom variants of publicly available web shell examples.[2][5] |
| enterprise | T1195 | Supply Chain Compromise | Ember Bear has compromised information technology providers and software developers providing services to targets of interest, building initial access to ultimate victims at least in part through compromise of service providers that work with the victim organizations.[2] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Ember Bear has dumped configuration settings from accessed IP cameras, including plaintext credentials.[5] |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | Ember Bear has used pass-the-hash techniques for lateral movement in victim environments.[5] |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.001 | Default Accounts | Ember Bear has abused default user names and passwords in externally accessible IP cameras for initial access.[5] |
| enterprise | T1125 | Video Capture | Ember Bear has exfiltrated images from compromised IP cameras.[5] |
| enterprise | T1047 | Windows Management Instrumentation | Ember Bear has used WMI execution with password hashes for command execution and lateral movement.[5] |

Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0521 | BloodHound | Ember Bear has used BloodHound to profile Active Directory environments.[5] | Domain Account:Account Discovery; Local Account:Account Discovery; Archive Collected Data; PowerShell:Command and Scripting Interpreter; Domain Trust Discovery; Group Policy Discovery; Native API; Domain Groups:Permission Groups Discovery; Local Groups:Permission Groups Discovery; Remote System Discovery; System Owner/User Discovery |
| S0488 | CrackMapExec | Ember Bear used CrackMapExec during intrusions.[5] | Domain Account:Account Discovery; Password Spraying:Brute Force; Password Guessing:Brute Force; Brute Force; PowerShell:Command and Scripting Interpreter; File and Directory Discovery; Local Storage Discovery; Modify Registry; Network Share Discovery; Security Account Manager:OS Credential Dumping; NTDS:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Password Policy Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; At:Scheduled Task/Job; System Network Configuration Discovery; System Network Connections Discovery; Pass the Hash:Use Alternate Authentication Material; Windows Management Instrumentation |
| S0357 | Impacket | Ember Bear has used Impacket for lateral movement and process execution in victim environments.[2][5] | LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Lateral Tool Transfer; Network Sniffing; NTDS:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Kerberoasting:Steal or Forge Kerberos Tickets; Ccache Files:Steal or Forge Kerberos Tickets; Service Execution:System Services; Windows Management Instrumentation |
| S0508 | ngrok | Ember Bear used ngrok during intrusions against Ukrainian victims.[2] | Domain Generation Algorithms:Dynamic Resolution; Exfiltration Over Web Service; Protocol Tunneling; Proxy; Web Service |
| S0598 | P.A.S. Webshell | Ember Bear has used P.A.S. Webshell during intrusions.[5] | Local Account:Account Discovery; Web Protocols:Application Layer Protocol; Password Guessing:Brute Force; Command and Scripting Interpreter; Databases:Data from Information Repositories; Data from Local System; Deobfuscate/Decode Files or Information; File and Directory Discovery; Linux and Mac File and Directory Permissions Modification:File and Directory Permissions Modification; File Deletion:Indicator Removal; Ingress Tool Transfer; Network Service Discovery; Obfuscated Files or Information; Web Shell:Server Software Component; Software Discovery |
| S0029 | PsExec | Ember Bear has used PsExec through frameworks such as Impacket for remote command execution.[5] | Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services |
| S1040 | Rclone | Ember Bear has used Rclone to exfiltrate information from victim environments.[5] | Archive via Utility:Archive Collected Data; Data Transfer Size Limits; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol; Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol; Exfiltration to Cloud Storage:Exfiltration Over Web Service; File and Directory Discovery |
| S1187 | reGeorg | [2] | Web Protocols:Application Layer Protocol; Python:Command and Scripting Interpreter; Ingress Tool Transfer; Non-Application Layer Protocol; Protocol Tunneling; Proxy; Remote Desktop Protocol:Remote Services; SSH:Remote Services; SMB/Windows Admin Shares:Remote Services; Web Shell:Server Software Component |
| S0174 | Responder | Ember Bear has used Responder in intrusions.[5] | LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Network Sniffing |
| S1018 | Saint Bot | Ember Bear has used Saint Bot during operations, but is distinct from the threat actor Saint Bear.[5] | Bypass User Account Control:Abuse Elevation Control Mechanism; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Data from Local System; Debugger Evasion; Deobfuscate/Decode Files or Information; File and Directory Discovery; Hijack Execution Flow; File Deletion:Indicator Removal; Ingress Tool Transfer; Masquerading; Match Legitimate Resource Name or Location:Masquerading; Native API; Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Spearphishing Link:Phishing; Spearphishing Attachment:Phishing; Process Discovery; Dynamic-link Library Injection:Process Injection; Asynchronous Procedure Call:Process Injection; Process Hollowing:Process Injection; Query Registry; Scheduled Task:Scheduled Task/Job; Regsvr32:System Binary Proxy Execution; InstallUtil:System Binary Proxy Execution; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Malicious File:User Execution; Malicious Link:User Execution; Time Based Checks:Virtualization/Sandbox Evasion; System Checks:Virtualization/Sandbox Evasion |
| S0689 | WhisperGate | Ember Bear is associated with WhisperGate use against multiple victims in Ukraine.[2][1][3] | Create Process with Token:Access Token Manipulation; Web Protocols:Application Layer Protocol; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; Data Destruction; Deobfuscate/Decode Files or Information; Disk Structure Wipe:Disk Wipe; Disk Content Wipe:Disk Wipe; File and Directory Discovery; Disable or Modify Tools:Impair Defenses; File Deletion:Indicator Removal; Ingress Tool Transfer; Local Storage Discovery; Masquerading; Native API; Network Share Discovery; Encrypted/Encoded File:Obfuscated Files or Information; Bootkit:Pre-OS Boot; Process Hollowing:Process Injection; Reflective Code Loading; Security Software Discovery:Software Discovery; InstallUtil:System Binary Proxy Execution; Service Execution:System Services; System Shutdown/Reboot; System Checks:Virtualization/Sandbox Evasion; Time Based Checks:Virtualization/Sandbox Evasion; Web Service |

References