← All Threat Actors
Threat Actor Profile

Ember Bear

Bleeding Bear Cadet Blizzard Callisto DEV-0586 Frozenvista G1003 Greyscale LorecBear UAC-0056 UNC2589 Unit 29155
▲ High Threat
[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](https://attack.mitre.org/groups/G1003) conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether [Ember Bear](https://attack.mitre.org/groups/G1003) overlaps with another Russian-linked entity referred to as [Saint Bear](https://attack.mitre.org/groups/G1031). At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Origin

Known TTPs

Remote System Discovery
OS Credential Dumping
Multi-hop Proxy
Email Collection
Acquire Infrastructure
Archive Collected Data
Masquerading
Vulnerability Scanning
Virtual Private Server
Log Enumeration
Exploit Public-Facing Application
External Remote Services
Automated Collection
Non-Standard Port
File Deletion
Lateral Tool Transfer
Non-Application Layer Protocol
Video Capture
Protocol Tunneling
Brute Force
Malware
Password Spraying
Scanning IP Blocks
Web Shell
Establish Accounts
External Defacement
Scheduled Task
Exploitation of Remote Services
PowerShell
Modify Registry
DNS
Pass the Hash
Exfiltration to Cloud Storage
Exploits
Supply Chain Compromise
Data from Local System
Disk Structure Wipe
Exploitation for Client Execution
Match Legitimate Resource Name or Location
Credentials In Files
LSASS Memory
Windows Management Instrumentation
Remote Services
LSA Secrets
Security Account Manager
Default Accounts
Network Service Discovery

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD