G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
Analyst context for executives and security teams
Ember Bear matters because ATT&CK describes it as a Russian state-sponsored espionage group linked to GRU Unit 29155, with operations focused on Ukrainian government and telecommunications entities and critical infrastructure in Europe and the Americas. The related behaviors point to a practical defender concern: credential theft, Active Directory discovery, remote execution, tunneling/proxying, web shells, file collection, and destructive wiper activity via WhisperGate. For leaders, this is less about one malware family and more about whether the organization can withstand identity-driven intrusion, lateral movement, and potential disruption.
Executive priority
Prioritize this as a resilience and readiness question for identity, Windows administration pathways, critical infrastructure exposure, and incident response decision-making. Executives should ask whether privileged credentials, remote administration tools, web-facing servers, and outbound tunneling services are monitored well enough to support rapid containment and audit evidence. Because ATT&CK does not provide a group-level detection section or platforms, prioritization should be based on local exposure to the related techniques and software rather than assumptions of direct targeting.
Technical view
SOC and IR teams should validate coverage across the related ATT&CK relationships: OS credential dumping including LSASS, SAM, and LSA Secrets; remote services and WMI; scheduled tasks; PowerShell; remote system and network service discovery; masquerading; local data collection; and tools such as PsExec, Impacket, CrackMapExec, Responder, BloodHound, ngrok, Rclone, P.A.S. Webshell, reGeorg, Saint Bot, and WhisperGate. The strongest validation path is to map these relationships to actual telemetry sources, alert logic, and containment playbooks, especially around Windows identity infrastructure and web-accessible systems.
Likely telemetry
- Windows Security, Sysmon, EDR, and process creation logs for PowerShell, WMI, scheduled tasks, credential access indicators, and remote execution tooling
- Authentication and domain controller logs for abnormal account use, lateral movement, NTLM activity, and Active Directory enumeration patterns
- Network flow, DNS, proxy, and firewall logs for service discovery, tunneling, reverse proxy activity, and unusual outbound cloud-storage or tunnel destinations
- Web server logs, file integrity monitoring, and EDR telemetry for PHP web shells and proxy web shells such as P.A.S. Webshell and reGeorg
- File, command-line, and data transfer telemetry relevant to local collection and tools such as Rclone
Detection direction
- Do not treat tool names alone as sufficient detection: PsExec, ngrok, Rclone, BloodHound, Impacket, CrackMapExec, and Responder can overlap with legitimate administration, testing, or engineering activity.
- Tune detections around behavior chains: discovery followed by credential access, privileged authentication, remote execution, scheduled task creation, web shell access, tunneling, or file synchronization.
- Validate that credential dumping detections cover LSASS memory access, SAM access, and LSA Secrets, not only known tool hashes or filenames.
- Review allowlisted administrative utilities and remote management pathways because masquerading and legitimate-tool abuse can reduce the value of simple blocklists.
- Use relationship context to hunt for Active Directory attack-path discovery and lateral movement patterns, especially where BloodHound, CrackMapExec, Impacket, PsExec, WMI, or remote services appear together.
Mitigation priorities
- Start with identity hardening: reduce standing privilege, protect administrative accounts, monitor domain controllers, and limit credential exposure on endpoints.
- Restrict and monitor remote administration mechanisms such as PsExec-style execution, WMI, scheduled tasks, and remote services according to business need.
- Harden web-facing servers and monitor for web shells and proxy tunneling behavior, especially where PHP applications or externally reachable services exist.
- Control outbound tunneling and file synchronization paths with egress filtering, proxy logging, and review of sanctioned cloud storage usage.
- Improve resilience against destructive activity through tested backups, recovery procedures, segmentation, and incident response playbooks for rapid isolation.
Analyst notes and limits
The supplied ATT&CK object identifies Ember Bear aliases including UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, and UAC-0056. MITRE notes some confusion with Saint Bear but states available evidence strongly suggests distinct activities with different behavioral profiles. Relationship-derived context is central here because the group object itself has no explicit tactics, platforms, or detection text.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert current targeting, customer exposure, active exploitation, or guaranteed detection. Platforms and tactics are inferred only from related software and techniques, not from group-level platform or tactic fields.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1018 | Remote System Discovery | Ember Bear has used tools such as Nmap and MASSCAN for remote service discovery.[1] |
| Enterprise | T1003 | OS Credential Dumping | Ember Bear gathers credential material from target systems, such as SSH keys, to facilitate access to victim environments.[2] |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | Ember Bear has configured multi-hop proxies via ProxyChains within victim environments.[1] |
| Enterprise | T1114 | Email Collection | Ember Bear attempts to collect mail from accessed systems and servers.[2][1] |
| Enterprise | T1583 | Acquire Infrastructure | Ember Bear uses services such as IVPN, SurfShark, and Tor to add anonymization to operations.[2] |
| Enterprise | T1560 | Archive Collected Data | Ember Bear has compressed collected data prior to exfiltration.[1] |
| Enterprise | T1036 | Masquerading | Ember Bear has renamed the legitimate Sysinternals tool procdump to alternative names such as |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | Ember Bear has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of public-facing infrastructure.[1] |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.[1] |
| Enterprise | T1654 | Log Enumeration | Ember Bear has enumerated SECURITY and SYSTEM log files during intrusions.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Ember Bear gains initial access to victim environments by exploiting external-facing services. Examples include exploitation of CVE-2021-26084 in Confluence servers; CVE-2022-41040, ProxyShell, and other vulnerabilities in Microsoft Exchange; and multiple vulnerabilities in open-source platforms such as content management systems.[2][1] |
| Enterprise | T1133 | External Remote Services | Ember Bear has used VPNs both for initial access to victim environments and for persistence within them following compromise.[1] |
| Enterprise | T1119 | Automated Collection | Ember Bear engages in mass collection from compromised systems during intrusions.[2] |
| Enterprise | T1571 | Non-Standard Port | Ember Bear has used various non-standard ports for C2 communication.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Ember Bear deletes files related to lateral movement to avoid detection.[2] |
| Enterprise | T1570 | Lateral Tool Transfer | Ember Bear retrieves follow-on payloads direct from adversary-owned infrastructure for deployment on compromised hosts.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | Ember Bear uses socket-based tunneling utilities for command and control purposes such as NetCat and Go Simple Tunnel (GOST). These tunnels are used to push interactive command prompts over the created sockets.[2] Ember Bear has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure.[1] |
| Enterprise | T1125 | Video Capture | Ember Bear has exfiltrated images from compromised IP cameras.[1] |
| Enterprise | T1572 | Protocol Tunneling | Ember Bear has used ProxyChains to tunnel protocols to internal networks.[1] |
| Enterprise | T1110 | Brute Force | Ember Bear used the `su-bruteforce` tool to brute force specific users using the `su` command.[1] |
| Enterprise | T1588.001 | Malware Sub-technique | Ember Bear has acquired malware and related tools from dark web forums.[1] |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Ember Bear has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.[1] |
| Enterprise | T1595.001 | Scanning IP Blocks Sub-technique | Ember Bear has targeted IP ranges for vulnerability scanning related to government and critical infrastructure organizations.[1] |
| Enterprise | T1505.003 | Web Shell Sub-technique | Ember Bear deploys web shells following initial access for either follow-on command execution or protocol tunneling. Example web shells used by Ember Bear include P0wnyshell, reGeorg, P.A.S. Webshell, and custom variants of publicly-available web shell examples.[2][1] |
| Enterprise | T1585 | Establish Accounts | Ember Bear has created accounts on dark web forums to obtain various tools and malware.[1] |
| Enterprise | T1491.002 | External Defacement Sub-technique | Ember Bear is linked to the defacement of several Ukrainian organization websites.[2] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Ember Bear uses remotely scheduled tasks to facilitate remote command execution on victim machines.[2] |
| Enterprise | T1210 | Exploitation of Remote Services | Ember Bear has used exploits for vulnerabilities such as MS17-010, also known as `Eternal Blue`, during operations.[1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Ember Bear has used PowerShell commands to gather information from compromised systems, such as email servers.[1] |
| Enterprise | T1112 | Modify Registry | Ember Bear modifies registry values for anti-forensics and defense evasion purposes.[2] |
| Enterprise | T1071.004 | DNS Sub-technique | Ember Bear has used DNS tunnelling tools, such as dnscat/2 and Iodine, for C2 purposes.[1] |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | Ember Bear has used pass-the-hash techniques for lateral movement in victim environments.[1] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as `mega.nz`.[1] |
| Enterprise | T1588.005 | Exploits Sub-technique | Ember Bear has obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories.[1] |
| Enterprise | T1195 | Supply Chain Compromise | Ember Bear has compromised information technology providers and software developers providing services to targets of interest, building initial access to ultimate victims at least in part through compromise of service providers that work with the victim organizations.[2] |
| Enterprise | T1005 | Data from Local System | Ember Bear gathers victim system information such as enumerating the volume of a given device or extracting system and security event logs for analysis.[2][1] |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | Ember Bear conducted destructive operations against victims, including disk structure wiping, via the WhisperGate malware in Ukraine.[2] |
| Enterprise | T1203 | Exploitation for Client Execution | Ember Bear has used exploits to enable follow-on execution of frameworks such as Meterpreter.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to `java` in victim environments.[1] |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Ember Bear has dumped configuration settings in accessed IP cameras including plaintext credentials.[1] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Ember Bear uses legitimate Sysinternals tools such as procdump to dump LSASS memory.[2][1] |
| Enterprise | T1047 | Windows Management Instrumentation | Ember Bear has used WMI execution with password hashes for command execution and lateral movement.[1] |
| Enterprise | T1021 | Remote Services | Ember Bear uses valid network credentials gathered through credential harvesting to move laterally within victim networks, often employing the Impacket framework to do so.[2] |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | Ember Bear has used frameworks such as Impacket to dump LSA secrets for credential capture.[1] |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Ember Bear acquires victim credentials by extracting registry hives such as the Security Account Manager through commands such as |
| Enterprise | T1078.001 | Default Accounts Sub-technique | Ember Bear has abused default user names and passwords in externally-accessible IP cameras for initial access.[1] |
| Enterprise | T1046 | Network Service Discovery | Ember Bear has used tools such as NMAP for remote system discovery and enumeration in victim environments.[1] |
Groups, software, and campaigns
S0598: P.A.S. Webshell
P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]
S0488: CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
S0174: Responder
Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.[1]
S0508: ngrok
S1187: reGeorg
S0689: WhisperGate
WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[1][2][3]
S1018: Saint Bot
Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.[1][2]
S0029: PsExec
S1040: Rclone
S0521: BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
S0357: Impacket
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | e5c2595965fb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CISA GRU29155 2024: US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
- [2] Cadet Blizzard emerges as novel threat actor: Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- [3] CrowdStrike Ember Bear Profile March 2022: CrowdStrike. (2022, March 30). Who is EMBER BEAR? Retrieved June 9, 2022.
- [4] Mandiant UNC2589 March 2022: Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022.
- [5] Palo Alto Unit 42 OutSteel SaintBot February 2022: Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- [6] Bleeding Bear (Citation: CrowdStrike Ember Bear Profile March 2022)
- [7] Cadet Blizzard (Citation: Cadet Blizzard emerges as novel threat actor)
- [8] DEV-0586 (Citation: Cadet Blizzard emerges as novel threat actor)
- [9] Frozenvista (Citation: CISA GRU29155 2024)
- [10] UAC-0056 (Citation: CISA GRU29155 2024)
- [11] UNC2589 (Citation: Mandiant UNC2589 March 2022)
- [12] mitre-attack G1003
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.