Ember Bear | APT Profile

Description

[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](https://attack.mitre.org/groups/G1003) conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether [Ember Bear](https://attack.mitre.org/groups/G1003) overlaps with another Russian-linked entity referred to as [Saint Bear](https://attack.mitre.org/groups/G1031). At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Techniques Used (TTPs)

T1018 — Remote System Discovery (discovery)
T1003 — OS Credential Dumping (credential-access)
T1090.003 — Multi-hop Proxy (command-and-control)
T1114 — Email Collection (collection)
T1583 — Acquire Infrastructure (resource-development)
T1560 — Archive Collected Data (collection)
T1036 — Masquerading (defense-evasion)
T1595.002 — Vulnerability Scanning (reconnaissance)
T1583.003 — Virtual Private Server (resource-development)
T1654 — Log Enumeration (discovery)
T1190 — Exploit Public-Facing Application (initial-access)
T1133 — External Remote Services (persistence, initial-access)
T1119 — Automated Collection (collection)
T1571 — Non-Standard Port (command-and-control)
T1070.004 — File Deletion (defense-evasion)
T1570 — Lateral Tool Transfer (lateral-movement)
T1095 — Non-Application Layer Protocol (command-and-control)
T1125 — Video Capture (collection)
T1572 — Protocol Tunneling (command-and-control)
T1110 — Brute Force (credential-access)
T1588.001 — Malware (resource-development)
T1110.003 — Password Spraying (credential-access)
T1595.001 — Scanning IP Blocks (reconnaissance)
T1505.003 — Web Shell (persistence)
T1585 — Establish Accounts (resource-development)
T1491.002 — External Defacement (impact)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1210 — Exploitation of Remote Services (lateral-movement)
T1059.001 — PowerShell (execution)
T1112 — Modify Registry (defense-evasion, persistence)
T1071.004 — DNS (command-and-control)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1588.005 — Exploits (resource-development)
T1195 — Supply Chain Compromise (initial-access)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1005 — Data from Local System (collection)
T1561.002 — Disk Structure Wipe (impact)
T1203 — Exploitation for Client Execution (execution)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1552.001 — Credentials In Files (credential-access)
T1003.001 — LSASS Memory (credential-access)
T1047 — Windows Management Instrumentation (execution)
T1021 — Remote Services (lateral-movement)
T1003.004 — LSA Secrets (credential-access)
T1003.002 — Security Account Manager (credential-access)
T1078.001 — Default Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1046 — Network Service Discovery (discovery)

Total TTPs: 48

Malware & Tools

Malware: P.A.S. Webshell, Saint Bot, WhisperGate, reGeorg

Tools: BloodHound, CrackMapExec, Impacket, PsExec, Rclone, Responder, ngrok

← Return to Home ← Back to APT Search