Ember Bear

OriginRússia

Techniques (MITRE ATT&CK)47

SourceMITRE ATT&CK

Also known as:UNC2589Bleeding BearDEV-0586Cadet BlizzardFrozenvistaUAC-0056

Vexday analysis

Ember Bear é um grupo de espionagem cibernética patrocinado pelo Estado russo, ativo desde pelo menos 2020 e vinculado ao Centro de Treinamento Especializado 161 (Unidade 29155) da Diretoria de Inteligência do Estado-Maior das Forças Armadas da Rússia (GRU). O grupo conduziu ataques destrutivos com o wiper WhisperGate contra a Ucrânia no início de 2022, com foco principal em entidades governamentais e de telecomunicações ucranianas, além de operações contra infraestruturas críticas na Europa e nas Américas. Também rastreado pelos aliases Cadet Blizzard, UNC2589, UAC-0056 e outros, o grupo possui 47 técnicas documentadas no MITRE ATT&CK e 5 CVEs a ele atribuídas.

Techniques (MITRE ATT&CK) 47

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance

Scanning IP Blocks Vulnerability Scanning

Resource development

Acquire Infrastructure Virtual Private Server Establish Accounts Malware Exploits

Initial access

Exploit Public-Facing Application Supply Chain Compromise

Execution

Windows Management Instrumentation Scheduled Task PowerShell Exploitation for Client Execution

Persistence

External Remote Services Web Shell

Credential access

OS Credential Dumping LSASS Memory Security Account Manager LSA Secrets Brute Force Password Spraying Credentials In Files

Discovery

Remote System Discovery Network Service Discovery Log Enumeration

Lateral movement

Remote Services Exploitation of Remote Services Pass the Hash Lateral Tool Transfer

Collection

Data from Local System Email Collection Automated Collection Video Capture Archive Collected Data

Command and control

DNS Multi-hop Proxy Non-Application Layer Protocol Non-Standard Port Protocol Tunneling

Exfiltration

Exfiltration to Cloud Storage

Impact

External Defacement Disk Structure Wipe

defense-impairment

Modify Registry

stealth

Masquerading Match Legitimate Resource Name or Location File Deletion Default Accounts

Exploited vulnerabilities 5

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2021-26084CRITICALEPSS 100%KEV CVE-2022-41040HIGHEPSS 100%KEV CVE-2014-7169CRITICALEPSS 100%KEV CVE-2016-6662EPSS 68%CVE-2017-0176EPSS 46%

Ember Bear uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →