Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Ember Bear
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Ember Bear
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Ember Bear

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
ID: G1003
Associated Groups: UNC2589, Bleeding Bear, UAC-0056, Frozenvista, Cadet Blizzard, DEV-0586
Version: 2.1
Created: 09 Jun 2022
Last Modified: 25 Apr 2025

Associated Group Descriptions
Name Description
UNC2589 (Citation: Mandiant UNC2589 March 2022)
Bleeding Bear (Citation: CrowdStrike Ember Bear Profile March 2022)
UAC-0056 (Citation: CISA GRU29155 2024)
Frozenvista (Citation: CISA GRU29155 2024)
Cadet Blizzard (Citation: Cadet Blizzard emerges as novel threat actor)
DEV-0586 (Citation: Cadet Blizzard emerges as novel threat actor)

Techniques Used
Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.(Citation: CISA GRU29155 2024)
Enterprise T1595 .001 Active Scanning: Scanning IP Blocks

Ember Bear has targeted IP ranges for vulnerability scanning related to government and critical infrastructure organizations.(Citation: CISA GRU29155 2024)
.002 Active Scanning: Vulnerability Scanning

Ember Bear has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of public-facing infrastructure.(Citation: CISA GRU29155 2024)

Enterprise T1071 .004 Application Layer Protocol: DNS

Ember Bear has used DNS tunnelling tools, such as dnscat/2 and Iodine, for C2 purposes.(Citation: CISA GRU29155 2024)
Enterprise T1110 .003 Brute Force: Password Spraying

Ember Bear has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.(Citation: CISA GRU29155 2024)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Ember Bear has used PowerShell commands to gather information from compromised systems, such as email servers.(Citation: CISA GRU29155 2024)
.001 Command and Scripting Interpreter: PowerShell

Ember Bear has used PowerShell to download and execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.003 Command and Scripting Interpreter: Windows Command Shell

Ember Bear had used `cmd.exe` and Windows Script Host (wscript) to execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.007 Command and Scripting Interpreter: JavaScript

Ember Bear has used JavaScript to execute malicious code on a victim's machine.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1491 .002 Defacement: External Defacement

Ember Bear is linked to the defacement of several Ukrainian organization websites.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Ember Bear conducted destructive operations against victims, including disk structure wiping, via the WhisperGate malware in Ukraine.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as `mega.nz`.(Citation: CISA GRU29155 2024)
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Ember Bear uses the NirSoft AdvancedRun utility to disable Microsoft Defender Antivirus through stopping the WinDefend service on victim machines. Ember Bear disables Windows Defender via registry key changes.(Citation: Cadet Blizzard emerges as novel threat actor)
.001 Impair Defenses: Disable or Modify Tools

Ember Bear has executed a batch script designed to disable Windows Defender on a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1070 .004 Indicator Removal: File Deletion

Ember Bear deletes files related to lateral movement to avoid detection.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to `java` in victim environments.(Citation: CISA GRU29155 2024)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Ember Bear uses legitimate Sysinternals tools such as procdump to dump LSASS memory.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: CISA GRU29155 2024)
.002 OS Credential Dumping: Security Account Manager

Ember Bear acquires victim credentials by extracting registry hives such as the Security Account Manager through commands such as reg save.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: CISA GRU29155 2024)

.004 OS Credential Dumping: LSA Secrets

Ember Bear has used frameworks such as Impacket to dump LSA secrets for credential capture.(Citation: CISA GRU29155 2024)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
.002 Obfuscated Files or Information: Software Packing

Ember Bear has packed malware to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1588 .001 Obtain Capabilities: Malware

Ember Bear has acquired malware and related tools from dark web forums.(Citation: CISA GRU29155 2024)
.002 Obtain Capabilities: Tool

Ember Bear has obtained and used open source scripts from GitHub.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.003 Obtain Capabilities: Code Signing Certificates

Ember Bear has stolen legitimate certificates to sign malicious payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.005 Obtain Capabilities: Exploits

Ember Bear has obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories.(Citation: CISA GRU29155 2024)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.002 Phishing: Spearphishing Link

Ember Bear has sent spearphishing emails containing malicious links.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Ember Bear has configured multi-hop proxies via ProxyChains within victim environments.(Citation: CISA GRU29155 2024)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Ember Bear uses remotely scheduled tasks to facilitate remote command execution on victim machines.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise T1505 .003 Server Software Component: Web Shell

Ember Bear deploys web shells following initial access for either follow-on command execution or protocol tunneling. Example web shells used by Ember Bear include P0wnyshell, reGeorg, P.A.S. Webshell, and custom variants of publicly-available web shell examples.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: CISA GRU29155 2024)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Enterprise T1218 .002 System Binary Proxy Execution: Control Panel

Ember Bear has used control panel files (CPL), delivered via e-mail, for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Ember Bear has dumped configuration settings in accessed IP cameras including plaintext credentials.(Citation: CISA GRU29155 2024)
Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Ember Bear has used pass-the-hash techniques for lateral movement in victim environments.(Citation: CISA GRU29155 2024)
Enterprise T1204 .001 User Execution: Malicious Link

Ember Bear has attempted to lure users to click on a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
.002 User Execution: Malicious File

Ember Bear has attempted to lure victims into executing malicious files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1078 .001 Valid Accounts: Default Accounts

Ember Bear has abused default user names and passwords in externally-accessible IP cameras for initial access.(Citation: CISA GRU29155 2024)

Software
ID Name References Techniques
S0521 BloodHound (Citation: CISA GRU29155 2024) (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) System Owner/User Discovery, Group Policy Discovery, Domain Account, Local Account, Domain Groups, Native API, Archive Collected Data, Domain Trust Discovery, PowerShell, Local Groups, Password Policy Discovery, Remote System Discovery
S1187 reGeorg (Citation: Cadet Blizzard emerges as novel threat actor) (Citation: Fortinet reGeorg MAR 2019) (Citation: GitHub reGeorg 2016) SSH, SMB/Windows Admin Shares, Protocol Tunneling, Web Shell, Proxy, Non-Application Layer Protocol, Python, Web Protocols, Ingress Tool Transfer, Remote Desktop Protocol
S0357 Impacket (Citation: CISA GRU29155 2024) (Citation: Cadet Blizzard emerges as novel threat actor) (Citation: Impacket Tools) Windows Management Instrumentation, Security Account Manager, LSA Secrets, Network Sniffing, Ccache Files, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Lateral Tool Transfer, NTDS, Service Execution, Kerberoasting
S0508 ngrok (Citation: Cadet Blizzard emerges as novel threat actor) (Citation: Cyware Ngrok May 2019) (Citation: FireEye Maze May 2020) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Zdnet Ngrok September 2018) Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service
S0598 P.A.S. Webshell (Citation: ANSSI Sandworm January 2021) (Citation: CISA GRU29155 2024) (Citation: Fobushell) (Citation: NCCIC AR-17-20045 February 2017) Linux and Mac File and Directory Permissions Modification, Password Guessing, Local Account, Data from Local System, Deobfuscate/Decode Files or Information, Web Shell, Command and Scripting Interpreter, File and Directory Discovery, Obfuscated Files or Information, Data from Information Repositories, File Deletion, Web Protocols, Network Service Discovery, Software Discovery, Ingress Tool Transfer
S0689 WhisperGate (Citation: Cadet Blizzard emerges as novel threat actor) (Citation: CrowdStrike Ember Bear Profile March 2022) (Citation: Cybereason WhisperGate February 2022) (Citation: Mandiant UNC2589 March 2022) (Citation: Microsoft WhisperGate January 2022) (Citation: Unit 42 WhisperGate January 2022) Disk Structure Wipe, Encrypted/Encoded File, Bootkit, System Checks, InstallUtil, Network Share Discovery, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Masquerading, Reflective Code Loading, Time Based Evasion, Create Process with Token, File and Directory Discovery, Web Service, PowerShell, Disable or Modify Tools, Process Hollowing, Security Software Discovery, Windows Command Shell, Data Destruction, File Deletion, Web Protocols, Visual Basic, Ingress Tool Transfer, Service Execution, Disk Content Wipe, System Shutdown/Reboot
S1040 Rclone (Citation: CISA GRU29155 2024) (Citation: DFIR Conti Bazar Nov 2021) (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: Rclone Wars) (Citation: Rclone) Archive via Utility, File and Directory Discovery, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration to Cloud Storage, Data Transfer Size Limits, Exfiltration Over Unencrypted Non-C2 Protocol
S1018 Saint Bot (Citation: CISA GRU29155 2024) (Citation: Malwarebytes Saint Bot April 2021) (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) Scheduled Task, System Owner/User Discovery, Standard Encoding, Bypass User Account Control, Match Legitimate Resource Name or Location, Malicious File, System Checks, Spearphishing Link, InstallUtil, Spearphishing Attachment, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Masquerading, Time Based Evasion, System Network Configuration Discovery, File and Directory Discovery, Asynchronous Procedure Call, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Hijack Execution Flow, Process Hollowing, Obfuscated Files or Information, Regsvr32, Query Registry, System Location Discovery, Windows Command Shell, File Deletion, Software Packing, Web Protocols, Visual Basic, Debugger Evasion, Ingress Tool Transfer, Malicious Link, Dynamic-link Library Injection
S1018 Saint Bot (Citation: Malwarebytes Saint Bot April 2021) (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) Scheduled Task, System Owner/User Discovery, Standard Encoding, Bypass User Account Control, Match Legitimate Resource Name or Location, Malicious File, System Checks, Spearphishing Link, InstallUtil, Spearphishing Attachment, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Masquerading, Time Based Evasion, System Network Configuration Discovery, File and Directory Discovery, Asynchronous Procedure Call, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Hijack Execution Flow, Process Hollowing, Obfuscated Files or Information, Regsvr32, Query Registry, System Location Discovery, Windows Command Shell, File Deletion, Software Packing, Web Protocols, Visual Basic, Debugger Evasion, Ingress Tool Transfer, Malicious Link, Dynamic-link Library Injection
S0174 Responder (Citation: CISA GRU29155 2024) (Citation: GitHub Responder) Network Sniffing, LLMNR/NBT-NS Poisoning and SMB Relay
S1017 OutSteel (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) Match Legitimate Resource Name or Location, Malicious File, Spearphishing Link, Spearphishing Attachment, Automated Collection, AutoHotKey & AutoIT, Data from Local System, Automated Exfiltration, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Lateral Tool Transfer, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Malicious Link
S0488 CrackMapExec (Citation: CISA GRU29155 2024) (Citation: CME Github September 2018) Windows Management Instrumentation, Password Guessing, Security Account Manager, LSA Secrets, Domain Account, Domain Groups, Network Share Discovery, System Information Discovery, Modify Registry, Password Spraying, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, PowerShell, Brute Force, Password Policy Discovery, Remote System Discovery, Pass the Hash, NTDS, At
S0029 PsExec (Citation: CISA GRU29155 2024) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  2. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  3. Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022.
  4. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  5. CrowdStrike. (2022, March 30). Who is EMBER BEAR?. Retrieved June 9, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.