Ember Bear (G1003): Russian Cyber Espionage and Destructive Operations
- Suspected Origin
- Russia
- Motivation
- Espionage, Sabotage, Reputational Harm, Information Gathering, Disrupting Aid Efforts to Ukraine
- Aliases
- UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056
- Target Sectors
- Government, Telecommunications, Critical Infrastructure (Energy, Financial Services, Transportation, Healthcare), Defense, IT Service Providers
- Associated Malware
- WhisperGate, OutSteel, GraphSteel, GrimPlant, SaintBot, Raspberry Robin, Cobalt Strike, Meterpreter, P.A.S. Webshell
Overview
Ember Bear, identified by MITRE ATT&CK as G1003, is a highly active and dangerous Russian state-sponsored cyber espionage group. The group operates under the direction of Russia’s General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, also known as Unit 29155. Active since at least 2020, Ember Bear’s primary objectives include cyber espionage, data exfiltration for intelligence gathering, and causing reputational harm through data leaks. They have also demonstrated a significant capability for destructive operations, notably exemplified by the WhisperGate wiper attacks. While initially focusing on Ukrainian government and telecommunications entities, Ember Bear has expanded its targeting to include critical infrastructure sectors—such as government services, financial services, transportation systems, energy, and healthcare—across Europe, the Americas (North and Latin America), and Central Asia.
The group is known by numerous aliases, including UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, and UAC-0056, reflecting various security vendors’ tracking efforts. It’s important to note that while some early reporting caused confusion, current evidence strongly suggests Ember Bear is distinct from another Russian-linked entity, Saint Bear, despite some shared tooling. The FBI assesses that Unit 29155 cyber actors often include junior active-duty GRU officers who are gaining experience under the direction of seasoned leadership, and the group also reportedly relies on non-GRU actors, including known cyber-criminals, to conduct operations. Their operations are often coordinated with broader geopolitical objectives, as seen in their activity preceding and during Russia’s invasion of Ukraine.
Tactics & Techniques
Ember Bear employs a diverse set of tactics, techniques, and procedures (TTPs) to achieve its objectives, often leveraging publicly available tools alongside custom malware. Initial access is frequently gained through exploiting external-facing services and public vulnerabilities in common platforms. This includes exploiting vulnerabilities in Confluence servers (e.g., CVE-2021-26084, CVE-2022-26134, CVE-2022-26138), Microsoft Exchange (e.g., CVE-2022-41040, ProxyShell), and various open-source content management systems. They also engage in password spraying against services like Outlook Web Access (OWA) to acquire valid credentials. The group uses legitimate Sysinternals tools like procdump to dump LSASS memory for credential capture and extracts registry hives such as the Security Account Manager.
For reconnaissance, Ember Bear performs extensive vulnerability scanning of public-facing infrastructure using tools like MASSCAN and Acunetix, and targets specific IP ranges for government and critical infrastructure organizations. They also conduct account discovery, including domain and local accounts, and profile Active Directory environments using tools like BloodHound.
Persistence is often achieved through web shells and by establishing footholds in compromised networks for months, exfiltrating data before carrying out disruptive actions. Lateral movement within networks is facilitated by frameworks such as Impacket, which they also use for remote command execution via tools like PsExec. Command and Control (C2) infrastructure often involves virtual private servers (VPSs) and DNS tunneling tools like dnscat/2 and Iodine, with C2 communication occurring over various non-standard ports. To maintain anonymity, Ember Bear uses services such as IVPN, SurfShark, and Tor.
Ember Bear collects vast amounts of data from compromised systems, including mail from accessed systems and servers, and system information like volume enumerations and event logs. This collected data is often compressed before exfiltration to cloud storage services such as mega.nz using tools like Rclone. They also conduct “hack-and-leak” operations, posting exfiltrated information on public websites or via Telegram channels.
Notable Campaigns
Ember Bear has been implicated in several significant cyber campaigns:
- WhisperGate Destructive Wiper Attacks (Early 2022): This is arguably their most well-known campaign, preceding Russia’s full-scale invasion of Ukraine in February 2022. Beginning as early as January 13, 2022, Ember Bear deployed WhisperGate malware against numerous Ukrainian government and critical infrastructure organizations. The malware, which masqueraded as ransomware, was designed to overwrite the Master Boot Record (MBR) and corrupt files, rendering systems inoperable with no intention of data recovery, effectively serving as a destructive wiper. These attacks were seen as a preemptive strike to prepare for military operations and sow chaos.
- Website Defacements: Ember Bear is linked to the defacement of several Ukrainian organization websites. This activity, often coupled with hack-and-leak operations, was observed to peak in early 2022 and re-emerge in January 2023.
- Espionage Against Ukrainian and Georgian Entities: Since at least 2021, Ember Bear (under aliases like UAC-0056 and Lorec53) has engaged in spear-phishing campaigns targeting Ukrainian and Georgian government organizations, telecommunications, and critical infrastructure, often with themes related to current political events or law enforcement. These campaigns aimed to steal documents and establish persistent access for intelligence gathering.
- Targeting Aid Efforts to Ukraine: More recently, the group’s focus appears to include targeting and disrupting aid efforts to Ukraine.
Associated Malware & Tools
Ember Bear is known for utilizing a mix of custom malware, publicly available tools, and legitimate system utilities in their operations:
- WhisperGate: A destructive wiper malware deployed against Ukrainian entities in early 2022, designed to make systems inoperable by corrupting the Master Boot Record (MBR) and files.
- OutSteel: A document stealer used in spear-phishing campaigns, particularly against Ukrainian energy organizations.
- GraphSteel & GrimPlant: Backdoor malware strains used for persistent access and further compromise, often delivered via spear-phishing campaigns, including those employing fake Ukrainian translation software.
- SaintBot: A downloader often delivered via spear-phishing to install additional payloads like OutSteel.
- Raspberry Robin: This malware may have been used by Unit 29155 cyber actors in the role of an access broker.
- Cobalt Strike: A legitimate penetration testing tool frequently abused by threat actors for post-exploitation activities, including backdoor access and lateral movement.
- Meterpreter: An advanced payload from the Metasploit Framework used for post-exploitation.
- P.A.S. Webshell: A web shell used for persistent access to compromised systems.
- BloodHound: Used to profile Active Directory environments.
- CrackMapExec: Used during intrusions for network reconnaissance and credential gathering.
- Impacket: A collection of Python classes for programmatic access to network protocols, used for lateral movement and process execution.
- ngrok: A legitimate tool that exposes local servers to the internet, observed in Ember Bear intrusions against Ukrainian victims.
- PsExec: A Sysinternals tool used for remote command execution.
- Rclone: A cloud sync tool used to exfiltrate information to cloud storage services like mega.nz.
- Responder: A tool used for network-based attacks, including NTLM relaying.
- MASSCAN & Acunetix: Publicly available tools used for vulnerability scanning.
- dnscat/2 & Iodine: DNS tunneling tools for C2 purposes.
- su-bruteforce: A tool used for brute-forcing user accounts via the
sucommand. - IVPN, SurfShark, Tor: Services used for operational anonymization.
- PowerShell, Windows Command Shell, Visual Basic: Used for command and scripting interpretation, data gathering, and other operational tasks.
Current Status
Ember Bear (G1003) remains an Active and evolving threat. Microsoft observed a peak in activity between January and June 2022, followed by a period of reduced operations. However, the group re-emerged in January 2023 with increased operations against entities in Ukraine and Europe, including renewed website defacements and hack-and-leak operations via a “Free Civilian” Telegram channel.
Recent advisories from September 2024 indicate continued operations by GRU Unit 29155 (Ember Bear) targeting critical infrastructure sectors in NATO member states, Europe, North America, Latin America, and Central Asia. These activities include ongoing domain scanning across numerous NATO and EU countries, as well as website defacements, data exfiltration, and data leak operations. The FBI has issued federal arrest warrants in August 2024 for six individuals (five GRU officers and one civilian) associated with GRU Unit 29155 for their alleged involvement in cyber activities from December 2020 to August 2024, including the deployment of WhisperGate and targeting critical infrastructure.
The group’s recent focus appears to include targeting and disrupting aid efforts to Ukraine. Ember Bear often conducts operations during European off-business hours and is a persistent presence in compromised networks for months, prioritizing data exfiltration before destructive actions. This demonstrates their ongoing commitment to supporting Russian geopolitical objectives through cyber means.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call