Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020 and is linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused its operations on Ukrainian government and telecommunications entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear; at present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
| Name | Description |
|---|---|
| UNC2589 | |
| Bleeding Bear | |
| DEV-0586 | |
| Cadet Blizzard | |
| Frozenvista | |
| UAC-0056 | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Ember Bear has used WMI execution with password hashes for command execution and lateral movement.[1] |
| Enterprise | T1595.001 | Active Scanning: Scanning IP Blocks | Ember Bear has targeted IP ranges for vulnerability scanning related to government and critical infrastructure organizations.[1] |
| Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | Ember Bear has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of public-facing infrastructure.[1] |
| Enterprise | T1005 | Data from Local System | Ember Bear gathers victim system information, such as enumerating the volume of a given device or extracting system and security event logs for analysis.[2][1] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Ember Bear has configured multi-hop proxies via ProxyChains within victim environments.[1] |
| Enterprise | T1036 | Masquerading | Ember Bear has renamed the legitimate Sysinternals tool procdump to alternative names such as |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Ember Bear has used pass-the-hash techniques for lateral movement in victim environments.[1] |
| Enterprise | T1195 | Supply Chain Compromise | Ember Bear has compromised information technology providers and software developers that provide services to targets of interest, building initial access to the ultimate victims at least in part through compromise of service providers that work with the victim organizations.[2] |
| Enterprise | T1112 | Modify Registry | Ember Bear modifies registry values for anti-forensics and defense evasion purposes.[2] |
| Enterprise | T1190 | Exploit Public-Facing Application | Ember Bear gains initial access to victim environments by exploiting external-facing services. Examples include exploitation of CVE-2021-26084 in Confluence servers; CVE-2022-41040, ProxyShell, and other vulnerabilities in Microsoft Exchange; and multiple vulnerabilities in open-source platforms such as content management systems.[2][1] |
| Enterprise | T1572 | Protocol Tunneling | Ember Bear has used ProxyChains to tunnel protocols to internal networks.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Ember Bear has used PowerShell commands to gather information from compromised systems, such as email servers.[1] |
| Enterprise | T1133 | External Remote Services | Ember Bear has used VPNs both for initial access to victim environments and for persistence within them following compromise.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Ember Bear uses the NirSoft AdvancedRun utility to disable Microsoft Defender Antivirus by stopping the WinDefend service on victim machines, and also disables Windows Defender via registry key changes.[2] |
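The Defender tampering in the T1562.001 and T1112 rows above leaves three distinct traces: a process that asks the Service Control Manager to stop WinDefend (here through AdvancedRun), the SCM's own 7036 "stopped state" event, and a registry write to a Defender policy value. The detector below is an added example, not code from the ATT&CK page or from Ember Bear tooling; the event records are constructed to resemble normalized Sysmon and System-log entries (Sysmon field names, invented values, invented host names), and the rule that flags any AdvancedRun launch is a heuristic that assumes the tool is otherwise absent from the estate.

```python
"""Detect Microsoft Defender tampering: WinDefend service stop (T1562.001) and
Defender policy registry changes (T1112). Added example with constructed events."""
import re

# Real Defender policy values that switch protection off when set to a non-zero DWORD.
DEFENDER_KILL_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware",
    r"hklm\software\policies\microsoft\windows defender\disableantivirus",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring",
}

# Matches "sc stop WinDefend", "net stop WinDefend", "Stop-Service WinDefend".
SERVICE_STOP_RE = re.compile(r"\bstop(-service)?\b")


def _dword_nonzero(details: str) -> bool:
    """Sysmon Event 13 renders DWORD values as 'DWORD (0x00000001)'."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]+)\)", details)
    return bool(m) and int(m.group(1), 16) != 0


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect_defender_tampering(events):
    """Return (technique, host, detail) tuples for events matching the behaviour."""
    findings = []
    for ev in events:
        host, src, eid = ev["host"], ev["source"], ev["event_id"]
        if src == "sysmon" and eid == 13:  # RegistryEvent (Value Set)
            target = ev["TargetObject"]
            if target.lower() in DEFENDER_KILL_VALUES and _dword_nonzero(ev["Details"]):
                findings.append(("T1112", host, f"{_basename(ev['Image'])} set {target} = {ev['Details']}"))
        elif src == "system" and eid == 7036:  # Service Control Manager state change
            msg = ev["message"].lower()
            if "windows defender antivirus service" in msg and "stopped state" in msg:
                findings.append(("T1562.001", host, "WinDefend entered the stopped state"))
        elif src == "sysmon" and eid == 1:  # Process creation
            image, cmd = _basename(ev["Image"]), ev["CommandLine"].lower()
            if "windefend" in cmd and SERVICE_STOP_RE.search(cmd):
                findings.append(("T1562.001", host, f"{image} requested a stop of WinDefend: {ev['CommandLine']}"))
            elif image == "advancedrun.exe":
                # Heuristic (assumption): NirSoft AdvancedRun is rare in managed estates, so any launch is flagged.
                findings.append(("T1562.001", host, f"AdvancedRun launched: {ev['CommandLine']}"))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "sysmon", "event_id": 1,
     "Image": r"C:\Users\Public\AdvancedRun.exe",
     "CommandLine": r'AdvancedRun.exe /EXEFilename "C:\Windows\System32\sc.exe" /CommandLine "stop WinDefend" /RunAs 8 /Run'},
    {"host": "ws01", "source": "system", "event_id": 7036,
     "message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"host": "ws01", "source": "sysmon", "event_id": 13,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Benign: value explicitly set to 0 by a policy refresh.
    {"host": "ws02", "source": "sysmon", "event_id": 13,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Benign: an unrelated service stopping.
    {"host": "ws02", "source": "system", "event_id": 7036,
     "message": "The Windows Update service entered the stopped state."},
    # Benign: querying the service state is not stopping it.
    {"host": "ws02", "source": "sysmon", "event_id": 1,
     "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe query WinDefend"},
]

if __name__ == "__main__":
    for technique, host, detail in detect_defender_tampering(SAMPLE_EVENTS):
        print(technique, host, detail)
```

The registry rule keys on the value actually being set to a non-zero DWORD, so a policy refresh that writes 0 does not fire; the 7036 event is the one signal that survives even when the attacker's process telemetry is missing, which is why it is worth alerting on independently of the command line.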
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1203 | Exploitation for Client Execution | Ember Bear has used exploits to enable follow-on execution of frameworks such as Meterpreter.[1] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Ember Bear has used DNS tunnelling tools, such as dnscat2 and Iodine, for C2 purposes.[1] |
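Both tools named in the T1071.004 row above move data through the query name and through record types that carry arbitrary payloads (TXT, CNAME, MX, and for Iodine NULL), so the resolver log shows one registered domain receiving many unique, high-entropy subdomains. The profiler below is an added example, not code from the ATT&CK page or from dnscat2 or Iodine; the query log is constructed (the tunnel domain is invented), and it approximates the registered domain as the last two labels, which is a simplification to replace with a public-suffix-list lookup in production.

```python
"""Heuristic DNS tunnel detection over resolver query logs (T1071.004).
Added example with a constructed log; lines are "HH:MM:SS client qtype qname"."""
import math
import random
from collections import defaultdict

# Record types dnscat2 and Iodine commonly use for downstream data. A/AAAA are
# left out so ordinary lookups do not inflate the ratio.
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex approaches 4.0, ordinary host labels sit around 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain) under the last-two-labels assumption."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(lines):
    """Per registered domain: query count, distinct subdomains, tunnel-type ratio, mean entropy."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "tunnel_qtype": 0, "entropy": 0.0})
    for line in lines:
        _ts, _client, qtype, qname = line.split()
        reg, sub = split_name(qname)
        st = acc[reg]
        st["queries"] += 1
        st["subs"].add(sub)
        st["tunnel_qtype"] += int(qtype.upper() in TUNNEL_QTYPES)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
    return {
        reg: {
            "queries": st["queries"],
            "distinct_subdomains": len(st["subs"]),
            "tunnel_qtype_ratio": st["tunnel_qtype"] / st["queries"],
            "mean_entropy": st["entropy"] / st["queries"],
        }
        for reg, st in acc.items()
    }


def flag_tunnel_domains(lines, min_distinct=20, min_entropy=3.0, min_ratio=0.5):
    """Domains with many unique, high-entropy subdomains queried mostly via tunnel-capable types."""
    return sorted(
        reg for reg, p in profile_domains(lines).items()
        if p["distinct_subdomains"] >= min_distinct
        and p["mean_entropy"] >= min_entropy
        and p["tunnel_qtype_ratio"] >= min_ratio
    )


def _constructed_log(seed=1):
    """Constructed sample: a handful of normal lookups plus 40 tunnel-style queries."""
    rng = random.Random(seed)
    lines = [
        "10:00:01 10.0.0.5 A www.example.com",
        "10:00:02 10.0.0.5 MX mail.example.com",
        "10:00:03 10.0.0.5 A cdn.example.com",
        "10:00:04 10.0.0.7 TXT _dmarc.example.com",
        "10:00:05 10.0.0.7 A example.com",
    ]
    for i in range(40):  # encoded payload chunks as labels, alternating TXT and NULL
        payload = "".join(rng.choice("0123456789abcdef") for _ in range(48))
        qtype = "NULL" if i % 2 else "TXT"
        lines.append(f"10:01:{i:02d} 10.0.0.9 {qtype} {payload[:24]}.{payload[24:]}.t.tunnel-example.net")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for reg, p in profile_domains(SAMPLE_LOG).items():
        print(reg, p)
    print("flagged:", flag_tunnel_domains(SAMPLE_LOG))
```

The three thresholds are deliberately conjunctive: CDNs and anti-spam services also produce many unique labels, but mostly over A/AAAA and with low entropy, so requiring all of distinct-subdomain volume, entropy and tunnel-capable record types keeps them out of the alert.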
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1585 | Establish Accounts | Ember Bear has created accounts on dark web forums to obtain various tools and malware.[1] |
| Enterprise | T1560 | Archive Collected Data | Ember Bear has compressed collected data prior to exfiltration.[1] |
| Enterprise | T1003 | OS Credential Dumping | Ember Bear gathers credential material from target systems, such as SSH keys, to facilitate access to victim environments.[2] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Ember Bear uses legitimate Sysinternals tools such as procdump to dump LSASS memory.[2][1] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Ember Bear acquires victim credentials by extracting registry hives such as the Security Account Manager through commands such as |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | Ember Bear has used frameworks such as Impacket to dump LSA secrets for credential capture.[1] |
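The renamed-procdump LSASS dump described in the T1036 and T1003.001 rows above can be caught by correlating two Sysmon signals: a process whose PE version resource still identifies it as procdump although its on-disk name differs, and a handle to lsass.exe opened with a full-dump access mask. The detector below is an added example, not code from the ATT&CK page or from Ember Bear tooling; the events are constructed Sysmon-style records, and it assumes Sysmon is configured to log ProcessAccess (Event 10) against lsass.exe and that procdump's OriginalFileName resource reads "procdump".

```python
"""Detect LSASS dumping via a renamed procdump (T1036.005 + T1003.001).
Added example over constructed Sysmon Event 1 / Event 10 records."""
import re

LSASS = "lsass.exe"
# Access masks typical of memory dumps: procdump -ma asks for PROCESS_ALL_ACCESS (0x1FFFFF);
# 0x1010 and 0x1410 are common minidump patterns. This set is a heuristic to tune locally.
DUMP_ACCESS_MASKS = {0x1FFFFF, 0x1010, 0x1410}
# OriginalFileName values of known dump tools (assumption: procdump reports "procdump").
DUMP_TOOL_ORIGINALS = {"procdump"}
FULL_DUMP_FLAG_RE = re.compile(r"(?:^|\s)-ma(?:\s|$)")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _stem(name: str) -> str:
    return name.rsplit(".", 1)[0]


def detect_lsass_dump(events):
    """Return (technique, host, detail) tuples."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 1:  # process creation
            image = _basename(ev["Image"])
            original = ev.get("OriginalFileName", "").lower()  # Sysmon reports "-" when absent
            cmd = ev["CommandLine"].lower()
            # Masquerading: binary identifies itself as a dump tool but is not named procdump*.exe
            if original in DUMP_TOOL_ORIGINALS and not _stem(image).startswith(original):
                findings.append(("T1036.005", host, f"{image} carries OriginalFileName '{original}'"))
            # Dump tool pointed at lsass by name; a PID argument cannot be resolved here and
            # needs the Event 10 correlation below.
            if original in DUMP_TOOL_ORIGINALS and FULL_DUMP_FLAG_RE.search(cmd) and "lsass" in cmd:
                findings.append(("T1003.001", host, f"{image} full dump of LSASS: {ev['CommandLine']}"))
        elif ev["event_id"] == 10:  # process access
            if _basename(ev["TargetImage"]) == LSASS:
                granted = int(ev["GrantedAccess"], 16)
                if granted in DUMP_ACCESS_MASKS:
                    findings.append(("T1003.001", host,
                                     f"{_basename(ev['SourceImage'])} opened lsass with 0x{granted:X}"))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "event_id": 1, "Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "procdump",
     "CommandLine": r"svc.exe -accepteula -ma lsass.exe C:\Windows\Temp\svc.dmp"},
    {"host": "srv01", "event_id": 10, "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign: the AV engine querying lsass with a limited-information mask.
    {"host": "srv01", "event_id": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Benign: an administrator dumping an application by PID with an unrenamed procdump.
    {"host": "srv01", "event_id": 1, "Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -accepteula -ma 4812 C:\dumps\app.dmp"},
    # Renamed tool targeting a PID: only the masquerade is visible from Event 1 alone.
    {"host": "srv02", "event_id": 1, "Image": r"C:\Users\Public\dump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"dump.exe -accepteula -ma 648 C:\Users\Public\l.dmp"},
]

if __name__ == "__main__":
    for technique, host, detail in detect_lsass_dump(SAMPLE_EVENTS):
        print(technique, host, detail)
```

The last sample event shows the gap a name-only rule leaves: when the operator passes lsass's PID rather than its name, Event 1 proves only the masquerade, and the dump itself is visible only in the Event 10 record from the same host.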
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1654 | Log Enumeration | Ember Bear has enumerated SECURITY and SYSTEM log files during intrusions.[1] |
| Enterprise | T1110 | Brute Force | Ember Bear used the |
| Enterprise | T1110.003 | Brute Force: Password Spraying | Ember Bear has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.[1] |
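A spray against OWA, as in the T1110.003 row above, looks different from a brute-force attempt on one account: one source address fails against many distinct users inside a short window while touching each account only once or twice, and the event that matters is the success that follows. The detector below is an added example, not code from the ATT&CK page; the authentication records are constructed ("ISO-timestamp src_ip user RESULT"), with every address and user name invented. In practice the same logic runs over IIS logs for the OWA logon endpoint or over Exchange and Entra ID sign-in logs.

```python
"""Password-spray detection over authentication records (T1110.003).
Added example with a constructed log."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_record(line: str):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result.upper()


def detect_spray(lines, window=timedelta(minutes=10), min_users=10, max_per_user=2):
    """Flag a source IP that fails logons for >= min_users distinct accounts inside one
    window while trying each account at most max_per_user times (a spray, as opposed to
    T1110.001 brute force against a single account). One alert per IP."""
    records = sorted(parse_record(l) for l in lines)
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in records:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))

    alerts = []
    for ip, attempts in fails.items():
        recent, alert = deque(), None
        for ts, user in attempts:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # slide the window forward
                recent.popleft()
            per_user = Counter(u for _, u in recent)
            if alert is None and len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alert = {"src_ip": ip, "distinct_users": 0, "first_fail": recent[0][0], "last_fail": ts}
            if alert is not None:  # keep extending the alert while the spray continues
                alert["last_fail"] = ts
                alert["distinct_users"] = max(alert["distinct_users"], len(per_user))
        if alert is not None:
            # A success from the same IP during or shortly after the spray is the real signal.
            first, last = alert["first_fail"], alert["last_fail"]
            hits = [u for t, u in successes.get(ip, []) if first <= t <= last + window]
            alert["followed_by_success"] = sorted(set(hits))
            alerts.append(alert)
    return alerts


def _constructed_auth_log():
    """Constructed sample: one spray with a later hit, one single-account brute force, one normal logon."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    lines = []
    # Spray from one external address: 15 accounts, one attempt each, 20 s apart, then a hit.
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} 203.0.113.10 user{i:02d}@example.org FAIL")
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()} 203.0.113.10 user07@example.org SUCCESS")
    # One internal user mistyping a password six times: T1110.001-style, not a spray.
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()} 10.0.0.5 a.smith@example.org FAIL")
    # Ordinary successful logon.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 10.0.0.6 b.lee@example.org SUCCESS")
    return lines


SAMPLE_AUTH_LOG = _constructed_auth_log()

if __name__ == "__main__":
    for a in detect_spray(SAMPLE_AUTH_LOG):
        print(a)
```

The `max_per_user` bound is what separates this rule from a generic failed-logon threshold: the internal user who fails six times in two minutes never appears, because a spray is defined by breadth across accounts, not depth against one.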
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1078.001 | Valid Accounts: Default Accounts | Ember Bear has abused default user names and passwords in externally accessible IP cameras for initial access.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Ember Bear deploys web shells following initial access for either follow-on command execution or protocol tunneling. Example web shells used by Ember Bear include P0wnyshell, reGeorg, P.A.S. Webshell, and custom variants of publicly available web shell examples.[2][1] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Ember Bear has dumped configuration settings from accessed IP cameras, including plaintext credentials.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | Ember Bear retrieves follow-on payloads directly from adversary-owned infrastructure for deployment on compromised hosts.[2] |
| Enterprise | T1114 | Email Collection | Ember Bear attempts to collect mail from accessed systems and servers.[2][1] |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Ember Bear conducted destructive operations against victims, including disk structure wiping, via the WhisperGate malware in Ukraine.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Ember Bear deletes files related to lateral movement to avoid detection.[2] |
| Enterprise | T1491.002 | Defacement: External Defacement | Ember Bear is linked to the defacement of several Ukrainian organization websites.[2] |
| Enterprise | T1046 | Network Service Discovery | Ember Bear has used tools such as Nmap for remote system discovery and enumeration in victim environments.[1] |
| Enterprise | T1119 | Automated Collection | Ember Bear engages in mass collection from compromised systems during intrusions.[2] |
| Enterprise | T1583 | Acquire Infrastructure | Ember Bear uses services such as IVPN, SurfShark, and Tor to add anonymization to operations.[2] |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.[1] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | Ember Bear has acquired malware and related tools from dark web forums.[1] |
| Enterprise | T1588.005 | Obtain Capabilities: Exploits | Ember Bear has obtained exploitation scripts against publicly disclosed vulnerabilities from public repositories.[1] |
| Enterprise | T1125 | Video Capture | Ember Bear has exfiltrated images from compromised IP cameras.[1] |
| Enterprise | T1021 | Remote Services | Ember Bear uses valid network credentials gathered through credential harvesting to move laterally within victim networks, often employing the Impacket framework to do so.[2] |
| Enterprise | T1210 | Exploitation of Remote Services | Ember Bear has used exploits for vulnerabilities such as MS17-010, also known as |
| Enterprise | T1018 | Remote System Discovery | Ember Bear has used tools such as Nmap and MASSCAN for remote service discovery.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as |
| Enterprise | T1095 | Non-Application Layer Protocol | Ember Bear uses socket-based tunneling utilities for command and control purposes, such as Netcat and Go Simple Tunnel (GOST). These tunnels are used to push interactive command prompts over the created sockets.[2] Ember Bear has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure.[1] |
| Enterprise | T1571 | Non-Standard Port | Ember Bear has used various non-standard ports for C2 communication.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Ember Bear uses remotely scheduled tasks to facilitate remote command execution on victim machines.[2] |