THREATOPS Actor Dossier
LIVE ← Dashboard

Ember Bear

G10030 reports
aliases · Ember Bear · UNC2589 · Bleeding Bear · DEV-0586 · Cadet Blizzard · Frozenvista · UAC-0056
Export dossier:
0
Reports
0
Techniques
0
Tactics
0
Countries
n/a
Hunt coverage
7
Aliases

Analyst assessment — key judgments

  • No recorded activity: 0 report(s) in last 30d vs 0 prior (+0%).
  • Assessment confidence: n/a.

Activity & trend

InactiveLast 30d: 0 vs 0 prior (+0%)
0
7d
0
30d
0
90d
0
All
0.0
Rpts/wk
Reporting timeline · 12 months

Overview

Analyst triage
Intelligence summary

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation
            • No ATT&CK techniques associated yet.

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected