Ember Bear

Aliases: UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056
[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](htt...
Techniques: 48
Covered: 45
Gaps: 3
Coverage: 94% (45/48)
COVERED (45)
| Technique | Name | Detections |
|---|---|---|
| T1003 | OS Credential Dumping | 106 |
| T1003.001 | LSASS Memory | 105 |
| T1003.002 | Security Account Manager | 45 |
| T1003.004 | LSA Secrets | 16 |
| T1005 | Data from Local System | 46 |
| T1018 | Remote System Discovery | 46 |
| T1021 | Remote Services | 94 |
| T1036 | Masquerading | 493 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1053.005 | Scheduled Task | 82 |
| T1059.001 | PowerShell | 338 |
| T1070.004 | File Deletion | 40 |
| T1071.004 | DNS | 31 |
| T1078.001 | Default Accounts | 8 |
| T1090.003 | Multi-hop Proxy | 8 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1110 | Brute Force | 85 |
| T1110.003 | Password Spraying | 65 |
| T1112 | Modify Registry | 197 |
| T1114 | Email Collection | 17 |
| T1119 | Automated Collection | 11 |
| T1125 | Video Capture | 3 |
| T1133 | External Remote Services | 72 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1195 | Supply Chain Compromise | 40 |
| T1203 | Exploitation for Client Execution | 71 |
| T1210 | Exploitation of Remote Services | 33 |
| T1491.002 | External Defacement | 1 |
| T1505.003 | Web Shell | 57 |
| T1550.002 | Pass the Hash | 9 |
| T1552.001 | Credentials In Files | 53 |
| T1560 | Archive Collected Data | 11 |
| T1561.002 | Disk Structure Wipe | 3 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1567.002 | Exfiltration to Cloud Storage | 27 |
| T1570 | Lateral Tool Transfer | 20 |
| T1571 | Non-Standard Port | 16 |
| T1572 | Protocol Tunneling | 51 |
| T1583 | Acquire Infrastructure | 1 |
| T1588.001 | Malware | 2 |
| T1595.001 | Scanning IP Blocks | 6 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1654 | Log Enumeration | 1 |