← Back to Actors
Ember Bear
Ember BearUNC2589Bleeding BearDEV-0586Cadet BlizzardFrozenvistaUAC-0056
[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](htt...
48
Techniques
45
Covered
3
Gaps
94%
Coverage
Coverage45/48
COVERED (45)
T1003OS Credential Dumping113 det.T1003.001LSASS Memory111 det.T1003.002Security Account Manager49 det.T1003.004LSA Secrets18 det.T1005Data from Local System47 det.T1018Remote System Discovery51 det.T1021Remote Services105 det.T1036Masquerading572 det.T1036.005Match Legitimate Resource Name or Location45 det.T1046Network Service Discovery51 det.T1047Windows Management Instrumentation88 det.T1053.005Scheduled Task100 det.T1059.001PowerShell372 det.T1070.004File Deletion43 det.T1071.004DNS35 det.T1078.001Default Accounts9 det.T1090.003Multi-hop Proxy9 det.T1095Non-Application Layer Protocol24 det.T1110Brute Force90 det.T1110.003Password Spraying66 det.T1112Modify Registry203 det.T1114Email Collection18 det.T1119Automated Collection12 det.T1125Video Capture3 det.T1133External Remote Services74 det.T1190Exploit Public-Facing Application227 det.T1195Supply Chain Compromise40 det.T1203Exploitation for Client Execution79 det.T1210Exploitation of Remote Services35 det.T1491.002External Defacement1 det.T1505.003Web Shell65 det.T1550.002Pass the Hash10 det.T1552.001Credentials In Files61 det.T1560Archive Collected Data12 det.T1561.002Disk Structure Wipe3 det.T1562.001Disable or Modify Tools316 det.T1567.002Exfiltration to Cloud Storage31 det.T1570Lateral Tool Transfer23 det.T1571Non-Standard Port17 det.T1572Protocol Tunneling59 det.T1583Acquire Infrastructure1 det.T1588.001Malware2 det.T1595.001Scanning IP Blocks7 det.T1595.002Vulnerability Scanning13 det.T1654Log Enumeration1 det.