Ember Bear
Aliases: Ember Bear, UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056
[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](htt...
Techniques: 48 · Covered: 45 · Gaps: 3 · Coverage: 94% (45/48)
COVERED (45)

| ID | Technique | Detections |
|---|---|---|
| T1003 | OS Credential Dumping | 113 |
| T1003.001 | LSASS Memory | 111 |
| T1003.002 | Security Account Manager | 49 |
| T1003.004 | LSA Secrets | 18 |
| T1005 | Data from Local System | 47 |
| T1018 | Remote System Discovery | 50 |
| T1021 | Remote Services | 101 |
| T1036 | Masquerading | 525 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1053.005 | Scheduled Task | 99 |
| T1059.001 | PowerShell | 368 |
| T1070.004 | File Deletion | 42 |
| T1071.004 | DNS | 34 |
| T1078.001 | Default Accounts | 9 |
| T1090.003 | Multi-hop Proxy | 9 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1110 | Brute Force | 90 |
| T1110.003 | Password Spraying | 66 |
| T1112 | Modify Registry | 203 |
| T1114 | Email Collection | 18 |
| T1119 | Automated Collection | 12 |
| T1125 | Video Capture | 3 |
| T1133 | External Remote Services | 72 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1195 | Supply Chain Compromise | 40 |
| T1203 | Exploitation for Client Execution | 75 |
| T1210 | Exploitation of Remote Services | 35 |
| T1491.002 | External Defacement | 1 |
| T1505.003 | Web Shell | 63 |
| T1550.002 | Pass the Hash | 10 |
| T1552.001 | Credentials In Files | 61 |
| T1560 | Archive Collected Data | 12 |
| T1561.002 | Disk Structure Wipe | 3 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1567.002 | Exfiltration to Cloud Storage | 29 |
| T1570 | Lateral Tool Transfer | 22 |
| T1571 | Non-Standard Port | 16 |
| T1572 | Protocol Tunneling | 56 |
| T1583 | Acquire Infrastructure | 1 |
| T1588.001 | Malware | 2 |
| T1595.001 | Scanning IP Blocks | 6 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1654 | Log Enumeration | 1 |
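The headline coverage figure is computed from the covered-technique list, and a "covered" technique with one or two detections deserves a closer look than one with several hundred. The following Python is an added example, not code from this page or from the coverage tool behind it: it parses the list exactly as it is exported on this page (ID, name and count run together, entries separated by `det.`), recomputes the summary against the 48 techniques attributed to the group, flags techniques covered by only a handful of detections, and emits a minimal ATT&CK Navigator layer with the detection count as the score. The thin-coverage threshold of 5 and the Navigator version strings are assumptions; adjust them to your own tooling.

```python
import json
import re
from typing import Dict, List, Tuple

# The COVERED list as exported on the page (ID, name and count run together).
# This is the page's own data, not constructed.
RAW_COVERED = (
    "T1003OS Credential Dumping113 det.T1003.001LSASS Memory111 det."
    "T1003.002Security Account Manager49 det.T1003.004LSA Secrets18 det."
    "T1005Data from Local System47 det.T1018Remote System Discovery50 det."
    "T1021Remote Services101 det.T1036Masquerading525 det."
    "T1036.005Match Legitimate Resource Name or Location44 det."
    "T1046Network Service Discovery51 det."
    "T1047Windows Management Instrumentation87 det.T1053.005Scheduled Task99 det."
    "T1059.001PowerShell368 det.T1070.004File Deletion42 det.T1071.004DNS34 det."
    "T1078.001Default Accounts9 det.T1090.003Multi-hop Proxy9 det."
    "T1095Non-Application Layer Protocol23 det.T1110Brute Force90 det."
    "T1110.003Password Spraying66 det.T1112Modify Registry203 det."
    "T1114Email Collection18 det.T1119Automated Collection12 det."
    "T1125Video Capture3 det.T1133External Remote Services72 det."
    "T1190Exploit Public-Facing Application216 det.T1195Supply Chain Compromise40 det."
    "T1203Exploitation for Client Execution75 det."
    "T1210Exploitation of Remote Services35 det.T1491.002External Defacement1 det."
    "T1505.003Web Shell63 det.T1550.002Pass the Hash10 det."
    "T1552.001Credentials In Files61 det.T1560Archive Collected Data12 det."
    "T1561.002Disk Structure Wipe3 det.T1562.001Disable or Modify Tools311 det."
    "T1567.002Exfiltration to Cloud Storage29 det.T1570Lateral Tool Transfer22 det."
    "T1571Non-Standard Port16 det.T1572Protocol Tunneling56 det."
    "T1583Acquire Infrastructure1 det.T1588.001Malware2 det."
    "T1595.001Scanning IP Blocks6 det.T1595.002Vulnerability Scanning12 det."
    "T1654Log Enumeration1 det."
)

# ATT&CK ID (optionally a sub-technique), shortest name that is followed by
# the detection count and the literal "det." separator.
TECHNIQUE_RE = re.compile(r"(T\d{4}(?:\.\d{3})?)(.*?)(\d+) det\.")

Entry = Tuple[str, str, int]  # (technique_id, name, detection_count)


def parse_covered(raw: str) -> List[Entry]:
    """Split the flattened export into (id, name, count) triples, page order kept."""
    return [(tid, name.strip(), int(n)) for tid, name, n in TECHNIQUE_RE.findall(raw)]


def coverage_summary(entries: List[Entry], total_techniques: int) -> Dict[str, int]:
    """Recompute the page's headline numbers from the parsed list."""
    covered = len(entries)
    return {
        "techniques": total_techniques,
        "covered": covered,
        "gaps": total_techniques - covered,
        "coverage_pct": round(100 * covered / total_techniques),
    }


def thin_coverage(entries: List[Entry], threshold: int = 5) -> List[Tuple[str, int]]:
    """Techniques that count as covered but have fewer than `threshold` detections.
    The threshold is an assumption; pick one that matches your rule quality bar."""
    return sorted((tid, n) for tid, _, n in entries if n < threshold)


def navigator_layer(entries: List[Entry], name: str = "Ember Bear detection coverage") -> dict:
    """Minimal ATT&CK Navigator layer: score = detections mapped to the technique.
    The version strings are assumptions; set them to the Navigator build you use."""
    max_score = max(n for _, _, n in entries)
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Score = number of detections mapped to each technique",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} detections"}
            for tid, _, n in entries
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    covered = parse_covered(RAW_COVERED)
    print(coverage_summary(covered, total_techniques=48))
    print("thin coverage:", thin_coverage(covered))
    # Save as a .json file and load it with "Open Existing Layer" in Navigator.
    print(json.dumps(navigator_layer(covered), indent=2))
```

Running it reproduces the 45/48 = 94% figure and also shows that six of the covered techniques (T1125, T1491.002, T1561.002, T1583, T1588.001, T1654) sit on three or fewer detections each, which the percentage alone hides.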