Threat Actor Profile
Ember Bear
Emerging in 2021, Ember Bear (also tracked as UAC-0056 and Lorec53) is a Russian state-sponsored cyber espionage group closely tied to the GRU. Known for spear-phishing and for wiper malware such as WhisperGate, it targets critical infrastructure, government, and defense organizations, often pairing destructive attacks with data theft.
Country of Origin
Based on credible assessments, Ember Bear operates as a Russian state-sponsored group with affiliations to the GRU, specifically Unit 29155.
Members
The precise size of Ember Bear’s team is unclear; however, its operations suggest a well-coordinated and resource-backed organization. Aliases such as Nodaria and DEV-0586 are associated with this cluster.
Leadership
Ember Bear's leadership structure is not publicly known. Saint Bear, Frozenvista, and Cadet Blizzard are additional vendor names for the same cluster rather than individuals, and no specific leaders have been named publicly.
Ember Bear TTPs
Tactics
The group primarily focuses on espionage and long-term intelligence gathering but has demonstrated capability for wiper attacks targeting Ukrainian entities.
Techniques
Their techniques include spearphishing with malicious documents, persistence on compromised web servers through web shells, and abuse of remote access tools for lateral movement.
Procedures
Notable procedures include deploying tools like WhisperGate wiper malware, document stealers such as OutSteel, and backdoor malware like GraphSteel and GrimPlant.
Notable Cyberattacks
WhisperGate Wiper (2022)
A destructive campaign targeting Ukrainian governmental bodies using wiper malware.
Ukrainian Website Compromise (2021–2022)
Persistent presence through web shells, leveraged to deploy backdoors like CredPump and HoaxPen.
Law Enforcement & Arrests
To date, no arrests have been reported. In 2024 the US Department of Justice unsealed indictments against GRU Unit 29155 officers and an associated civilian in connection with the WhisperGate campaign, but the defendants remain at large and no law enforcement action has dismantled Ember Bear's operations.
How to Defend Against Ember Bear
Organizations should deploy email security controls that block or sandbox phishing attachments and links, monitor web servers for newly created or modified server-side scripts and for anomalous POST traffic to them (the web shell pattern this group relies on), and use endpoint detection to flag malicious processes and destructive behaviour such as raw disk writes.
Network monitoring and timely patching of internet-facing systems, web applications in particular, are vital for mitigating threats from Ember Bear.
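The web shell persistence described under Techniques and the web server monitoring recommended above can be turned into a concrete triage check. The script below is an added example for this profile, not Huntress tooling or anything attributed to Ember Bear. It assumes the Apache/nginx "combined" access log format; the log lines are constructed, and the thresholds MAX_IPS and MIN_POSTS are assumptions to tune per environment. It scores each server-side script path on four independent signals (POSTs from few client IPs, POSTs without a Referer, a path that is never fetched with GET, and a scripted User-Agent) and reports paths that trip at least two.

```python
"""Web-shell triage over web server access logs.

Added example for this profile (not Huntress's tooling, not Ember Bear's code).
Assumes the Apache/nginx "combined" log format. SAMPLE_LOG is constructed, and
MAX_IPS / MIN_POSTS are assumptions to tune per environment.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".ashx")
SCRIPTED_UA = ("python-requests", "curl/", "wget/", "go-http-client")
MAX_IPS = 2      # assumption: a shell is usually driven from one or two sources
MIN_POSTS = 3    # assumption: ignore one-off probes


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string (e.g. ?cmd=id)
    return rec


def is_scripted_ua(ua):
    """Empty, dash, or well-known HTTP-library User-Agents count as scripted."""
    return ua in ("", "-") or ua.lower().startswith(SCRIPTED_UA)


def triage(log_text):
    """Score every server-side script path in the log; return the suspicious ones."""
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "no_ref": 0,
                                 "ips": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        s = stats[rec["path"]]
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])
        if rec["method"] == "POST":
            s["posts"] += 1
            if rec["referer"] in ("", "-"):     # browser form submits set a Referer
                s["no_ref"] += 1
        else:
            s["gets"] += 1

    findings = []
    for path, s in sorted(stats.items()):
        reasons = []
        if s["posts"] >= MIN_POSTS and len(s["ips"]) <= MAX_IPS:
            reasons.append("POSTs from few client IPs")
        if s["posts"] and s["no_ref"] == s["posts"]:
            reasons.append("all POSTs lack Referer")
        if s["posts"] and s["gets"] == 0:
            reasons.append("post-only path")       # nobody "visits" a web shell
        if any(is_scripted_ua(ua) for ua in s["uas"]):
            reasons.append("scripted User-Agent")
        if len(reasons) >= 2:                      # require two independent signals
            findings.append({"path": path, "ips": sorted(s["ips"]), "reasons": reasons})
    return findings


# Constructed sample: ordinary site traffic plus a dropped script under an upload directory.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2022:08:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/96.0"
203.0.113.11 - - [12/Jan/2022:08:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.gov/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/97.0"
203.0.113.12 - - [12/Jan/2022:08:02:10 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.gov/login.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/96.0"
203.0.113.13 - - [12/Jan/2022:08:02:31 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.gov/login.php" "Mozilla/5.0 (Macintosh) Safari/15.2"
203.0.113.14 - - [12/Jan/2022:08:03:44 +0000] "GET /login.php HTTP/1.1" 200 2210 "https://www.example.gov/" "Mozilla/5.0 (Windows NT 10.0) Edge/97.0"
203.0.113.15 - - [12/Jan/2022:08:04:01 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.gov/login.php" "Mozilla/5.0 (X11; Linux x86_64) Chrome/97.0"
198.51.100.7 - - [12/Jan/2022:03:12:09 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.27.1"
198.51.100.7 - - [12/Jan/2022:03:12:15 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 8841 "-" "python-requests/2.27.1"
198.51.100.7 - - [12/Jan/2022:03:13:02 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 71 "-" "python-requests/2.27.1"
198.51.100.7 - - [12/Jan/2022:03:15:47 +0000] "POST /uploads/images/cache.php?cmd=id HTTP/1.1" 200 64 "-" "python-requests/2.27.1"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["path"], "from", ", ".join(f["ips"]), "->", "; ".join(f["reasons"]))
```

On the constructed log, /login.php (many client IPs, Referer set, also fetched with GET) scores nothing, while /uploads/images/cache.php trips all four signals. Log triage only nominates candidates: follow up by pulling the flagged file, checking its creation time against deployment records, and reviewing it for eval/exec primitives before treating the host as compromised.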