3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Ember Bear

Ember Bear

ID: 88c97d960b72db10e568660ee89430ff48525
Cybercrime Cybercriminal Malware Dev State-Sponsored
Threat types: Intrusion, Cyber Espionage
Russia UKR
Updated: 2026-01-26
Created: 2025-10-22
Progress: 63% Completeness: 60% Freshness: 70%
Operation zone: Ukraine
Aliases Limited alias preview
Cadet Blizzard Lorec53 No***** Sa********
St******** T**** UA****** UN*****
Showing 2 of 8 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: high
Actor Techniques page ATT&CK® Diagram

Ember Bear (G1003) — Russia-nexus actor targeting Ukraine and allied sectors with phishing/drive-by access, backdoors (e.g., GrimPlant/GraphSteel), credential abuse, data theft for IO, and selective destructive activity (e.g., WhisperGate).


Technique Technique name Tactics Evidence
T1566 Phishing TA0001
  • 2022-03-15 — UAC-0056 activity delivering fake 'Ukrainian translation' installer that drops GrimPlant/GraphSteel. · ref
T1189 Drive-by Compromise TA0001
  • 2020–2022 — Drive-by/watering-hole style delivery referenced across G1003 write-ups and ecosystem reporting. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2020–2024 — Abuse of valid credentials for persistence and movement in government/telecom environments (noted in advisories tied to Unit 29155 activity). · ref
T1105 Ingress Tool Transfer TA0011
  • 2022 — Ingress of backdoors and beacons over C2/web channels during UAC-0056/Ember Bear campaigns. · ref
T1041 Exfiltration Over C2 Channel TA0010
  • 2020–2024 — Exfiltration over C2/web in support of IO and follow-on operations. · ref
T1561 Disk Wipe TA0040
  • 2022-01 — Use of destructive wiper (WhisperGate) in early 2022 attacks against Ukraine attributed to this cluster lineage. · ref
Strategic Intelligence
Limited preview
Last updated: 2025-10-22T18:26:05+00:00
Ember Bear — Russia-Nexus Espionage & Information-Operations Actor (G1003)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Ember Bear is a Russia-nexus intrusion and influence-enabling actor tracked by MITRE as G1003 and by vendors/governments under aliases including UAC-0056, TA471, UNC2589, Lorec53, Nodaria (and sometimes conflated with Saint Bear / Cadet Blizzard / Storm-0587). Public analysis ties portions of the cluster to GRU Unit 29155; observed objectives include credentialed access, data theft, and support to information operations, with destructive activity (e.g., WhisperGate wiper against Ukraine, January 2022) cited in several assessments. Targeting has centered on Ukraine’s government/telecoms, with spillover to European/Americas critical infrastructure entities. Confidence: high on targeting/TTPs; medium on precise sub-cluster boundaries and naming.

Russian state-aligned cluster focused on operational access that can be weaponized for IO/psychological impact and, episodically, disruption. CrowdStrike emphasizes intent to erode public trust and degrade government response by pairing intrusions with narrative operations.

Strategic objectives: (1) Intelligence collection and options for follow-on effects; (2) perception shaping via timed leaks/claims; (3) selective destructive actions in wartime contexts. Public-facing claims and wiper events amplified fear and uncertainty around Ukraine’s institutions in early 2022.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Empty Limited preview
No content yet.
IOC Appendix now
Saved successfully.
OSINT Library
Empty Limited preview
No content yet.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/0
No social links registered for this profile.
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.